# T1057 Process Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### System Requirements:

  * Administrator, SYSTEM may provide better process ownership details

### Data Sources:

  * **Process:** OS API Execution

  * **Command:** Command Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) searches for rival malware and removes them if found.(Citation: Trend Micro TeamTNT)| 
| Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has used <code>tasklist</code> to enumerate processes and find a specific string.(Citation: Kaspersky Andariel Ransomware June 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used <code>tasklist /v</code> to determine active process information.(Citation: Avira Mustang Panda January 2020)	| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126)’s shellcode attempted to find the process ID of the current process.(Citation: Zscaler Higaisa 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to identify running processes on the victim's machine.(Citation: ATT Sidewinder January 2021)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used multiple command-line utilities to enumerate running processes.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has collected a list of running processes on the infected system.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>tasklist</code> to enumerate processes.(Citation: NCC Group Chimera January 2021)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to enumerate active processes.(Citation: BlackBerry Bahamut)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) can detect a running process's PID on the infected machine.(Citation: Anomali Rocke March 2019)	| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, looking to obtain a list of all currently running processes.(Citation: Talos Frankenstein June 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has used a reconnaissance module to identify active processes and other associated loaded modules.(Citation: Symantec Inception Framework March 2018)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) can gather a list of all processes running on a victim's machine.(Citation: Talos Kimsuky Nov 2021)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) leveraged Sysmon to understand the processes and services in the organization.(Citation: FireEye APT38 Oct 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) is capable of enumerating the running processes on the system using <code>pslist</code>.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) gathers a list of processes using the <code>tasklist</code> command, which is then sent back to the control server.(Citation: McAfee Honeybee)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to obtain a list of running processes on the system.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067)'s Freenki malware lists running processes using the Microsoft Windows API.(Citation: Talos Group123)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware can list running processes.(Citation: Unit 42 Magic Hound Feb 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>tasklist</code> on a victim's machine.(Citation: Palo Alto OilRig May 2016)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used tools to enumerate processes on target hosts including Process Explorer.(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022)| 
| Winnti Group | [Winnti Group](https://attack.mitre.org/groups/G0044) looked for a specific process running on infected servers.(Citation: Kaspersky Winnti April 2013)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers a list of running processes.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Poseidon Group | After compromising a victim, [Poseidon Group](https://attack.mitre.org/groups/G0033) lists all running processes.(Citation: Kaspersky Poseidon Group)| 
| Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can list out currently running processes.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) actors obtained a list of active processes on the victim and sent them to C2 servers.(Citation: DustySky)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used multiple command-line utilities to enumerate running processes.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) malware can collect a list of running processes on a system.(Citation: Securelist Darkhotel Aug 2015)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover running processes using the <code>tasklist /v</code> command.(Citation: Kaspersky Turla) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also enumerated processes associated with specific open ports or named pipes.(Citation: ESET Turla PowerShell May 2019)| 
| Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) uses the Microsoft [Tasklist](https://attack.mitre.org/software/S0057) utility to list processes running on systems.(Citation: Alperovitch 2014)| 
| APT28 | An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.(Citation: Unit 42 Playbook Dec 2017)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) gathered a list of running processes on the system using <code>tasklist /v</code>.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs process discovery using <code>tasklist</code> commands.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1057)

  * [Capec](https://capec.mitre.org/data/definitions/573.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may enumerate processes on hosts for multiple reasons (surveying, privilege escalation, etc.)

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

#### Turla
- will survey systems upon check-in to discover running processes using the tasklist /v command.
- may also enumerate processes associated with specific open ports or named pipes by using their RPC backdoors.

#### APT28 
- loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.


## Analytical References

  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [Playbook Viewer (pan-unit42.github.io)](https://pan-unit42.github.io/playbook_viewer/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- The use of "tasklist" is not inherently bad, and these events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.
- Monitor processes and command-line arguments for actions that could be taken to gather system information related to services.

#### Analytic 1

  * **Information:** Identify use of "tasklist /v" command from client after "check-in"

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:**  Deconflict legitimate admin activity

  * **Query:** ```Event_ID:1 AND commandline: *tasklist*```

#### Analytic 2

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** "Event_ID:1 AND commandline:" can be replaced with "Event_ID:4688 AND process.command.line:" if Sysmon is unavailable. The use of the command lines below is not inherently bad, and these events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

  * **Query:** ```Event_ID:1 AND commandline:"*tasklist*"```
  * **Query:** ```Event_ID:1 AND commandline:"*get-process*"```
  * **Query:** ```Event_ID:1 AND commandline:"*gps*"```
  * **Query:** ```Event_ID:1 AND commandline:"*ps*"```
  * **Query:** ```Event_ID:1 AND commandline:"*wmic process*"```
  * **Query:** ```Event_ID:1 AND commandline:"*netstat*"```
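The two analytics above, worked as an added Python example (not part of this playbook or of Kibana/Sysmon): it runs the Analytic 2 command-line matches and the Analytic 1 "tasklist /v after check-in" chain over a few constructed Sysmon and Security events. The `Event_ID`, `commandline` and `process.command.line` field names come from the queries above; `UtcTime`, `ProcessGuid` and `ParentProcessGuid` are the Sysmon field names assumed for the event records, and the events, GUIDs and IP address are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Patterns mirroring the Analytic 2 Kibana queries. Word boundaries replace the
# page's "*ps*"/"*gps*" wildcards so that "Apps" or "snapshot" in a path do not
# fire, while a bare "ps" token (e.g. "ps aux", "ps.exe") still does.
DISCOVERY_PATTERNS = {
    "tasklist":     re.compile(r"\btasklist\b", re.I),
    "get-process":  re.compile(r"\bget-process\b", re.I),
    "gps":          re.compile(r"\bgps\b", re.I),
    "ps":           re.compile(r"(?<![\w-])ps(?![\w-])", re.I),
    "wmic process": re.compile(r"\bwmic\b.*\bprocess\b", re.I),
    "netstat":      re.compile(r"\bnetstat\b", re.I),
}

# Constructed sample events (not real telemetry). Event_ID, commandline and
# process.command.line follow the playbook queries; UtcTime, ProcessGuid and
# ParentProcessGuid are the Sysmon field names assumed here.
SAMPLE_EVENTS = [
    # Sysmon EID 3: an unknown binary makes an outbound connection (the "check-in")
    {"Event_ID": 3, "UtcTime": "2022-06-23 10:00:00", "ProcessGuid": "{guid-implant}",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "DestinationIp": "203.0.113.10"},
    # Sysmon EID 1: that process spawns "tasklist /v" 40 seconds later
    {"Event_ID": 1, "UtcTime": "2022-06-23 10:00:40", "ProcessGuid": "{guid-1}",
     "ParentProcessGuid": "{guid-implant}", "commandline": "tasklist /v"},
    # Sysmon EID 1: an admin's interactive cmd.exe runs tasklist (no prior check-in)
    {"Event_ID": 1, "UtcTime": "2022-06-23 10:05:00", "ProcessGuid": "{guid-2}",
     "ParentProcessGuid": "{guid-cmd}", "commandline": "tasklist /svc"},
    # Security 4688 record, as used when Sysmon is unavailable
    {"Event_ID": 4688, "UtcTime": "2022-06-23 10:06:00",
     "process.command.line": "powershell.exe -c Get-Process | Out-File procs.txt"},
    # Benign path that the literal "*ps*" wildcard would have matched
    {"Event_ID": 1, "UtcTime": "2022-06-23 10:07:00", "ProcessGuid": "{guid-3}",
     "ParentProcessGuid": "{guid-explorer}",
     "commandline": "C:\\Program Files\\Apps\\snapshot.exe --sync"},
    # Sysmon EID 1: WMI-based enumeration
    {"Event_ID": 1, "UtcTime": "2022-06-23 10:08:00", "ProcessGuid": "{guid-4}",
     "ParentProcessGuid": "{guid-cmd}", "commandline": "wmic process list full"},
    # Sysmon EID 1: same implant, but 30 minutes after its check-in (outside window)
    {"Event_ID": 1, "UtcTime": "2022-06-23 10:30:00", "ProcessGuid": "{guid-5}",
     "ParentProcessGuid": "{guid-implant}", "commandline": "tasklist /v /fo csv"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def command_line(event):
    """Return the command line whether the record is Sysmon EID 1 (commandline)
    or Security 4688 (process.command.line), as the Analytic 2 note describes."""
    if event.get("Event_ID") == 1:
        return event.get("commandline", "")
    if event.get("Event_ID") == 4688:
        return event.get("process.command.line", "")
    return ""


def classify(cmdline):
    """Names of the Analytic 2 patterns that fire on one command line."""
    return [name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)]


def find_discovery(events):
    """Analytic 2: every process-creation event whose command line matches."""
    hits = []
    for ev in events:
        matches = classify(command_line(ev))
        if matches:
            hits.append((ev["UtcTime"], ev["Event_ID"], matches))
    return hits


def tasklist_after_checkin(events, window=timedelta(minutes=5)):
    """Analytic 1: 'tasklist /v' spawned by a process that made an outbound
    connection (Sysmon EID 3, the "check-in") no more than `window` earlier.
    Parent and child are linked via Sysmon ProcessGuid/ParentProcessGuid."""
    checkins = {}  # ProcessGuid -> time of that process's first outbound connection
    for ev in events:
        if ev.get("Event_ID") == 3:
            checkins.setdefault(ev["ProcessGuid"], datetime.strptime(ev["UtcTime"], TIME_FMT))
    alerts = []
    for ev in events:
        if ev.get("Event_ID") != 1:
            continue
        cmd = ev.get("commandline", "")
        if not re.search(r"\btasklist\b\s+/v\b", cmd, re.I):
            continue
        t_checkin = checkins.get(ev.get("ParentProcessGuid"))
        if t_checkin is None:
            continue
        t_exec = datetime.strptime(ev["UtcTime"], TIME_FMT)
        if timedelta(0) <= t_exec - t_checkin <= window:
            alerts.append((ev["ParentProcessGuid"], cmd, ev["UtcTime"]))
    return alerts


if __name__ == "__main__":
    for hit in find_discovery(SAMPLE_EVENTS):
        print("discovery:", hit)
    for alert in tasklist_after_checkin(SAMPLE_EVENTS):
        print("tasklist /v after check-in:", alert)
```

Run as-is, the Analytic 2 pass flags five of the seven events and skips the `snapshot.exe` path that the page's literal `*ps*` wildcard would have matched; the Analytic 1 pass raises one alert, for the `tasklist /v` launched 40 seconds after its parent's connection, and ignores the same parent's survey 30 minutes later because it falls outside the five-minute window. That window is the hunter's tuning knob: widen it when the adversary is expected to be slow and patient, and deconflict what remains against known admin activity as the notes above direct.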



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Network traffic related to this technique will only exist if processes are being enumerated remotely, for example via RPC commands. Determine the related RPC commands and add them to the playbook for future use.

