List remote processes using tasklist
Detecting the use of tasklist to display processes of remote hosts using the /S parameter.
Sigma rule (View on GitHub)
1title: List remote processes using tasklist
2id: 80a56507-6778-4d04-8346-320a70358f2c
3description: Detecting the use of tasklist to display processes of remote hosts using the /S parameter.
4status: experimental
5date: 2023-06-12
6modified: 2024-02-23
7author: "@kostastsale, @TheDFIRReport"
8references:
9 - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
10logsource:
11 category: process_creation
12 product: windows
13detection:
14 selection1:
15 Image|endswith:
16 - '\tasklist.exe'
17 CommandLine|contains:
18 - ' /S '
19 condition: selection1
20falsepositives:
21 - Administrative activity
22level: low
23tags:
24 - attack.discovery #TA0007
25 - attack.t1057
26 - dist.public
References
-
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More
Read More
Related rules
- Viewing remote directories
- Cisco Discovery
- NetScan Share Enumeration Write Access Check
- HackTool - PCHunter Execution
- Recon Command Output Piped To Findstr.EXE