Process Discovery via Windows Tools
Attackers enumerate running processes to build a fuller picture of the environment they have landed in, including which security software is present.
| id: | 555a76e1-d5fe-44b9-a6bc-d275c4c446cc |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping

| tactics: | Discovery |
|---|---|
| techniques: | T1057 Process Discovery, T1063 Security Software Discovery |
Query
process where subtype.create and (
process_name == "tasklist.exe" and not matchLite(?".* [-/]svc", command_line) or
process_name == "quser.exe" or
(process_name == "powershell.exe" and command_line == "*Get-Process*")
)
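The following is an added example, not part of the original analytic or its rule set: it re-implements the query's logic in Python and runs it over a handful of constructed process-creation events, so the three branches (plain `tasklist` flagged, `tasklist /svc` or `-svc` excluded, `quser`, and PowerShell invoking `Get-Process`) can be checked offline. It assumes, as EQL string comparisons do, that process names and the wildcard comparison are case-insensitive, and that `matchLite` is anchored to the whole command line; the event field names and the `event_subtype` field are assumptions standing in for the query's `process where subtype.create`.

```python
import re
from typing import Dict, Iterable, List

# Regex equivalent of the query's matchLite(?".* [-/]svc", command_line):
# a command line ending in " /svc" or " -svc". The rule excludes this form of
# tasklist (per-process service listing) as routine administrative usage.
SVC_PATTERN = re.compile(r".* [-/]svc")


def is_process_discovery(event: Dict[str, str]) -> bool:
    """Return True when a single process-creation event matches the EQL query.

    Assumptions (mirroring EQL semantics): process_name and the "*Get-Process*"
    wildcard comparison are case-insensitive; the regex is anchored to the
    full command line.
    """
    # "process where subtype.create": only process-creation events are considered
    if event.get("event_subtype") != "create":
        return False

    name = event.get("process_name", "").lower()
    cmdline = event.get("command_line", "")

    if name == "tasklist.exe":
        # Flag tasklist unless the command line matches the /svc or -svc exclusion
        return SVC_PATTERN.fullmatch(cmdline) is None
    if name == "quser.exe":
        return True
    if name == "powershell.exe":
        # EQL wildcard "*Get-Process*" is a substring test on the command line
        return "get-process" in cmdline.lower()
    return False


def find_matches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter an event stream down to the events the analytic would surface."""
    return [e for e in events if is_process_discovery(e)]


# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_subtype": "create", "process_name": "tasklist.exe",
     "command_line": "tasklist"},
    {"event_subtype": "create", "process_name": "tasklist.exe",
     "command_line": "tasklist /svc"},
    {"event_subtype": "create", "process_name": "TASKLIST.EXE",
     "command_line": "tasklist -svc"},
    {"event_subtype": "create", "process_name": "quser.exe",
     "command_line": "quser"},
    {"event_subtype": "create", "process_name": "powershell.exe",
     "command_line": 'powershell -c "Get-Process | Out-File procs.txt"'},
    {"event_subtype": "create", "process_name": "powershell.exe",
     "command_line": "powershell -c Get-Date"},
    {"event_subtype": "create", "process_name": "notepad.exe",
     "command_line": "notepad.exe"},
    # Termination of quser is not a creation event and must be ignored
    {"event_subtype": "terminate", "process_name": "quser.exe",
     "command_line": "quser"},
]


def main() -> None:
    for event in find_matches(SAMPLE_EVENTS):
        print(f"MATCH {event['process_name']}: {event['command_line']}")


if __name__ == "__main__":
    main()
```

Running the block prints three matches: the bare `tasklist`, `quser`, and the PowerShell `Get-Process` invocation; both `/svc` and `-svc` forms of tasklist, the unrelated PowerShell command, `notepad.exe`, and the non-creation event are left out, which is exactly the set the EQL query would return.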