Which SIEM platforms have a T1057 detection rule?

df00tech provides T1057 (Process Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Process Discovery (T1057)?

Detecting Process Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1057 detection?

The T1057 detection is rated low severity with medium confidence.

What are common false positives for T1057?

Common false positives for T1057 include: IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring; Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools (Datadog, SolarWinds, Nagios) that periodically enumerate processes as part of their normal operation; Software installers and update mechanisms that check for conflicting processes before installation or during version upgrades.

T1057 Sumo Logic CSE · Sumo

Detect Process Discovery in Sumo Logic CSE

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.

MITRE ATT&CK

Tactic: Discovery
Technique: T1057 Process Discovery
Canonical reference: https://attack.mitre.org/techniques/T1057/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where (%"EventCode"="1" OR %"EventID"="1" OR %"EventCode"="4688")
| eval ImageLower = toLowerCase(Image)
| eval CommandLineLower = toLowerCase(CommandLine)
| eval ParentImageLower = toLowerCase(ParentImage)
| eval IsTasklist = if(ImageLower matches "*\\tasklist.exe" OR ImageLower matches "*\\pslist.exe" OR ImageLower matches "*\\proclist.exe" OR ImageLower matches "*\\tlist.exe", 1, 0)
| eval IsWmicProcess = if(ImageLower matches "*\\wmic.exe" AND (CommandLineLower matches "*process get*" OR CommandLineLower matches "*process list*" OR CommandLineLower matches "*process where*" OR CommandLineLower matches "*win32_process*"), 1, 0)
| eval IsPSGetProcess = if((ImageLower matches "*\\powershell.exe" OR ImageLower matches "*\\pwsh.exe") AND (CommandLineLower matches "*get-process*" OR CommandLineLower matches "*get-wmiobject*win32_process*" OR CommandLineLower matches "*get-ciminstance*win32_process*" OR CommandLineLower matches "*[system.diagnostics.process]::getprocesses*" OR CommandLineLower matches "*gps *"), 1, 0)
| eval IsProcessDiscovery = IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval SuspiciousParent = if(ParentImageLower matches "*(wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|msbuild.exe|installutil.exe|certutil.exe|bitsadmin.exe)*", 1, 0)
| eval VerboseEnum = if(CommandLineLower matches "*(/v |/fo |/svc |executablepath|commandline|caption,executablepath)*", 1, 0)
| eval RiskScore = IsProcessDiscovery + SuspiciousParent + VerboseEnum
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTasklist, IsWmicProcess, IsPSGetProcess, SuspiciousParent, VerboseEnum, RiskScore
| sort by _time desc

medium severity high confidence

Detects T1057 Process Discovery in Sumo Logic by parsing Windows Sysmon (Event ID 1) or Security (Event ID 4688) process creation logs. Evaluates process names and command lines for tasklist.exe, wmic process enumeration, and PowerShell Get-Process patterns. Computes a composite risk score based on discovery type, suspicious parent process, and verbose enumeration flags.

Data Sources

Sumo Logic Cloud SIEMSumo Logic Installed Collector (Windows)Sysmon for WindowsWindows Security Event Log

Required Tables

_sourceCategory=*windows*sysmon*_sourceCategory=*windows*security*

False Positives & Tuning

Automated patch management solutions that run tasklist.exe pre/post-patch to confirm process states
Security operations teams running ad-hoc PowerShell Get-Process commands during incident triage
Application performance monitoring agents using wmic or PowerShell to collect process metrics for dashboards

Download portable Sigma rule (.yml)

Other platforms for T1057

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
Test 2WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
Test 3PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
Test 4Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
Test 5Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Process Discovery in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1057

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1057

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox