EXPLORE
Sign In
← Back to Explore
T1057

Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infe...

ESXiLinuxmacOSNetwork DevicesWindows
20
Detections
3
Sources
41
Threat Actors

BY SOURCE

12elastic7sigma1splunk_escu

PROCEDURES (16)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Child Process2 detections

Auto-extracted: 2 detections for child process

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Dump1 detections

Auto-extracted: 1 detections for dump

Privilege1 detections

Auto-extracted: 1 detections for privilege

Inject1 detections

Auto-extracted: 1 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Wmi1 detections

Auto-extracted: 1 detections for wmi

Dump1 detections

Auto-extracted: 1 detections for dump

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (41)

AndarielAPT1APT28APT3APT37APT38APT5ChimeraDarkhotelDeep PandaEarth LuscaFIN7Gamaredon GroupHAFNIUMHEXANEHigaisaInceptionKe3changKimsukyLazarus GroupMagic HoundMedusa GroupMirrorFaceMoleratsMuddyWaterMustang PandaOilRigPlayPoseidon GroupRockeSidewinderStealth FalconStorm-0501TeamTNTToddyCatTropic TrooperTurlaUNC3886Volt TyphoonWindshiftWinnti Group

DETECTIONS (20)

Cisco Discovery
sigmalow
Enumeration Command Spawned via WMIPrvSE
elasticlow
HackTool - PCHunter Execution
sigmahigh
Potential Linux Credential Dumping via Proc Filesystem
elastichigh
Potential Linux Hack Tool Launched
elasticmedium
Process Capability Enumeration
elasticmedium
Process Discovery
sigmalow
Recon Command Output Piped To Findstr.EXE
sigmamedium
Suspicious /proc/maps Discovery
elastichigh
Suspicious Dynamic Linker Discovery via od
elastichigh
Suspicious JetBrains TeamCity Child Process
elasticmedium
Suspicious Memory grep Activity
elastichigh
Suspicious MS Office Child Process
elasticmedium
Suspicious PDF Reader Child Process
elasticlow
Suspicious Process Discovery With Get-Process
sigmalow
Suspicious System Commands Executed by Previously Unknown Executable
elasticlow
Suspicious Tasklist Discovery Command
sigmainformational
System Info Discovery via Sysinfo Syscall
sigmalow
Unusual Linux Process Discovery Activity
elasticlow
Windows Process Commandline Discovery
splunk_escu