Process Discovery, Technique T1057 - Enterprise
During the 2025 Poland Wiper Attacks, the adversaries enumerated currently running processes using tasklist.[5]
4H RAT has the capability to obtain a listing of running processes (including loaded modules).[6]
ADVSTORESHELL can list running processes.[7]
Agent Tesla can list the currently running processes on the system.[8]
Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.[9]
Andariel has used tasklist to enumerate processes and find a specific string.[10]
Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files.[11]
AppleSeed can enumerate the current process on a compromised host.[12]
APT1 gathered a list of running processes on the system using tasklist /v.[13]
An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[14]
APT3 has a tool that can list out currently running processes.[15][16]
APT37's Freenki malware lists running processes using the Microsoft Windows API.[17]
APT38 leveraged Sysmon to understand the processes and services in the organization.[18]
APT5 has used Windows-based utilities to carry out tasks including tasklist.exe.[19]
Aria-body has the ability to enumerate loaded modules for a process.[20]
The AshTag AshenOrchestrator component has process management functionality.[21]
Astaroth searches for different processes on the system.[22]
AsyncRAT can examine running processes to determine if a debugger is present.[23]
Avaddon has collected information about running processes.[24]
Avenger has the ability to use Tasklist to identify running processes.[25]
AvosLocker has discovered system processes by calling RmGetList.[26]
Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot.[27][28]
Babuk has the ability to check running processes on a targeted system.[29][30][31]
BabyShark has executed the tasklist command.[32]
Backdoor.Oldrea collects information about running processes.[33]
BACKSPACE may collect information about running processes.[34]
Bad Rabbit can enumerate all running processes to compare hashes.[35]
BADHATCH can retrieve a list of running processes from a compromised machine.[36]
Bankshot identifies processes and collects the process ids.[37]
Bazar can identify the current process on a compromised host.[38]
BBSRAT can list running processes.[39]
BISCUIT has a command to enumerate running processes and identify their owners.[40]
Bisonal can obtain a list of running processes on the victim’s machine.[41][42][43]
BLACKCOFFEE has the capability to discover processes.[44]
BlackEnergy has gathered a process list by using Tasklist.exe.[45][46][47]
BLUELIGHT can collect process filenames and SID authority level.[48]
Bonadan can use the ps command to discover other cryptocurrency miners active on the system.[49]
Brave Prince lists the running processes.[50]
BRICKSTORM has the ability to check if it is running as an active child process through the detection of a specific environment variable.[51]
Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs).[52]
Bumblebee can identify processes associated with analytical tools.[53][54][55]
Bundlore has used the ps command to list processes.[56]
During C0015, the threat actors used the tasklist /s command as well as taskmanager to obtain a list of running processes.[57]
CaddyWiper can obtain a list of current processes.[58]
Cannon can obtain a list of processes running on the system.[59][60]
Carbanak lists running processes.[61]
Carberp has collected a list of running processes.[62]
Carbon can list the processes on the victim’s machine.[63]
Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.[64]
Caterpillar WebShell can gather a list of processes running on the machine.[65]
CharmPower has the ability to list running processes through the use of tasklist.[66]
ChChes collects its process identifier (PID) on the victim.[67]
Chimera has used tasklist to enumerate processes.[68]
CHIMNEYSWEEP can check if a process name contains "creensaver."[69]
Clambling can enumerate processes on a targeted system.[70]
Clop can enumerate all processes on the victim's machine.[71]
COATHANGER will query running process information to determine subsequent program execution flow.[72]
Cobalt Strike's Beacon payload can collect information on process details.[73][74][75]
Comnie uses the tasklist to view running processes on the victim’s machine.[76]
Conti can enumerate through all open processes to search for any that have the string "sql" in their process name.[77]
Crimson contains a command to list processes.[78][79][80]
Cuba can enumerate processes running on a victim's machine.[81]
Cuckoo Stealer can use ps aux to enumerate running processes.[82]
Cyclops Blink can enumerate the process it is currently running under.[83]
Dacls can collect data on running and parent processes.[84]
DarkComet can list active processes running on the victim’s machine.[85]
DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values.[86][87]
Darkhotel malware can collect a list of running processes on a system.[88]
DarkTortilla can enumerate a list of running processes on a compromised system.[89]
Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[90]
