Process Discovery, Technique T1057 - Enterprise
4H RAT has the capability to obtain a listing of running processes (including loaded modules).[3]
ADVSTORESHELL can list running processes.[4]
Agent Tesla can list the current running processes on the system.[5]
Andariel has used tasklist to enumerate processes and find a specific string.[6]
AppleSeed can enumerate the current process on a compromised host.[7]
APT1 gathered a list of running processes on the system using tasklist /v.[8]
An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[9]
APT3 has a tool that can list out currently running processes.[10][11]
APT37's Freenki malware lists running processes using the Microsoft Windows API.[12]
APT38 leveraged Sysmon to understand the processes and services running in the organization.[13]
Aria-body has the ability to enumerate loaded modules for a process.[14]
Astaroth searches for different processes on the system.[15]
AsyncRAT can examine running processes to determine if a debugger is present.[16]
Avaddon has collected information about running processes.[17]
Avenger has the ability to use Tasklist to identify running processes.[18]
AvosLocker has discovered system processes by calling RmGetList.[19]
Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot.[20][21]
Babuk has the ability to check running processes on a targeted system.[22][23][24]
BabyShark has executed the tasklist command.[25]
Backdoor.Oldrea collects information about running processes.[26]
BACKSPACE may collect information about running processes.[27]
Bad Rabbit can enumerate all running processes to compare hashes.[28]
BADHATCH can retrieve a list of running processes from a compromised machine.[29]
Bankshot identifies processes and collects the process ids.[30]
Bazar can identify the current process on a compromised host.[31]
BBSRAT can list running processes.[32]
BISCUIT has a command to enumerate running processes and identify their owners.[33]
Bisonal can obtain a list of running processes on the victim’s machine.[34][35][36]
BLACKCOFFEE has the capability to discover processes.[37]
BlackEnergy has gathered a process list by using Tasklist.exe.[38][39][40]
BLUELIGHT can collect process filenames and SID authority level.[41]
Bonadan can use the ps command to discover other cryptocurrency miners active on the system.[42]
Brave Prince lists the running processes.[43]
Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs).[44]
Bumblebee can identify processes associated with analytical tools.[45][46][47]
Bundlore has used the ps command to list processes.[48]
During C0015, the threat actors used the tasklist /s command as well as Task Manager to obtain a list of running processes.[49]
CaddyWiper can obtain a list of current processes.[50]
Cannon can obtain a list of processes running on the system.[51][52]
Carbanak lists running processes.[53]
Carberp has collected a list of running processes.[54]
Carbon can list the processes on the victim’s machine.[55]
Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.[56]
Caterpillar WebShell can gather a list of processes running on the machine.[57]
CharmPower has the ability to list running processes through the use of tasklist.[58]
ChChes collects its process identifier (PID) on the victim.[59]
Chimera has used tasklist to enumerate processes.[60]
Clambling can enumerate processes on a targeted system.[61]
Clop can enumerate all processes on the victim's machine.[62]
Cobalt Strike's Beacon payload can collect information on process details.[63][64][65]
Comnie uses the tasklist to view running processes on the victim’s machine.[66]
Conti can enumerate through all open processes to search for any that have the string "sql" in their process name.[67]
Crimson contains a command to list processes.[68][69][70]
Cuba can enumerate processes running on a victim's machine.[71]
Cyclops Blink can enumerate the process it is currently running under.[72]
Dacls can collect data on running and parent processes.[73]
DarkComet can list active processes running on the victim’s machine.[74]
Darkhotel malware can collect a list of running processes on a system.[75]
DarkTortilla can enumerate a list of running processes on a compromised system.[76]
Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[77]
Derusbi collects current and parent process IDs.[78][79]
Diavol has used CreateToolhelp32Snapshot, Process32First, and Process32Next API calls to enumerate the running processes in the system.[80]
Doki has searched for the current process’s PID.[81]
Donut includes subprojects that enumerate and identify information about Process Injection candidates.[82]
down_new has the ability to list running processes on a compromised host.[18]
DRATzarus can enumerate and examine running processes to determine if a debugger is present.[83]
Dtrack’s dropper can list all running processes.[84][85]
The discovery modules used with Duqu can collect information on process details.[86]
DustySky collects information about running processes from victims.[87][88]
Earth Lusca has used Tasklist to obtain information from a compromised host.[89]
EKANS looks for processes from a hard-coded list.[90][91][92]
Elise enumerates processes via the tasklist command.[93]
ELMER is capable of performing process listings.[94]
Emotet has been observed enumerating local processes.[95]
Empire can find information about processes running on local and remote systems.[96][97]
Epic uses the tasklist /v command to obtain a list of processes.[98][99]
EvilBunny has used EnumProcesses() to identify how many processes are running in the environment.[100]
FatDuke can list running processes on the localhost.[101]
FELIXROOT collects a list of running processes.[102]
Final1stspy obtains a list of running processes.[103]
FinFisher checks its parent process for indications that it is running in a sandbox setup.[104][105]
Flagpro has been used to run the tasklist command on a compromised system.[106]
FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's Microsoft.IdentityServer.ServiceHost.exe process.[107]
FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.[108]
During Frankenstein, the threat actors used Empire to obtain a list of all running processes.[97]
FruitFly has the ability to list processes on the system.[109]
FunnyDream has the ability to discover processes, including Bka.exe and BkavUtil.exe.[110]
During FunnyDream, the threat actors used Tasklist on targeted systems.[110]
Fysbis can collect information about running processes.[111]
Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.[112][113]
Gelsemium can enumerate running processes.[114]
GeminiDuke collects information on running processes and environment variables from the victim.[115]
Get2 has the ability to identify running processes on an infected host.[116]
gh0st RAT has the capability to list processes.[117]
Gold Dragon checks the running processes on the victim’s machine.[43]
Goopy has checked for the Google Updater process to ensure Goopy was loaded properly.[118]
Grandoreiro can identify installed security tools based on process names.[119]
GravityRAT lists the running processes on the system.[120]
HAFNIUM has used tasklist to enumerate processes.[121]
HALFBAKED can obtain information about running processes on the victim.[122]
HELLOKITTY can search for specific processes to terminate.[123]
Helminth has used Tasklist to get information on processes.[9]
HEXANE has enumerated processes on targeted systems.[124]
Heyoka Backdoor can gather process information.[125]
Higaisa’s shellcode attempted to find the process ID of the current process.[126]
HotCroissant has the ability to list running processes on the infected host.[127]
Hydraq creates a backdoor through which remote attackers can monitor processes.[128][129]
iKitten lists the current processes running.[109]
Imminent Monitor has a "Process Watcher" feature to monitor processes in case the client ever crashes or gets closed.[130]
Inception has used a reconnaissance module to identify active processes and other associated loaded modules.[131]
Industroyer2 has the ability to cyclically enumerate running processes such as PServiceControl.exe, PService_PDD.exe, and other targets supplied through a hardcoded configuration.[132]
InvisiMole can obtain a list of running processes.[133][134]
IronNetInjector can identify processes via C# methods such as GetProcessesByName and running Tasklist with the Python os.popen function.[135]
Ixeshe can list running processes.[136]
Javali can monitor processes for open browsers and custom banking applications.[137]
JHUHUGIT obtains a list of running processes on the victim.[138][139]
JPIN can list running processes.[140]
jRAT can query and kill system processes.[141]
Kasidet has the ability to search for a given process name in processes currently running in the system.[142]
Kazuar obtains a list of running processes through WMI querying and the ps command.[143]
Ke3chang performs process discovery using tasklist commands.[144][145]
KEYMARBLE can obtain a list of running processes on the system.[146]
KillDisk has called GetCurrentProcess.[147]
Kimsuky can gather a list of all processes running on a victim's machine.[148]
Kinsing has used ps to list processes.[149]
The OsInfo function in Komplex collects a running process list.[150]
KONNI has used the command cmd /c tasklist to get a snapshot of the current processes on the target machine.[151][152]
KOPILUWAK can enumerate current running processes on the targeted machine.[153]
Kwampirs collects a list of running processes with the command tasklist /v.[154]
Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[155][156][157][158][73][159]
Linfo creates a backdoor through which remote attackers can retrieve a list of running processes.[160]
Lizar has a plugin designed to obtain a list of processes.[161][162]
LookBack can list running processes.[163]
LoudMiner used the ps command to monitor the running processes on the system.[164]
Lucifer can identify the process that owns remote connections.[165]
Machete has a component to check for running processes to look for web browsers.[166]
MacMa can enumerate running processes.[167]
macOS.OSAMiner has used ps ax | grep <name> | grep -v grep | ... and ps ax | grep -E... to conduct process discovery.[168]
Mafalda can enumerate running processes on a machine.[169]
Magic Hound malware can list running processes.[170]
MarkiRAT can search for different processes on a system.[171]
Maze has gathered all of the running system processes.[172]
metaMain can enumerate the processes that run on the platform.[169][173]
Metamorfo has performed process name checks and has monitored applications.[174]
Meteor can check if a specific process is running, such as Kaspersky's avp.exe.[175]
MobileOrder has a command to upload information about all running processes to its C2 server.[176]
Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[87]
MoonWind has a command to return a list of running processes.[177]
Mosquito runs tasklist to obtain running processes.[178]
MuddyWater has used malware to obtain a list of running processes on the system.[179][180]
Mustang Panda has used tasklist /v to determine active process information.[181]
NavRAT uses tasklist /v to check running processes.[182]
Nebulae can enumerate processes on a target system.[183]
NETEAGLE can send process listings over the C2 channel.[27]
NETWIRE can discover processes on compromised hosts.[184]
NightClub has the ability to use GetWindowThreadProcessId to identify the process behind a specified window.[185]
njRAT can search a list of running processes for Tr.exe.[186]
ObliqueRAT can check for blocklisted process names on a compromised host.[187]
OceanSalt can collect the name and ID for every process running on the system.[188]
OilRig has run tasklist on a victim's machine.[189]
During Operation CuckooBees, the threat actors used the tasklist command as part of their advanced reconnaissance.[190]
During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using cmd /c tasklist > %temp%\temp.ini.[191]
During Operation Wocao, the threat actors used tasklist to collect a list of running processes on an infected system.[192]
Orz can gather a process list from the victim.[193]
OutSteel can identify running processes on a compromised host.[194]
P8RAT can check for specific processes associated with virtual environments.[195]
Pandora can monitor processes on a compromised host.[196]
Pasam creates a backdoor through which remote attackers can retrieve lists of running processes.[197]
PcShare can obtain a list of running processes on a compromised host.[110]
Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later.[198]
PipeMon can iterate over the running processes to find a suitable injection target.[199]
PLAINTEE performs the tasklist command to list running processes.[200]
PLEAD has the ability to list processes on the compromised host.[201]
PlugX has a module to list the processes running on a machine.[202]
PoetRAT has the ability to list all running processes.[203]
POORAIM can enumerate processes.[204]
After compromising a victim, Poseidon Group lists all running processes.[205]
PowerDuke has a command to list the victim's processes.[206]
PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes.[207]
PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.[208][209]
PowerStallion has been used to monitor process lists.[210]
POWERSTATS has used get_tasklist to discover processes on the compromised host.[211]
POWRUNER may collect process information by running tasklist on a victim.[212]
Proxysvc lists processes running on the system.[158]
Pupy can list the running processes and get the process ID and parent process’s ID.[213]
QakBot has the ability to check running processes.[214]
RainyDay can enumerate processes on a target system.[183]
Ramsay can gather a list of running processes by using Tasklist.[215]
RATANKBA lists the system’s processes.[216][217]
RCSession can identify processes based on PID.[218]
Remsec can obtain a process list from the victim.[219]
Rising Sun can enumerate all running processes and process information on an infected machine.[220]
Rocke can detect a running process's PID on the infected machine.[221]
RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[222]
ROKRAT can list the current running processes on the system.[223][224]
RotaJakiro can monitor the /proc/[PID] directory of known RotaJakiro processes as part of its persistence when executing with non-root permissions. If the process is found dead, it restarts it. RotaJakiro processes can be matched to an associated advisory lock in /proc/locks to ensure it doesn't spawn more than one process.[225]
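The Linux entries above (the ps-based discovery of Bonadan, Bundlore, Kinsing, macOS.OSAMiner and XAgentOSX, and RotaJakiro's /proc/[PID] liveness check) all reduce to reading procfs. The following is an added example, written for this page and not code from any of the listed tools, that enumerates a procfs tree, matches a process by name the way the ps ax | grep <name> | grep -v grep idiom does, and checks whether a given PID is still alive. It reads the real /proc by default; the sample tree it can build is constructed here for offline runs and does not come from a real host.

```python
"""Process discovery from procfs: the logic behind `ps ax | grep <name>` and
behind watching /proc/<pid> for liveness.

Added example, not code from RotaJakiro, Kinsing or the ATT&CK page. The
sample process table below is constructed for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # kernel thread name; Linux truncates it to 15 chars
    cmdline: List[str]   # argv as recorded in /proc/<pid>/cmdline


def _read(path: str) -> str:
    """Read a procfs file, tolerating processes that exit mid-enumeration."""
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return ""


def iter_procs(proc_root: str = "/proc") -> Iterator[Proc]:
    """Yield one Proc per numeric directory under proc_root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        comm = _read(os.path.join(base, "comm")).strip()
        if not comm:
            continue  # raced with process exit
        ppid = 0
        m = re.search(r"^PPid:\s+(\d+)", _read(os.path.join(base, "status")), re.M)
        if m:
            ppid = int(m.group(1))
        argv = [a for a in _read(os.path.join(base, "cmdline")).split("\0") if a]
        yield Proc(int(entry), ppid, comm, argv)


def find_by_name(name: str, proc_root: str = "/proc") -> List[Proc]:
    """Match on comm or on basename(argv[0]) rather than the whole command line.

    Matching the full command line is why shell one-liners need `grep -v grep`:
    the searching process itself carries the target name in its arguments.
    Checking argv[0] as well covers names longer than the 15-char comm limit.
    """
    wanted = name.lower()
    hits = []
    for p in iter_procs(proc_root):
        argv0 = os.path.basename(p.cmdline[0]).lower() if p.cmdline else ""
        if p.comm.lower() == wanted or argv0 == wanted:
            hits.append(p)
    return hits


def is_alive(pid: int, proc_root: str = "/proc") -> bool:
    """RotaJakiro-style watchdog test: the PID is alive while /proc/<pid> exists."""
    return os.path.isdir(os.path.join(proc_root, str(pid)))


# Constructed sample process table (pid, ppid, comm, argv); not from a real host.
SAMPLE = [
    (1, 0, "systemd", ["/sbin/init"]),
    (2301, 1, "sshd", ["/usr/sbin/sshd", "-D"]),
    (4410, 2301, "bash", ["-bash"]),
    (4512, 4410, "grep", ["grep", "kinsing"]),  # the searcher itself
    (4399, 1, "kinsing", ["/tmp/kinsing"]),
]


def sample_tree(procs=SAMPLE) -> str:
    """Build a fake procfs tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    for pid, ppid, comm, argv in procs:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{comm}\nPid:\t{pid}\nPPid:\t{ppid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write("\0".join(argv).encode() + b"\0")
    return root


if __name__ == "__main__":
    root = sample_tree()
    for p in find_by_name("kinsing", root):
        print(p, "alive:", is_alive(p.pid, root))
```

Run against the real /proc by omitting the proc_root argument. Note that the grep process in the sample carries "kinsing" in its arguments but is not returned, which is the behaviour the grep -v grep filter exists to reproduce.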
Royal can use GetCurrentProcess to enumerate processes.[226]
RTM can obtain information about process integrity levels.[227]
Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[228]
Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name dfrgui.exe.[194]
Sardonic has the ability to execute the tasklist command.[229]
SDBbot can enumerate a list of running processes on a compromised machine.[230]
Seasalt has a command to perform a process listing.[33]
ShadowPad has collected the PID of a malicious process.[231]
ShimRatReporter listed all running processes on the machine.[232]
SHOTPUT has a command to obtain a process listing.[233]
Sidewinder has used tools to identify running processes on the victim's machine.[234]
SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[235]
Skidmap has monitored critical processes to ensure resiliency.[236]
SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.[237]
Socksbot can list all running processes.[238]
SodaMaster can search a list of running processes.[195]
During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes.[239][240][241]
SombRAT can use the getprocesslist command to enumerate processes on a compromised host.[242][123][243]
SoreFang can enumerate processes on a victim machine through use of Tasklist.[244]
Stealth Falcon malware gathers a list of running processes.[245]
StreamEx has the ability to enumerate processes.[246]
StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.[247]
SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[248]
SUNSPOT monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the corresponding value 0x53D525. It also extracted command-line arguments and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution.[249]
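SUNBURST and SUNSPOT both avoid carrying readable process names by comparing hashes of the running process list against hardcoded values. The following is an added example, not code from either sample or from the ATT&CK page, that shows the pattern in outline: 64-bit FNV-1a over the lowercased process name, XORed with a constant, checked against a set of precomputed hashes. The XOR key and the blocklisted tool names are assumptions chosen for illustration, not the values recovered from the real samples, and SUNSPOT's 0x53D525 comparison uses its own, different hash. The second half shows the analyst's side: recovering the names by hashing a candidate list.

```python
"""Hashed process-name blocklist (SUNBURST-style) and its recovery.

Added example, not code from the SolarWinds samples or the ATT&CK page.
XOR_KEY and _ANALYSIS_TOOLS are illustrative assumptions.
"""
import os
from typing import Dict, Iterable

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Assumed XOR key; the real implant used its own constant.
XOR_KEY = 0x5BAC903BA7D81967


def fnv1a64_xor(name: str, key: int = XOR_KEY) -> int:
    """FNV-1a 64 over the lowercased name, then XOR with a key.

    Lowercasing gives the case-insensitive match Windows process names need;
    the XOR keeps the stored values from matching public FNV tables.
    """
    h = FNV64_OFFSET
    for b in name.lower().encode("utf-8"):
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h ^ key


# Assumed analysis tools an implant might refuse to run beside (constructed).
_ANALYSIS_TOOLS = ["procmon", "procexp", "wireshark", "x64dbg", "ida64", "autoruns"]

# Only these hashes would ship in the binary; no tool name appears as a string.
BLOCKLIST_HASHES = frozenset(fnv1a64_xor(n) for n in _ANALYSIS_TOOLS)


def should_abort(running_names: Iterable[str]) -> bool:
    """Implant-side check over a process listing (e.g. image names from tasklist).

    The extension is stripped so 'Procmon.exe' hashes the same as 'procmon',
    mirroring .NET's Process.ProcessName, which carries no extension.
    """
    for n in running_names:
        stem = os.path.splitext(n)[0]
        if fnv1a64_xor(stem) in BLOCKLIST_HASHES:
            return True
    return False


def recover_names(hashes: Iterable[int], candidates: Iterable[str],
                  key: int = XOR_KEY) -> Dict[int, str]:
    """Analyst-side: map recovered hashes back to names via a candidate wordlist.

    A hashed blocklist is only as opaque as the wordlist an analyst can guess;
    hashing a few thousand known tool names resolves most entries.
    """
    table = {fnv1a64_xor(c, key): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    # Constructed process listing, not captured from a real host.
    listing = ["svchost.exe", "explorer.exe", "Procmon.exe"]
    print("abort:", should_abort(listing))
    print(recover_names(BLOCKLIST_HASHES, ["notepad", "wireshark", "procexp"]))
```

The defensive lesson is in recover_names: once the hash function and key are pulled from the binary, the blocklist is a dictionary attack away from being readable, which is how the SUNBURST process blocklist was published.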
SVCReady can collect a list of running processes from an infected host.[250]
Sykipot may gather a list of running processes by running tasklist /v.[251]
SynAck enumerates all running processes.[252][253]
SYSCON has the ability to use Tasklist to list running processes.[254]
SysUpdate can collect information about running processes.[255]
Taidoor can use GetCurrentProcessId for process discovery.[256]
TAINTEDSCRIBE can execute ProcessList for process discovery.[257]
TajMahal has the ability to identify running processes and associated plugins on an infected host.[258]
Tasklist can be used to discover processes running on a system.[259]
TeamTNT has searched for rival malware and removed it if found.[260] TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.[261]
ThiefQuest obtains a list of running processes using the function kill_unwanted.[262]
TrickBot uses module networkDll for process list discovery.[263][264]
Trojan.Karagany can use Tasklist to collect a list of running tasks.[26][265]
Tropic Trooper is capable of enumerating the running processes on the system using pslist.[266][267]
TSCookie has the ability to list processes on the infected host.[268]
Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[98] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[210]
UBoatRAT can list running processes on the system.[269]
Uroburos can use its Process List command to enumerate processes on compromised hosts.[270]
Ursnif has gathered information about running processes.[271][272]
USBferry can use tasklist to gather information about the processes running on the infected system.[267]
Valak has the ability to enumerate running processes on a compromised host.[273]
VERMIN can get a list of the processes and running tasks on the system.[274]
Volgmer can gather a list of processes.[275]
Volt Typhoon has enumerated running processes on targeted systems.[276][277]
WarzoneRAT can obtain a list of processes on a compromised host.[278]
Waterbear can identify the process for a specific security product.[279]
Windshift has used malware to enumerate active processes.[280]
WINERACK can enumerate processes.[204]
WinMM sets a WH_CBT Windows hook to collect information on process creation.[281]
Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.[282]
Winnti Group looked for a specific process running on infected servers.[283]
Woody RAT can call NtQuerySystemProcessInformation with SystemProcessInformation to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner.[284]
XAgentOSX contains the getProcessList function to run ps aux to get running processes.[285]
yty gets an output of running processes using the tasklist command.[286]
Zebrocy uses the tasklist and wmic process get Caption, ExecutablePath commands to gather the processes running on the system.[51][287][52][288][289]
Zeus Panda checks for running processes on the victim’s machine.[290]
Zox has the ability to list processes.[291]
ZxShell has a command, ps, to obtain a listing of processes on the system.[292]
ZxxZ has created a snapshot of running processes using CreateToolhelp32Snapshot.[293]