Process Discovery via Windows Tools

Attackers enumerate running processes to learn more about the environment they are operating in, including which security software is present.

id: 555a76e1-d5fe-44b9-a6bc-d275c4c446cc
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Discovery
techniques: T1057 Process Discovery, T1063 Security Software Discovery

Query

process where subtype.create and (
  process_name == "tasklist.exe" and not matchLite(?".* [-/]svc", command_line) or
  process_name == "quser.exe" or
  (process_name == "powershell.exe" and command_line == "*Get-Process*")
)
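To sanity-check how the three branches of the query behave before deploying it, the following added Python re-implements its matching logic over constructed process events. It is not part of the analytics library and does not use the EQL engine; it assumes matchLite behaves like an anchored, case-insensitive regex match and that the `*Get-Process*` comparison is a case-insensitive wildcard match.

```python
import re
from fnmatch import fnmatchcase

# Mirrors the EQL query above in plain Python (not the EQL engine).
# Assumptions: matchLite behaves like an anchored, case-insensitive re.match,
# and the "*Get-Process*" comparison is a case-insensitive wildcard match.
SVC_FLAG = re.compile(r".* [-/]svc", re.IGNORECASE)


def matches(event):
    """Return True when a process event satisfies the query's conditions."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    name = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    # Branch 1: tasklist.exe, unless invoked with the -svc / /svc switch
    if name == "tasklist.exe" and not SVC_FLAG.match(cmd):
        return True
    # Branch 2: any quser.exe execution
    if name == "quser.exe":
        return True
    # Branch 3: PowerShell whose command line contains Get-Process
    if name == "powershell.exe" and fnmatchcase(cmd.lower(), "*get-process*"):
        return True
    return False


def hits(events):
    """Return the pids of the events the query would report."""
    return [e["pid"] for e in events if matches(e)]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "pid": 1,
     "process_name": "tasklist.exe", "command_line": "tasklist.exe"},
    {"event_type": "process", "subtype": "create", "pid": 2,
     "process_name": "tasklist.exe", "command_line": "tasklist /svc /fo csv"},
    {"event_type": "process", "subtype": "create", "pid": 3,
     "process_name": "quser.exe", "command_line": "quser"},
    {"event_type": "process", "subtype": "create", "pid": 4,
     "process_name": "powershell.exe",
     "command_line": "powershell -c \"get-process | Out-File p.txt\""},
    {"event_type": "process", "subtype": "create", "pid": 5,
     "process_name": "powershell.exe", "command_line": "powershell -c Get-Date"},
    {"event_type": "process", "subtype": "terminate", "pid": 6,
     "process_name": "tasklist.exe", "command_line": "tasklist.exe"},
]

if __name__ == "__main__":
    print(hits(SAMPLE_EVENTS))  # [1, 3, 4]
```

Only the process creation events for pids 1, 3 and 4 are reported: the `/svc` invocation, the Get-Date PowerShell command and the termination event all fall outside the query.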

Contributors