EXPLORE
Sign In
← Back to Explore
T1057

Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infe...

ESXiLinuxmacOSNetwork DevicesWindows
18
Detections
3
Sources
40
Threat Actors

BY SOURCE

12elastic5sigma1splunk_escu

PROCEDURES (16)

Child Process2 detections

Auto-extracted: 2 detections for child process

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Dump1 detections

Auto-extracted: 1 detections for dump

Privilege1 detections

Auto-extracted: 1 detections for privilege

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Inject1 detections

Auto-extracted: 1 detections for inject

Dump1 detections

Auto-extracted: 1 detections for dump

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Wmi1 detections

Auto-extracted: 1 detections for wmi

Wmi1 detections

Auto-extracted: 1 detections for wmi

THREAT ACTORS (40)

AndarielAPT1APT28APT3APT37APT38APT5ChimeraDarkhotelDeep PandaEarth LuscaFIN7Gamaredon GroupHAFNIUMHEXANEHigaisaInceptionKe3changKimsukyLazarus GroupMagic HoundMedusa GroupMoleratsMuddyWaterMustang PandaOilRigPlayPoseidon GroupRockeSidewinderStealth FalconStorm-0501TeamTNTToddyCatTropic TrooperTurlaUNC3886Volt TyphoonWindshiftWinnti Group

DETECTIONS (18)

Cisco Discovery
sigmalow
Enumeration Command Spawned via WMIPrvSE
elasticlow
HackTool - PCHunter Execution
sigmahigh
Potential Linux Credential Dumping via Proc Filesystem
elastichigh
Potential Linux Hack Tool Launched
elasticmedium
Process Capability Enumeration
elasticmedium
Recon Command Output Piped To Findstr.EXE
sigmamedium
Suspicious /proc/maps Discovery
elastichigh
Suspicious Dynamic Linker Discovery via od
elastichigh
Suspicious JetBrains TeamCity Child Process
elasticmedium
Suspicious Memory grep Activity
elastichigh
Suspicious MS Office Child Process
elasticmedium
Suspicious PDF Reader Child Process
elasticlow
Suspicious Process Discovery With Get-Process
sigmalow
Suspicious System Commands Executed by Previously Unknown Executable
elasticlow
System Info Discovery via Sysinfo Syscall
sigmalow
Unusual Linux Process Discovery Activity
elasticlow
Windows Process Commandline Discovery
splunk_escu