detection.wiki

Process Discovery T1057

Tactic: Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Events covered

5 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
Security-AuditingEvent ID 4688A new process has been created.
Linux-AuditdEvent ID 1300SYSCALL
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
Sysmon-for-LinuxEvent ID 1Process Create

Authoring guide

Patterns shared across the 33 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (30 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
process_name18eq 11, in 5, match 3arp.exe, atbroker.exe, bginfo.exe, (?i)(whoami|systeminfo|ipconfig|arp|nltest|tasklist|net1?..., egrep
event.type13eq 13start
CommandLine10match 6, contains 4, is_not_null 1(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(conf..., (?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery..., (?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(i..., (?i)whoami|systeminfo|ipconfig|arp|nltest|dclist|domain_t..., get
EventType10in 9, eq 1exec, exec_event, ProcessRollup2, fork, opened-file
host.os.type10eq 9, in 1
process.args9in 5, eq 3, wildcard 3, starts_with 2, contains 1, is_not_null 1*Win32_Process*, --bytes, -c, -eo, -i
EventID6eq 64688, 1, 4104
Image4ends_with 3, eq 1, is_not_null 1, starts_with 1, wildcard 1/atop, /bin/, /boot/, /dev/shm/, /htop
OriginalFileName4eq 4net.exe, pchunter.exe, psservice.exe, sc.exe, tasklist.exe
dc_process_name4gt 41, 2
event.category4eq 4process, file
parent_process_name4eq 3, match 1(?i)(powershell\.exe)|(cmd\.exe), AcroRd32.exe, Acrobat.exe, FoxitPhantomPDF.exe, eqnedt32.exe
ParentImage3is_not_null 2, eq 1?:\program files (x86)\teamcity\jre\bin\java.exe, ?:\program files\teamcity\jre\bin\java.exe, ?:\teamcity\buildagent\jre\bin\java.exe
process.args_count3eq 31, 2, 3
ScriptBlockText2contains 1, eq 1, in 1.getgporeport(), ::getipglobalproperties(), ::getprocesses, get-process

Top indicator values (414 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
13606
EventTypein
exec
9171
EventTypein
exec_event
9139
EventTypein
ProcessRollup2
5117
EventTypein
start
5134
EventTypein
executed
488
EventTypein
process_started
474
process_nameeq
tasklist.exe
69
process_nameeq
net.exe
522
process_nameeq
qprocess.exe
57
process_nameeq
sc.exe
529
process_nameeq
wmic.exe
547
process_nameeq
arp.exe
48
process_nameeq
dsget.exe
47
process_nameeq
dsquery.exe
412
process_nameeq
gpresult.exe
47
process_nameeq
hostname.exe
47
process_nameeq
ipconfig.exe
48
process_nameeq
nbtstat.exe
48
process_nameeq
net1.exe
435
process_nameeq
netsh.exe
418
process_nameeq
netstat.exe
48
process_nameeq
nltest.exe
410
process_nameeq
ping.exe
49
process_nameeq
powershell.exe
4104
process_nameeq
quser.exe
48
process_nameeq
qwinsta.exe
48
process_nameeq
reg.exe
420
process_nameeq
systeminfo.exe
47
process_nameeq
tracert.exe
46

Exclusions (202 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
user.idin
S-1-5-18
3
user.idin
S-1-5-19
3
user.idin
S-1-5-20
3
CommandLinematch
(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c
2
process_namein
netstat
2
process_namein
pidof
2
process_namein
ps
2
usermatch
\$$
2
CommandLinecontains
\catalina_start.bat
1
CommandLinecontains
\xampp\
1
CommandLinecontains
cmd.exe /c tasklist /v |
1
CommandLinecontains
find /i
1
CommandLineeq
dd ibs=18850 skip=1 count=1
1
CommandLinein
sc query "Axway_Integrator"
1
CommandLinein
sc query "Delta enteliVAULT PostgreSQL"
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 7 rules

Elastic 18 rules

Splunk 6 rules

Kusto 2 rules