Loaded Module Enumeration Via Tasklist.EXE

Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.

Sigma rule (View on GitHub)

 1title: Loaded Module Enumeration Via Tasklist.EXE
 2id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
 3status: experimental
 4description: |
 5    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
 6    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
 7    In order to dump the process memory or perform other nefarious actions.    
 8references:
 9    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
10    - https://pentestlab.blog/tag/svchost/
11author: Swachchhanda Shrawan Poudel
12date: 2024/02/12
13tags:
14    - attack.t1003
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_img:
20        - Image|endswith: '\tasklist.exe'
21        - OriginalFileName: 'tasklist.exe'
22    selection_flags:
23        CommandLine|contains:
24            - '/m'
25            - '-m'
26    selection_module:
27        # Note: add other interesting modules or binaries
28        CommandLine|contains: 'rdpcorets.dll'
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

Related rules

to-top