Derusbi collects current and parent process IDs.[91][92]
Diavol has used CreateToolhelp32Snapshot, Process32First, and Process32Next API calls to enumerate the running processes in the system.[93]
Doki has searched for the current process’s PID.[94]
Donut includes subprojects that enumerate and identify information about Process Injection candidates.[95]
down_new has the ability to list running processes on a compromised host.[25]
DRATzarus can enumerate and examine running processes to determine if a debugger is present.[96]
Dtrack’s dropper can list all running processes.[97][98]
The discovery modules used with Duqu can collect information on process details.[99]
DUSTTRAP can enumerate running processes.[100]
DustySky collects information about running processes from victims.[101][102]
Earth Lusca has used Tasklist to obtain information from a compromised host.[103]
EKANS looks for processes from a hard-coded list.[104][105][106]
Elise enumerates processes via the tasklist command.[107]
ELMER is capable of performing process listings.[108]
Embargo has utilized MS4Killer to detect running processes on the victim device.[109] Embargo has also captured a snapshot of active running processes using the Windows API CreateToolhelp32Snapshot().[110]
Emotet has been observed enumerating local processes.[111]
Empire can find information about processes running on local and remote systems.[112][113]
Epic uses the tasklist /v command to obtain a list of processes.[114][115]
EvilBunny has used EnumProcesses() to identify how many processes are running in the environment.[116]
FatDuke can list running processes on the localhost.[117]
FELIXROOT collects a list of running processes.[118]
FIN7 has used the PowerShell script 3CF9.ps1 to perform process discovery by executing tasklist /v. Additionally, WsTaskLoad.exe executes tasklist /v to perform process discovery.[119]
Final1stspy obtains a list of running processes.[120]
FinFisher checks its parent process for indications that it is running in a sandbox setup.[121][122]
Flagpro has been used to run the tasklist command on a compromised system.[123]
FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's Microsoft.IdentityServer.ServiceHost.exe process.[124]
FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.[125]
During Frankenstein, the threat actors used Empire to obtain a list of all running processes.[113]
FruitFly has the ability to list processes on the system.[126]
FunnyDream has the ability to discover processes, including Bka.exe and BkavUtil.exe.[127]
During FunnyDream, the threat actors used Tasklist on targeted systems.[127]
Fysbis can collect information about running processes.[128]
Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.[129][130][131]
Gelsemium can enumerate running processes.[132]
GeminiDuke collects information on running processes and environment variables from the victim.[133]
Get2 has the ability to identify running processes on an infected host.[134]
gh0st RAT has the capability to list processes.[135]
Gold Dragon checks the running processes on the victim’s machine.[50]
Goopy has checked for the Google Updater process to ensure Goopy was loaded properly.[136]
Grandoreiro can identify installed security tools based on process names.[137]
GravityRAT lists the running processes on the system.[138]
HAFNIUM has used tasklist to enumerate processes.[139]
HALFBAKED can obtain information about running processes on the victim.[140]
Havoc can enumerate processes on targeted hosts.[141][142][143]
HELLOKITTY can search for specific processes to terminate.[144]
Helminth has used Tasklist to get information on processes.[14]
HEXANE has enumerated processes on targeted systems.[145]
Heyoka Backdoor can gather process information.[146]
HiddenFace can check running processes against a list of blocklisted applications.[147]
Higaisa’s shellcode attempted to find the process ID of the current process.[148]
HIUPAN has conducted process discovery to identify the PUBLOAD malware under the process WCBrowserWatcher.exe and will launch it from an install directory if it is not found.[149]
HotCroissant has the ability to list running processes on the infected host.[150]
Hydraq creates a backdoor through which remote attackers can monitor processes.[151][152]
iKitten lists the current processes running.[126]
Imminent Monitor has a "Process Watcher" feature to monitor processes in case the client ever crashes or gets closed.[153]
INC Ransomware can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt.[154]
Inception has used a reconnaissance module to identify active processes and other associated loaded modules.[155]
Industroyer2 has the ability to cyclically enumerate running processes such as PServiceControl.exe, PService_PDD.exe, and other targets supplied through a hardcoded configuration.[156]
InvisibleFerret has the capability to query installed programs and running processes.[157] InvisibleFerret has also identified running processes using the Python project "psutil".[158]
InvisiMole can obtain a list of running processes.[159][160]
IPsec Helper can identify the process it is currently running under and its number, and pass this back to a command and control node.[11]
