Process Discovery T1057

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Events covered

3 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 18 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (19 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
process_name10eq 7, match 3arp.exe, atbroker.exe, bginfo.exe, (?i)(whoami|systeminfo|ipconfig|arp|nltest|tasklist|net1?..., (?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery...
CommandLine9match 6, contains 4(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(conf..., (?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery..., (?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(i..., (?i)whoami|systeminfo|ipconfig|arp|nltest|dclist|domain_t..., get
EventID6eq 64688, 1, 4104
event.type6eq 6start
OriginalFileName4eq 4net.exe, pchunter.exe, psservice.exe, sc.exe, tasklist.exe
dc_process_name4gt 41, 2
parent_process_name4eq 3, match 1(?i)(powershell\.exe)|(cmd\.exe), AcroRd32.exe, Acrobat.exe, FoxitPhantomPDF.exe, eqnedt32.exe
Image3ends_with 3/atop, /htop, /pgrep, \pchunter32.exe, \pchunter64.exe
Type2eq 2
dc_process2gt 23
process.args2wildcard 2, contains 1, eq 1*Win32_Process*, /fi, /svc, csv, q*
process.args_count2eq 21, 2
Description1eq 1Epoolsoft Windows Information View Tools
EfectiveCommand1regex_match 1regexEmpire
EventData1contains 1-encodedcommand, powershell.exe, powershell_ise.exe

Top indicator values (161 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
6241
process_nameeq
tasklist.exe
69
process_nameeq
net.exe
520
process_nameeq
qprocess.exe
57
process_nameeq
sc.exe
527
process_nameeq
wmic.exe
544
process_nameeq
arp.exe
48
process_nameeq
dsget.exe
47
process_nameeq
dsquery.exe
412
process_nameeq
gpresult.exe
47
process_nameeq
hostname.exe
47
process_nameeq
ipconfig.exe
48
process_nameeq
nbtstat.exe
47
process_nameeq
net1.exe
434
process_nameeq
netsh.exe
418
process_nameeq
netstat.exe
47
process_nameeq
nltest.exe
410
process_nameeq
ping.exe
49
process_nameeq
powershell.exe
499
process_nameeq
quser.exe
48
process_nameeq
qwinsta.exe
48
process_nameeq
reg.exe
420
process_nameeq
systeminfo.exe
47
process_nameeq
tracert.exe
46
process_nameeq
whoami.exe
411
process_nameeq
atbroker.exe
35
process_nameeq
bginfo.exe
36
process_nameeq
bitsadmin.exe
314
CommandLinematch
(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(config)|(share)|(use)|(u...
33
EventIDeq
4688
3312

Exclusions (48 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLinematch
(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c
2
usermatch
\$$
2
user.idin
S-1-5-18
2
user.idin
S-1-5-19
2
user.idin
S-1-5-20
2
CommandLinecontains
\catalina_start.bat
1
CommandLinecontains
\xampp\
1
CommandLinecontains
cmd.exe /c tasklist /v |
1
CommandLinecontains
find /i
1
CommandLinein
sc query "Axway_Integrator"
1
CommandLinein
sc query "Delta enteliVAULT PostgreSQL"
1
CommandLinein
sc query "WERMA-WIN-Connector"
1
CommandLinein
sc query _EWSSynchronizationServer_JDE
1
CommandLinein
sc queryex SCardSvr
1
CommandLinein
sc query SchneiderUPSMySQL
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 5 rules

Elastic 6 rules

Splunk 6 rules

Kusto 1 rule