Process Discovery
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network.
Sigma rule
```yaml
title: Process Discovery
id: 4e2f5868-08d4-413d-899f-dc2f1508627b
status: stable
description: |
  Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
  Information obtained could be used to gain an understanding of common software/applications running on systems within the network
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
author: Ömer Günal, oscd.community
date: 2020-10-06
modified: 2022-07-07
tags:
  - attack.discovery
  - attack.t1057
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/ps'
      - '/top'
  condition: selection
falsepositives:
  - Legitimate administration activities
level: informational
```
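The following is an added example, not part of the Sigma rule or the SigmaHQ project, showing what the rule's selection logic amounts to when applied to Linux process_creation telemetry. It evaluates the `Image|endswith` condition from the rule above over a handful of constructed JSON-lines events (the field names `Image`, `CommandLine`, `User` and `ParentImage` follow the Sigma process_creation taxonomy; the event content itself is made up). It assumes the default Sigma string-matching semantics, which are case-insensitive, so a binary named `TOP` also matches, while `pstree` does not because `endswith` requires the path to end exactly in `/ps` or `/top`. Because the rule is `informational` and its stated false positive is ordinary administration, each finding carries user and parent-process context for triage rather than being treated as an alert on its own.

```python
import json

# Values taken from the Sigma rule on this page.
RULE_TITLE = "Process Discovery"
RULE_ID = "4e2f5868-08d4-413d-899f-dc2f1508627b"
RULE_LEVEL = "informational"
IMAGE_SUFFIXES = ("/ps", "/top")  # selection: Image|endswith

# Constructed sample process_creation events (JSON lines); not real telemetry.
# The last line deliberately lacks an Image field to exercise the missing-field path.
SAMPLE_LOG = """\
{"Image": "/usr/bin/ps", "CommandLine": "ps aux", "User": "www-data", "ParentImage": "/bin/sh"}
{"Image": "/usr/bin/top", "CommandLine": "top -b -n 1", "User": "root", "ParentImage": "/usr/bin/bash"}
{"Image": "/usr/bin/pstree", "CommandLine": "pstree -p", "User": "alice", "ParentImage": "/usr/bin/bash"}
{"Image": "/usr/bin/ls", "CommandLine": "ls /proc", "User": "alice", "ParentImage": "/usr/bin/bash"}
{"Image": "/opt/tools/TOP", "CommandLine": "TOP", "User": "bob", "ParentImage": "/usr/bin/zsh"}
{"CommandLine": "ps -ef", "User": "carol", "ParentImage": "/usr/bin/bash"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_matches(image):
    """Sigma 'Image|endswith' with the default case-insensitive string semantics.

    A missing or non-string Image never matches, mirroring how a Sigma backend
    treats an absent field.
    """
    if not isinstance(image, str):
        return False
    lowered = image.lower()
    return any(lowered.endswith(suffix) for suffix in IMAGE_SUFFIXES)


def evaluate(events):
    """Return one finding per event that satisfies the rule's selection.

    Each finding keeps the user and parent process so an analyst can separate
    routine administration (the rule's documented false positive) from
    discovery activity worth a closer look.
    """
    findings = []
    for event in events:
        if image_matches(event.get("Image")):
            findings.append({
                "rule": RULE_TITLE,
                "rule_id": RULE_ID,
                "level": RULE_LEVEL,
                "image": event["Image"],
                "command_line": event.get("CommandLine", ""),
                "user": event.get("User", ""),
                "parent_image": event.get("ParentImage", ""),
            })
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_LOG)):
        print(f"[{f['level']}] {f['rule']}: {f['user']} ran {f['image']} "
              f"({f['command_line']}) from {f['parent_image']}")
```

Running the script yields three findings (`/usr/bin/ps`, `/usr/bin/top` and `/opt/tools/TOP`); the `pstree` and `ls` events and the event with no `Image` field are ignored. In a real pipeline the same selection would be compiled by a Sigma backend into the query language of the SIEM rather than evaluated in Python, but the matching semantics are the ones shown here.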
Related rules
- Cisco Discovery
- HackTool - PCHunter Execution
- Recon Command Output Piped To Findstr.EXE
- Suspicious Process Discovery With Get-Process
- List remote processes using tasklist