IronNetInjector can identify processes via C# methods such as GetProcessesByName and running Tasklist with the Python os.popen function.[161]
Ixeshe can list running processes.[162]
Javali can monitor processes for open browsers and custom banking applications.[163]
JHUHUGIT obtains a list of running processes on the victim.[164][165]
JPIN can list running processes.[166]
jRAT can query and kill system processes.[167]
Kasidet has the ability to search for a given process name in processes currently running in the system.[168]
Kazuar obtains a list of running processes through WMI querying and the ps command.[169]
Ke3chang performs process discovery using tasklist commands.[170][171]
KEYMARBLE can obtain a list of running processes on the system.[172]
KillDisk has called GetCurrentProcess.[173]
Kimsuky can gather a list of all processes running on a victim's machine.[174] Kimsuky has also obtained running processes on the victim device utilizing PowerShell cmdlet Get-Process.[175]
Kinsing has used ps to list processes.[176]
The OsInfo function in Komplex collects a running process list.[177]
KONNI has used the command cmd /c tasklist to get a snapshot of the current processes on the target machine.[178][179]
KOPILUWAK can enumerate currently running processes on the targeted machine.[180]
Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.[181]
Kwampirs collects a list of running services with the command tasklist /v.[182]
LAMEHUG can gather process information on targeted systems.[183][184]
Latrodectus can enumerate running processes including process grandchildren on targeted hosts.[185][186][187]
Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[188][189][190][191][84][192]
If sent the command 16002, LightSpy uses the NSWorkspace runningApplications() method to collect the process ID, path to the executable, bundle information, and the filename of the executable for all running applications.[193]
Linfo creates a backdoor through which remote attackers can retrieve a list of running processes.[194]
Lizar has a plugin designed to obtain a list of processes.[195][196]
LockBit 2.0 can determine if a running process has administrative privileges and terminate processes that interfere with encryption or exfiltration.[197][198]
LockBit 3.0 can identify and terminate specific services.[199][200]
LODEINFO can kill a process using specific process ID.[201][202]
LookBack can list running processes.[203]
LoudMiner used the ps command to monitor the running processes on the system.[204]
LP-Notes has searched for the process taskhostw.exe.[205]
Lucifer can identify the process that owns remote connections.[206]
LunarWeb has used shell commands to list running processes.[207]
Machete has a component to check for running processes to look for web browsers.[208]
MacMa can enumerate running processes.[209]
macOS.OSAMiner has used ps ax | grep <name> | grep -v grep | ... and ps ax | grep -E... to conduct process discovery.[210]
Mafalda can enumerate running processes on a machine.[211]
Magic Hound malware can list running processes.[212]
MarkiRAT can search for different processes on a system.[213]
Maze has gathered all of the running system processes.[214]
Medusa Group has utilized a hard-coded list of security tool processes, which it identifies and terminates using an undocumented IOCTL code 0x222094.[215]
Medusa Ransomware has utilized an encoded list of the processes that it detects and terminates.[215][216][217]
Megazord can terminate a list of specified services and processes.[218]
metaMain can enumerate the processes that run on the platform.[211][219]
Metamorfo has performed process name checks and has monitored applications.[220]
Meteor can check if a specific process is running, such as Kaspersky's avp.exe.[221]
MgBot includes a module for establishing a process watchdog for itself, identifying if the MgBot process is still running.[222]
MirrorFace has used Tasklist on compromised hosts for discovery.[223]
Mispadu can enumerate the running processes on a compromised host.[224]
MobileOrder has a command to upload information about all running processes to its C2 server.[225]
Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[101]
MoonWind has a command to return a list of running processes.[226]
Mosquito runs tasklist to obtain running processes.[227]
MuddyViper has the ability to collect running processes.[205]
MuddyWater has used malware to obtain a list of running processes on the system.[228][229]
Mustang Panda has used tasklist /v to determine active process information.[230] Mustang Panda has also used TONESHELL malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.[231]
NavRAT uses tasklist /v to check running processes.[232]
Nebulae can enumerate processes on a target system.[233]
NETEAGLE can send process listings over the C2 channel.[34]
NETWIRE can discover processes on compromised hosts.[234]
NightClub has the ability to use GetWindowThreadProcessId to identify the process behind a specified window.[235]
Nightdoor can collect information on installed applications via Windows registry keys, as well as collecting information on running processes.[236]
