title: Process Discovery (T1057)
id: df00tech-t1057
status: experimental
description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step."
references:
  - https://attack.mitre.org/techniques/T1057/
  - https://df00tech.com/detections/T1057
author: df00tech
date: 2026/04/16
tags:
  - attack.t1057
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the selection below (EventID '*') matches every process_creation event, so the rule
  # as written alerts on all process starts. The original logic could not be auto-translated; see the
  # KQL/SPL query on df00tech and replace this selection before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring"
  - "Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools (Datadog, SolarWinds, Nagios) that periodically enumerate processes as part of their normal operation"
  - Software installers and update mechanisms that check for conflicting processes before installation or during version upgrades
  - "Help desk and remote support tools (TeamViewer, ConnectWise, SolarWinds N-central) that use tasklist or WMI to display running applications to remote support agents"
  - "Developer tools, IDEs (Visual Studio, JetBrains), and build pipelines that enumerate processes as part of debugging, profiling, or test orchestration"
  - Vulnerability scanners and asset management platforms running authenticated scans against endpoints
level: low
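The detection block above is a placeholder, so the following is an added reference implementation of the selection a deployed rule would need; it is example code, not part of this rule or of the df00tech project. It keys on the Windows tools the description names (tasklist.exe, wmic process, PowerShell Get-Process), adds pwsh.exe as an assumed second PowerShell host, and applies a parent-image allowlist for the expected sources listed under falsepositives. Field names follow the Sigma process_creation convention (Image, CommandLine, ParentImage, User); the events and the allowlisted agent path are constructed for the example.

```python
import re

# Process-enumeration tools named in the rule description, keyed by the
# executable's basename. A regex restricts multi-purpose tools to their
# process-listing use (wmic also queries OS, disk, etc.); None means any
# command line counts.
DISCOVERY_PATTERNS = {
    "tasklist.exe": None,
    "wmic.exe": re.compile(r"\bprocess\b", re.IGNORECASE),
    "powershell.exe": re.compile(r"\bGet-Process\b", re.IGNORECASE),
    "pwsh.exe": re.compile(r"\bGet-Process\b", re.IGNORECASE),  # assumed second PowerShell host
}

# Parent images whose child process enumeration is expected (EDR / monitoring
# agents, help-desk tools). The path below is a CONSTRUCTED placeholder; fill
# this set from your own software inventory.
SUPPRESSED_PARENT_IMAGES = {
    r"c:\program files\examplemonitor\agent.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_discovery(event: dict) -> bool:
    """True if the event is a process-enumeration command per DISCOVERY_PATTERNS."""
    image = _basename(event.get("Image", ""))
    if image not in DISCOVERY_PATTERNS:
        return False
    pattern = DISCOVERY_PATTERNS[image]
    return pattern is None or bool(pattern.search(event.get("CommandLine", "")))


def is_suppressed(event: dict, allowlist=SUPPRESSED_PARENT_IMAGES) -> bool:
    """True if the parent is a known, expected source of process enumeration."""
    return event.get("ParentImage", "").lower() in allowlist


def evaluate(events, allowlist=SUPPRESSED_PARENT_IMAGES):
    """Return the events that match the selection and are not allowlisted."""
    return [e for e in events if matches_discovery(e) and not is_suppressed(e, allowlist)]


# CONSTRUCTED sample process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "CommandLine": "wmic process get name,processid",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "CommandLine": "wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\asmith"},
    {"Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist",
     "ParentImage": r"C:\Program Files\ExampleMonitor\agent.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\asmith"},
]


def alert_summary(events=SAMPLE_EVENTS):
    """(image basename, user) for each alerting event, in log order."""
    return [(_basename(e["Image"]), e["User"]) for e in evaluate(events)]


if __name__ == "__main__":
    for image, user in alert_summary():
        print(f"ALERT process discovery: {image} run by {user}")
```

Of the six constructed events, three alert (tasklist, wmic process, Get-Process); the wmic os query falls outside the process-listing pattern, notepad never matches, and the tasklist run under the allowlisted monitoring agent is suppressed. The allowlist is deliberately keyed on the full parent path rather than a basename so that a renamed binary in a user-writable directory does not inherit the suppression.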
