T1057 | Discovery | Easy difficulty

Process Discovery

Process Discovery (T1057) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.


What is Process Discovery?

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully invests in a compromise. Enumerating running processes helps attackers understand what security tools are installed and running, identify application servers and databases as lateral movement targets, and find processes to inject into for defense evasion. On Windows, tasklist.exe and the Get-Process PowerShell cmdlet are commonly used, while ps and /proc filesystem enumeration are used on Linux. Attackers who are wary of security tooling use process discovery to identify and selectively terminate security tools before performing sensitive operations, and to learn which processes are high-value injection targets for defense evasion.

Process Discovery is documented as technique T1057 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Process Discovery activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for execution of process enumeration commands including tasklist.exe, wmic process list, and Get-Process from non-administrative accounts or from processes that do not normally perform process enumeration.

2. Alert on process enumeration followed immediately by process termination targeting security tools, as attackers typically enumerate processes to identify security software before attempting to disable or terminate it.

3. Detect automated process enumeration tools that query the Windows process list or Linux procfs at high frequency, which is a signature of post-exploitation framework functionality performing environment reconnaissance.

4. Monitor for cross-process queries using OpenProcess with PROCESS_QUERY_INFORMATION access rights against many processes in rapid succession, as this is the API-based equivalent of running tasklist and provides more detailed process information.

5. Track process enumeration events on sensitive systems including domain controllers and database servers, as attackers targeting these systems perform process discovery to understand running services before attempting exploitation or disruption.

Example Alerts

These realistic alert examples show what Process Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: XDR

Security Tool Discovery Preceding Defense Evasion

Tasklist.exe executed and output filtered for security product process names including defender, edr, sentinel, crowdstrike, and carbon. Immediately following this discovery step, sc.exe stop and taskkill commands targeted the identified security processes. This deliberate enumeration before targeted termination of security tools is a characteristic pre-execution step in ransomware and sophisticated APT operations.

Severity: Medium | Source: SIEM

Automated Process Enumeration on Domain Controller

WMIC process list brief command executed on domain controller DC-SECONDARY from a remote workstation via WMI. The executing account is a standard domain user account with no administrative access to domain controllers. Remote process enumeration of a domain controller without authorization is a significant reconnaissance event that provides attackers with information about security tools and services running on the most sensitive server in the environment.

Severity: Medium | Source: XDR

Process List Exported and Staged for Exfiltration

Command sequence detected: tasklist /v > C:\Users\Public\sysinfo.txt followed by systeminfo >> C:\Users\Public\sysinfo.txt and the resulting file appended to a collection archive. Exporting detailed process and system information to a staging file for exfiltration indicates a methodical attacker performing comprehensive environment reconnaissance to plan subsequent attack phases against specifically identified software and service versions.
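Detection strategies 1 to 3 above, and the enumerate-then-terminate sequence from the first example alert, can be expressed as a small rule set run over process-creation events. The block below is an added example, not SOCSimulator's own code; it uses constructed sample events with assumed Sysmon-style field names, and the time windows and burst threshold are assumed tuning values.

```python
from collections import defaultdict, deque

SECURITY_NAMES = ("defender", "edr", "sentinel", "crowdstrike", "carbon")  # from this page's example alert

def _parts(ev):  # (image basename, lowercase command line)
    return ev["image"].lower().rsplit("\\", 1)[-1], ev["cmdline"].lower()

def is_enumeration(ev):  # strategy 1: tasklist.exe, 'wmic process ...', Get-Process
    image, cmd = _parts(ev)
    return (image == "tasklist.exe" or (image == "wmic.exe" and "process" in cmd)
            or (image in ("powershell.exe", "pwsh.exe") and "get-process" in cmd))

def is_security_tool_kill(ev):  # taskkill or 'sc stop' whose command line names a security product
    image, cmd = _parts(ev)
    if image == "taskkill.exe" or (image == "sc.exe" and " stop" in cmd):
        return any(name in cmd for name in SECURITY_NAMES)
    return False

def detect(events, kill_window=120, burst_window=60, burst_count=5):
    """Return (rule, host, user, ts) tuples. Windows are seconds; thresholds are assumed values."""
    alerts, last_enum, enum_times = [], {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if is_enumeration(ev):
            if not ev["admin"]:                      # strategy 1: non-administrative account
                alerts.append(("enum_non_admin", host, ev["user"], ts))
            last_enum[host] = ts
            q = enum_times[host]                     # strategy 3: sliding window per host
            q.append(ts)
            while ts - q[0] > burst_window:
                q.popleft()
            if len(q) == burst_count:                # fire once as the threshold is crossed
                alerts.append(("enum_burst", host, ev["user"], ts))
        elif (is_security_tool_kill(ev) and host in last_enum
              and ts - last_enum[host] <= kill_window):   # strategy 2: enumerate, then kill
            alerts.append(("enum_then_kill", host, ev["user"], ts))
    return alerts

def ev(ts, host, user, admin, image, cmdline):
    return {"ts": ts, "host": host, "user": user, "admin": admin, "image": image, "cmdline": cmdline}
# Constructed sample of process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ev(0, "WS01", "corp\\jdoe", False, SYS32 + r"\tasklist.exe", "tasklist /v"),
    ev(9, "WS01", "corp\\jdoe", False, SYS32 + r"\taskkill.exe", "taskkill /F /IM SentinelAgent.exe"),
    ev(300, "DC-SECONDARY", "corp\\asmith", False, SYS32 + r"\wbem\WMIC.exe", "wmic process list brief"),
    *[ev(500 + 10 * i, "WS02", "corp\\itadmin", True, SYS32 + r"\tasklist.exe", "tasklist") for i in range(5)],
    ev(700, "WS03", "corp\\itadmin", True, SYS32 + r"\tasklist.exe", "tasklist /svc"),  # benign: no alert
]
```

Running detect(SAMPLE_EVENTS) yields one non-admin alert and one enumerate-then-kill alert for WS01, a non-admin alert for the domain controller, and a burst alert for WS02; the single administrative tasklist on WS03 produces nothing.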

Practice Detecting Process Discovery

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Process Discovery. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Process Discovery?
SOC analysts detect Process Discovery (T1057) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for execution of process enumeration commands including tasklist.exe, wmic process list, and Get-Process from non-administrative accounts or from processes that do not normally perform process enumeration. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Process Discovery?
Process Discovery can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the discovery phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Process Discovery in real-world attacks?
Process Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Process Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Process Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like Process Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.