Ninja can enumerate processes on a targeted host.[237][238]
njRAT can search a list of running processes for Tr.exe.[239]
NKAbuse will check victim systems to ensure only one copy of the malware is running.[240]
ObliqueRAT can check for blocklisted process names on a compromised host.[241]
OceanSalt can collect the name and ID for every process running on the system.[242]
OilRig has run tasklist on a victim's machine and used infostealers to capture processes.[243][244]
During Operation CuckooBees, the threat actors used the tasklist command as part of their advanced reconnaissance.[245]
During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using cmd /c tasklist > %temp%\temp.ini.[246]
During Operation Wocao, the threat actors used tasklist to collect a list of running processes on an infected system.[247]
Orz can gather a process list from the victim.[248]
OutSteel can identify running processes on a compromised host.[249]
P8RAT can check for specific processes associated with virtual environments.[250]
PAKLOG has detected and logged the full path of processes active in the foreground using Windows API calls.[251]
Pandora can monitor processes on a compromised host.[252]
Pasam creates a backdoor through which remote attackers can retrieve lists of running processes.[253]
PcShare can obtain a list of running processes on a compromised host.[127]
Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later.[254]
PipeMon can iterate over the running processes to find a suitable injection target.[255]
PLAINTEE performs the tasklist command to list running processes.[256]
Play has used the information stealer Grixba to check for a list of security processes.[257]
PLEAD has the ability to list processes on the compromised host.[258]
PlugX has a module to list the processes running on a machine.[259]
PoetRAT has the ability to list all running processes.[260]
POORAIM can enumerate processes.[261]
After compromising a victim, Poseidon Group lists all running processes.[262]
PowerDuke has a command to list the victim's processes.[263]
PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes.[264]
PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.[265][266]
PowerStallion has been used to monitor process lists.[267]
POWERSTATS has used get_tasklist to discover processes on the compromised host.[268]
POWRUNER may collect process information by running tasklist on a victim.[269]
Proxysvc lists processes running on the system.[191]
PUBLOAD has used tasklist to gather running processes on a victim host.[149] PUBLOAD has also leveraged the OpenEventA Windows API function to check whether the same process was already running.[231]
Pupy can list the running processes and get the process ID and parent process’s ID.[270]
PureCrypter can enumerate processes on compromised hosts.[271]
QakBot has the ability to check running processes.[272]
Qilin can define specific processes to be terminated or left alone at execution.[273][274][275][276][277][278]
RainyDay can enumerate processes on a target system.[233]
Ramsay can gather a list of running processes by using Tasklist.[279]
RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.[280]
Raspberry Robin can identify processes running on the victim machine, such as security software, during execution.[281][282]
RATANKBA lists the system’s processes.[283][284]
RCSession can identify processes based on PID.[285]
During RedPenguin, UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon.[286]
Remcos can discover running processes on compromised machines.[287]
Remsec can obtain a process list from the victim.[288]
Rising Sun can enumerate all running processes and process information on an infected machine.[289]
Rocke can detect a running process's PID on the infected machine.[290]
RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[291]
ROKRAT can list the currently running processes on the system.[292][293]
RotaJakiro can monitor the /proc/[PID] directory of known RotaJakiro processes as a part of its persistence when executing with non-root permissions. If the process is found dead, it resurrects the process. RotaJakiro processes can be matched to an associated Advisory Lock, in the /proc/locks folder, to ensure it doesn't spawn more than one process.[294]
Royal can use GetCurrentProcess to enumerate processes.[295]
RTM can obtain information about process integrity levels.[296]
Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[297]
Sagerunex identifies the explorer.exe process on the executing system.[298]
Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name dfrgui.exe.[249]
Sardonic has the ability to execute the tasklist command.[299]
SDBbot can enumerate a list of running processes on a compromised machine.[300]
Seasalt has a command to perform a process listing.[40]
ShadowPad has collected the PID of a malicious process.[301]
ShimRatReporter listed all running processes on the machine.[302]
SHOTPUT has a command to obtain a process listing.[303]
ShrinkLocker checks whether the Bitlocker Drive Encryption Tools service is running.[304]
