Process Discovery via Tasklist
Adversaries may attempt to get information about running processes on a system.
Elastic detection rule (source on GitHub)
# Elastic prebuilt detection rule in the detection-rules repository's TOML layout.
# NOTE: maturity is "deprecated" (deprecation_date 2021/04/15); presumably retained
# for history rather than loaded as an active detection.
[metadata]
creation_date = "2020/02/18"
deprecation_date = "2021/04/15"
maturity = "deprecated"
updated_date = "2021/04/15"

[rule]
author = ["Elastic"]
description = "Adversaries may attempt to get information about running processes on a system."
# Documented benign usage: plain execution of tasklist is expected from administrators,
# which is why the rule is scored low. The match only gains meaning when correlated
# with an earlier foothold indicator.
false_positives = [
 """
 Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not
 indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like
 tasklist to get information about running processes.
 """,
]
# Start of the query window relative to each rule run (Kibana rule `from` field).
from = "now-9m"
# Index patterns searched (Winlogbeat, Endpoint process event stream, Windows integration data streams).
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
# `type = "query"` with `language = "kuery"`: the query below is KQL, not EQL.
language = "kuery"
license = "Elastic License v2"
name = "Process Discovery via Tasklist"
# risk_score and severity are kept in step (21 / low).
risk_score = 21
rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
# Evaluate the lookback window against ingest time rather than @timestamp, so events
# that arrive late are not skipped.
timestamp_override = "event.ingested"
type = "query"

# Matches process start events whose file name is tasklist.exe.
# NOTE(review): the match is on process.name only, so a renamed copy of the binary
# is not caught, and no parent-process or argument context is required; a broader
# match on e.g. process.pe.original_file_name was not part of this rule.
query = '''
event.category:process and event.type:(start or process_started) and process.name:tasklist.exe
'''


# ATT&CK mapping: technique T1057 (Process Discovery) under tactic TA0007 (Discovery).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"