Loaded Module Enumeration Via Tasklist.EXE
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.
Sigma rule (View on GitHub)
1title: Loaded Module Enumeration Via Tasklist.EXE
2id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
3status: experimental
4description: |
5 Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
6 This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
7 In order to dump the process memory or perform other nefarious actions.
8references:
9 - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
10 - https://pentestlab.blog/tag/svchost/
11author: Swachchhanda Shrawan Poudel
12date: 2024/02/12
13modified: 2024/03/13
14tags:
15 - attack.t1003
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection_img:
21 - Image|endswith: '\tasklist.exe'
22 - OriginalFileName: 'tasklist.exe'
23 selection_flags:
24 CommandLine|contains|windash: '-m'
25 selection_module:
26 # Note: add other interesting modules or binaries
27 CommandLine|contains: 'rdpcorets.dll'
28 condition: all of selection_*
29falsepositives:
30 - Unknown
31level: medium
References
-
Recently I was browsing Twitter and came across a very interesting tweet: Umm- why can I find the password I used to connect to a remote desktop service in cleartext in memory of RDP service? First...
Read More -
Related rules
- Capture Credentials with Rpcping.exe
- OpenCanary - MSSQL Login Attempt Via SQLAuth
- OpenCanary - MSSQL Login Attempt Via Windows Authentication
- OpenCanary - MySQL Login Attempt
- OpenCanary - REDIS Action Command Attempt