List remote processes using tasklist

calendar Feb 23, 2024 · attack.discovery attack.t1057 dist.public  ·
Share on: linkedin copy

Detecting the use of tasklist to display processes of remote hosts using the /S parameter.

Sigma rule (View on GitHub)

 1title: List remote processes using tasklist
 2id: 80a56507-6778-4d04-8346-320a70358f2c
 3description: Detecting the use of tasklist to display processes of remote hosts using the /S parameter.
 4status: experimental
 5date: 2023-06-12
 6modified: 2024-02-23
 7author: "@kostastsale, @TheDFIRReport"
 8references:
 9    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
10logsource:
11    category: process_creation
12    product: windows
13detection:
14    selection1:
15        Image|endswith:
16            - '\tasklist.exe'
17        CommandLine|contains:
18            - ' /S '
19    condition: selection1
20falsepositives:
21    - Administrative activity
22level: low
23tags:
24    - attack.discovery #TA0007
25    - attack.t1057
26    - dist.public

References

  • A Truly Graceful Wipe Out

    In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment of …


    Read More

Related rules

to-top