Sidewinder has used tools to identify running processes on the victim's machine.[305]
SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[306]
Skidmap has monitored critical processes to ensure resiliency.[307]
SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.[308]
SocGholish can list processes on targeted hosts.[309]
Socksbot can list all running processes.[310]
SodaMaster can search a list of running processes.[250]
During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes.[311][312][313]
SombRAT can use the getprocesslist command to enumerate processes on a compromised host.[314][144][315]
SoreFang can enumerate processes on a victim machine through use of Tasklist.[316]
SPAWNCHIMERA has searched for running processes to include web or dsmdm.[317][318]
Stealth Falcon malware gathers a list of running processes.[319]
Storm-0501 has discovered running processes through tasklist.exe.[320]
StreamEx has the ability to enumerate processes.[321]
StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.[322]
SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[323]
SUNSPOT monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the corresponding value 0x53D525. It also extracted command-line arguments and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution.[324]
SVCReady can collect a list of running processes from an infected host.[325]
Sykipot may gather a list of running processes by running tasklist /v.[326]
SynAck enumerates all running processes.[327][328]
SYSCON has the ability to use Tasklist to list running processes.[329]
SystemBC has the ability to enumerate running processes.[330]
SysUpdate can collect information about running processes.[331]
Taidoor can use GetCurrentProcessId for process discovery.[332]
TAINTEDSCRIBE can execute ProcessList for process discovery.[333]
TajMahal has the ability to identify running processes and associated plugins on an infected host.[334]
Tasklist can be used to discover processes running on a system.[335]
TeamTNT has searched for rival malware and removes it if found.[336] TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.[337]
ThiefQuest obtains a list of running processes using the function kill_unwanted.[338]
ToddyCat has run cmd /c start /b tasklist to enumerate processes.[238]
TONESHELL has checked the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.[231] TONESHELL has also searched for running antivirus processes to include ESET’s antivirus associated executables ekrn.exe and egui.exe.[339]
TRAILBLAZE has conducted process discovery by searching for specific named processes such as /home/bin/web.[340][341]
TrickBot uses module networkDll for process list discovery.[342][343]
Trojan.Karagany can use Tasklist to collect a list of running tasks.[33][344]
Tropic Trooper is capable of enumerating the running processes on the system using pslist.[345][346]
TSCookie has the ability to list processes on the infected host.[347]
Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[114] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[267]
UBoatRAT can list running processes on the system.[348]
UNC3886 has run scripts to list all running processes on a guest VM from an ESXi host.[349]
UPSTYLE has the ability to read /proc/self/cmdline to see if it is running as a monitored process.[350]
Uroburos can use its Process List command to enumerate processes on compromised hosts.[351]
Ursnif has gathered information about running processes.[352][353]
USBferry can use tasklist to gather information about the processes running on the infected system.[346]
Valak has the ability to enumerate running processes on a compromised host.[354]
VERMIN can get a list of the processes and running tasks on the system.[355]
Volgmer can gather a list of processes.[356]
Volt Typhoon has enumerated running processes on targeted systems including through the use of Tasklist.[357][358][359]
WarzoneRAT can obtain a list of processes on a compromised host.[360]
Waterbear can identify the process for a specific security product.[361]
Windshift has used malware to enumerate active processes.[362]
WINERACK can enumerate processes.[261]
WinMM sets a WH_CBT Windows hook to collect information on process creation.[363]
Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.[364]
Winnti Group looked for a specific process running on infected servers.[365]
Woody RAT can call NtQuerySystemProcessInformation with SystemProcessInformation to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner.[366]
XAgentOSX contains the getProcessList function to run ps aux to get running processes.[367]
yty gets an output of running processes using the tasklist command.[368]
Zebrocy uses the tasklist and wmic process get Capture, ExecutablePath commands to gather the processes running on the system.[59][369][60][370][371]
Zeus Panda checks for running processes on the victim’s machine.[372]
ZIPLINE can identify running processes and their names.[373]
Zox has the ability to list processes.[374]
ZxShell has a command, ps, to obtain a listing of processes on the system.[375]
ZxxZ has created a snapshot of running processes using CreateToolhelp32Snapshot.[376]