List remote processes using tasklist

Detects the use of tasklist to display processes on remote hosts using the /S parameter.

Sigma rule

title: List remote processes using tasklist
id: 80a56507-6778-4d04-8346-320a70358f2c
description: Detecting the use of tasklist to display processes of remote hosts using the /S parameter.
status: experimental
date: 2023-06-12
modified: 2024-02-23
author: "@kostastsale, @TheDFIRReport"
references:
    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tasklist.exe'
        CommandLine|contains: ' /S '
    condition: selection
falsepositives:
    - Administrative activity
level: low
tags:
    - attack.discovery #TA0007
    - attack.t1057
    - dist.public
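
The following is an added example, not part of the rule or written by its authors: a minimal Python evaluator for this rule's `selection`, run over constructed process-creation events, to show which command lines the rule fires on. It assumes events carry the `Image` and `CommandLine` fields used in the rule and applies Sigma's default case-insensitive string matching; the host name and events are constructed.

```python
# Added example: evaluate the rule's selection against constructed events.
# Fields inside one Sigma selection are ANDed; string matching is
# case-insensitive by default.

SELECTION = {
    "Image|endswith": "\\tasklist.exe",
    "CommandLine|contains": " /S ",
}


def field_matches(key, pattern, event):
    """Apply one 'Field|modifier: pattern' entry to an event dict."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False  # a missing field can never satisfy the selection
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    return value == pattern  # no modifier: exact (case-insensitive) match


def rule_matches(event, selection=SELECTION):
    """condition: selection -> every field entry must match."""
    return all(field_matches(k, p, event) for k, p in selection.items())


TASKLIST = r"C:\Windows\System32\tasklist.exe"

# Constructed sample events (HOST01 is a placeholder host name).
EVENTS = [
    {"Image": TASKLIST, "CommandLine": "tasklist /S HOST01"},        # remote query
    {"Image": TASKLIST, "CommandLine": "tasklist /s host01 /v"},     # lowercase flag
    {"Image": TASKLIST, "CommandLine": "tasklist /SVC"},             # local, services view
    {"Image": TASKLIST, "CommandLine": 'tasklist /FI "STATUS eq running"'},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": "findstr /S error *.log"},                       # other binary with /S
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{rule_matches(ev)!s:5}  {ev['CommandLine']}")
```

The trailing space in `' /S '` is what keeps the local `tasklist /SVC` invocation from matching, and the `Image` condition keeps other binaries that take `/S` out of the results.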
