Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
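The Linux branch of the description above (walking /proc, which is the same data `ps` reads), as an added example written for this page; it is not ATT&CK's code nor that of any family in the table below. Everything in it is assumed for illustration: the `ProcInfo` record, the constructed `SAMPLE_PROCS` entries and the `build_fake_proc` helper that writes a /proc lookalike so the script also runs where /proc is absent or restricted. The `find_processes` search is the name check most procedure examples on this page perform (a security product, the string "sql", explorer.exe).

```python
"""Process discovery on Linux the way `ps` does it: walk /proc, read each
numeric directory's status and cmdline, then filter on names.  Added example
for this page; not ATT&CK's code and not any listed malware family's.
SAMPLE_PROCS and build_fake_proc() are constructed so the script runs offline."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    name: str      # comm from the "Name:" line (the kernel truncates it to 15 chars)
    uid: int       # real uid, the first of the four values on the "Uid:" line
    cmdline: str   # argv joined by spaces; empty for kernel threads


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def read_proc_entry(root: str, pid: int) -> Optional[ProcInfo]:
    base = os.path.join(root, str(pid))
    try:
        with open(os.path.join(base, "status"), encoding="utf-8", errors="replace") as fh:
            status = parse_status(fh.read())
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            raw = fh.read()          # NUL-separated argv
    except OSError:
        # The process exited between listdir() and open(), or /proc is mounted
        # with hidepid= and this uid may not read it: skip rather than abort.
        return None
    return ProcInfo(
        pid=pid,
        ppid=int(status.get("PPid", "0")),
        name=status.get("Name", ""),
        uid=int(status.get("Uid", "0").split()[0]),
        cmdline=raw.replace(b"\0", b" ").strip().decode("utf-8", "replace"),
    )


def enumerate_processes(root: str = "/proc") -> List[ProcInfo]:
    """Every /proc entry whose name is all digits is a process (thread-group leader)."""
    procs = []
    for entry in os.listdir(root):
        if entry.isdigit():
            info = read_proc_entry(root, int(entry))
            if info is not None:
                procs.append(info)
    return sorted(procs, key=lambda p: p.pid)


def find_processes(procs: List[ProcInfo], pattern: str) -> List[ProcInfo]:
    """Case-insensitive search over comm and cmdline: the 'is X running?' check."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in procs if rx.search(p.name) or rx.search(p.cmdline)]


# Constructed sample: (pid, ppid, comm, uid, argv).  pid 2 is a kernel thread.
SAMPLE_PROCS = [
    (1, 0, "systemd", 0, ["/sbin/init"]),
    (2, 0, "kthreadd", 0, []),
    (412, 1, "sshd", 0, ["/usr/sbin/sshd", "-D"]),
    (977, 1, "mysqld", 27, ["/usr/sbin/mysqld", "--basedir=/usr"]),
    (1304, 412, "bash", 1000, ["-bash"]),
]


def build_fake_proc(entries=SAMPLE_PROCS) -> str:
    """Write a /proc lookalike into a temp dir so the walk runs offline."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    for pid, ppid, name, uid, argv in entries:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w", encoding="utf-8") as fh:
            fh.write(f"Name:\t{name}\nState:\tS (sleeping)\nPid:\t{pid}\n"
                     f"PPid:\t{ppid}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"".join(a.encode() + b"\0" for a in argv))
    os.makedirs(os.path.join(root, "self"))   # non-numeric entries must be skipped
    return root


if __name__ == "__main__":
    root = "/proc" if os.path.isdir("/proc") else build_fake_proc()
    procs = enumerate_processes(root)
    for p in procs:
        print(f"{p.pid:>7} {p.ppid:>7} {p.uid:>5} {p.name:<16} {p.cmdline}")
    print("matches for 'sql':", [p.pid for p in find_processes(procs, "sql")])
```

Two things worth noticing when reading the output against real telemetry: nothing here spawns `ps`, so a detection that keys only on the `ps` or `tasklist` command line never sees it (the same blind spot CreateToolhelp32Snapshot and EnumProcesses create on Windows), and mounting /proc with `hidepid=2` makes other users' entries unreadable, which is why `read_proc_entry` treats a failed open as "not visible" rather than an error.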
ID | Name | Description |
---|---|---|
S0065 | 4H RAT | 4H RAT has the capability to obtain a listing of running processes (including loaded modules).[1] |
S0045 | ADVSTORESHELL | ADVSTORESHELL can list running processes.[2] |
S0331 | Agent Tesla | Agent Tesla can list the current running processes on the system.[3] |
G0138 | Andariel | Andariel has used |
S0622 | AppleSeed | AppleSeed can enumerate the current process on a compromised host.[5] |
G0006 | APT1 | APT1 gathered a list of running processes on the system using |
G0007 | APT28 | An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[7] |
G0016 | APT29 | APT29 has used multiple command-line utilities to enumerate running processes.[8][9][10] |
G0022 | APT3 | APT3 has a tool that can list out currently running processes.[11][12] |
G0067 | APT37 | APT37's Freenki malware lists running processes using the Microsoft Windows API.[13] |
G0082 | APT38 | APT38 leveraged Sysmon to understand the processes and services in the organization.[14] |
S0456 | Aria-body | Aria-body has the ability to enumerate loaded modules for a process.[15] |
S0373 | Astaroth | Astaroth searches for different processes on the system.[16] |
S0640 | Avaddon | Avaddon has collected information about running processes.[17] |
S0473 | Avenger | Avenger has the ability to use Tasklist to identify running processes.[18] |
S0344 | Azorult | Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot.[19][20] |
S0638 | Babuk | Babuk has the ability to check running processes on a targeted system.[21][22][23] |
S0414 | BabyShark | |
S0093 | Backdoor.Oldrea | Backdoor.Oldrea collects information about running processes.[25] |
S0031 | BACKSPACE | BACKSPACE may collect information about running processes.[26] |
S0606 | Bad Rabbit | Bad Rabbit can enumerate all running processes to compare hashes.[27] |
S0239 | Bankshot | Bankshot identifies processes and collects the process ids.[28] |
S0534 | Bazar | Bazar can identify the current process on a compromised host.[29] |
S0127 | BBSRAT | |
S0017 | BISCUIT | BISCUIT has a command to enumerate running processes and identify their owners.[31] |
S0268 | Bisonal | Bisonal can obtain a list of running processes on the victim’s machine.[32][33][34] |
S0069 | BLACKCOFFEE | BLACKCOFFEE has the capability to discover processes.[35] |
S0089 | BlackEnergy | BlackEnergy has gathered a process list by using Tasklist.exe.[36][37][38] |
S0657 | BLUELIGHT | BLUELIGHT can collect process filenames and SID authority level.[39] |
S0486 | Bonadan | Bonadan can use the |
S0252 | Brave Prince | Brave Prince lists the running processes.[41] |
S0482 | Bundlore | |
S0693 | CaddyWiper | CaddyWiper can obtain a list of current processes.[43] |
S0351 | Cannon | Cannon can obtain a list of processes running on the system.[44][45] |
S0030 | Carbanak | |
S0484 | Carberp | |
S0335 | Carbon | |
S0348 | Cardinal RAT | Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.[49] |
S0572 | Caterpillar WebShell | Caterpillar WebShell can gather a list of processes running on the machine.[50] |
S0674 | CharmPower | CharmPower has the ability to list running processes through the use of |
S0144 | ChChes | ChChes collects its process identifier (PID) on the victim.[52] |
G0114 | Chimera | |
S0660 | Clambling | |
S0611 | Clop | Clop can enumerate all processes on the victim's machine.[55] |
S0154 | Cobalt Strike | Cobalt Strike's Beacon payload can collect information on process details.[56][57][58] |
S0244 | Comnie | Comnie uses the |
S0575 | Conti | Conti can enumerate through all open processes to search for any that have the string "sql" in their process name.[60] |
S0115 | Crimson | |
S0625 | Cuba | Cuba can enumerate processes running on a victim's machine.[63] |
S0687 | Cyclops Blink | Cyclops Blink can enumerate the process it is currently running under.[64] |
S0497 | Dacls | |
S0334 | DarkComet | DarkComet can list active processes running on the victim’s machine.[66] |
G0012 | Darkhotel | Darkhotel malware can collect a list of running processes on a system.[67] |
G0009 | Deep Panda | Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[68] |
S0021 | Derusbi | |
S0659 | Diavol | Diavol has used |
S0600 | Doki | |
S0695 | Donut | Donut includes subprojects that enumerate and identify information about Process Injection candidates.[73] |
S0472 | down_new | down_new has the ability to list running processes on a compromised host.[18] |
S0694 | DRATzarus | DRATzarus can enumerate and examine running processes to determine if a debugger is present.[74] |
S0567 | Dtrack | |
S0038 | Duqu | The discovery modules used with Duqu can collect information on process details.[77] |
S0062 | DustySky | DustySky collects information about running processes from victims.[78][79] |
S0605 | EKANS | EKANS looks for processes from a hard-coded list.[80][81][82] |
S0081 | Elise | |
S0064 | ELMER | |
S0367 | Emotet | |
S0363 | Empire | Empire can find information about processes running on local and remote systems.[86] |
S0091 | Epic | Epic uses the |
S0396 | EvilBunny | EvilBunny has used EnumProcesses() to identify how many processes are running in the environment.[89] |
S0512 | FatDuke | |
S0267 | FELIXROOT | |
S0355 | Final1stspy | Final1stspy obtains a list of running processes.[92] |
S0182 | FinFisher | FinFisher checks its parent process for indications that it is running in a sandbox setup.[93][94] |
S0696 | Flagpro | Flagpro has been used to run the |
S0661 | FoggyWeb | FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's |
S0503 | FrameworkPOS | FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.[97] |
G0101 | Frankenstein | Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes.[98] |
S0277 | FruitFly | FruitFly has the ability to list processes on the system.[99] |
S0410 | Fysbis | Fysbis can collect information about running processes.[100] |
G0047 | Gamaredon Group | Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.[101][102] |
S0666 | Gelsemium | |
S0049 | GeminiDuke | GeminiDuke collects information on running processes and environment variables from the victim.[104] |
S0460 | Get2 | Get2 has the ability to identify running processes on an infected host.[105] |
S0032 | gh0st RAT | |
S0249 | Gold Dragon | Gold Dragon checks the running processes on the victim’s machine.[41] |
S0477 | Goopy | Goopy has checked for the Google Updater process to ensure Goopy was loaded properly.[107] |
S0531 | Grandoreiro | Grandoreiro can identify installed security tools based on process names.[108] |
S0237 | GravityRAT | GravityRAT lists the running processes on the system.[109] |
S0151 | HALFBAKED | HALFBAKED can obtain information about running processes on the victim.[110] |
S0617 | HELLOKITTY | HELLOKITTY can search for specific processes to terminate.[111] |
S0170 | Helminth | Helminth has used Tasklist to get information on processes.[7] |
G0126 | Higaisa | Higaisa’s shellcode attempted to find the process ID of the current process.[112] |
G0072 | Honeybee | Honeybee gathers a list of processes using the |
S0431 | HotCroissant | HotCroissant has the ability to list running processes on the infected host.[114] |
S0203 | Hydraq | Hydraq creates a backdoor through which remote attackers can monitor processes.[115][116] |
S0278 | iKitten | |
S0434 | Imminent Monitor | Imminent Monitor has a "Process Watcher" feature to monitor processes in case the client ever crashes or gets closed.[117] |
G0100 | Inception | Inception has used a reconnaissance module to identify active processes and other associated loaded modules.[118] |
S0260 | InvisiMole | InvisiMole can obtain a list of running processes.[119][120] |
S0581 | IronNetInjector | IronNetInjector can identify processes via C# methods such as |
S0015 | Ixeshe | |
S0528 | Javali | Javali can monitor processes for open browsers and custom banking applications.[123] |
S0044 | JHUHUGIT | JHUHUGIT obtains a list of running processes on the victim.[124][125] |
S0201 | JPIN | |
S0283 | jRAT | |
S0088 | Kasidet | Kasidet has the ability to search for a given process name in processes currently running in the system.[128] |
S0265 | Kazuar | Kazuar obtains a list of running processes through WMI querying and the |
G0004 | Ke3chang | Ke3chang performs process discovery using |
S0271 | KEYMARBLE | KEYMARBLE can obtain a list of running processes on the system.[132] |
S0607 | KillDisk | |
G0094 | Kimsuky | Kimsuky can gather a list of all processes running on a victim's machine.[134] |
S0599 | Kinsing | |
S0162 | Komplex | The OsInfo function in Komplex collects a running process list.[136] |
S0356 | KONNI | KONNI has used the command |
S0236 | Kwampirs | Kwampirs collects a list of running services with the command |
G0032 | Lazarus Group | Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[140][141][142][143][65][144] |
S0211 | Linfo | Linfo creates a backdoor through which remote attackers can retrieve a list of running processes.[145] |
S0681 | Lizar | Lizar has a plugin designed to obtain a list of processes.[146][147] |
S0582 | LookBack | |
S0451 | LoudMiner | LoudMiner used the |
S0532 | Lucifer | Lucifer can identify the process that owns remote connections.[150] |
S0409 | Machete | Machete has a component to check for running processes to look for web browsers.[151] |
G0059 | Magic Hound | Magic Hound malware can list running processes.[152] |
S0652 | MarkiRAT | MarkiRAT can search for different processes on a system.[153] |
S0449 | Maze | |
S0455 | Metamorfo | Metamorfo has performed process name checks and has monitored applications.[155] |
S0688 | Meteor | Meteor can check if a specific process is running, such as Kaspersky's |
S0079 | MobileOrder | MobileOrder has a command to upload information about all running processes to its C2 server.[157] |
G0021 | Molerats | Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[78] |
S0149 | MoonWind | MoonWind has a command to return a list of running processes.[158] |
S0256 | Mosquito | |
G0069 | MuddyWater | MuddyWater has used malware to obtain a list of running processes on the system.[160][161] |
G0129 | Mustang Panda | Mustang Panda has used |
S0247 | NavRAT | |
S0630 | Nebulae | |
S0034 | NETEAGLE | |
S0198 | NETWIRE | |
S0385 | njRAT | njRAT can search a list of running processes for Tr.exe.[166] |
S0644 | ObliqueRAT | ObliqueRAT can check for blocklisted process names on a compromised host.[167] |
S0346 | OceanSalt | OceanSalt can collect the name and ID for every process running on the system.[168] |
G0049 | OilRig | |
G0116 | Operation Wocao | Operation Wocao has collected a list of running processes on the infected system.[170] |
S0229 | Orz | |
S0626 | P8RAT | P8RAT can check for specific processes associated with virtual environments.[172] |
S0664 | Pandora | |
S0208 | Pasam | Pasam creates a backdoor through which remote attackers can retrieve lists of running processes.[174] |
S0517 | Pillowmint | Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later.[175] |
S0501 | PipeMon | PipeMon can iterate over the running processes to find a suitable injection target.[176] |
S0254 | PLAINTEE | PLAINTEE performs the |
S0435 | PLEAD | PLEAD has the ability to list processes on the compromised host.[178] |
S0013 | PlugX | PlugX has a module to list the processes running on a machine.[179] |
S0428 | PoetRAT | |
S0216 | POORAIM | |
G0033 | Poseidon Group | After compromising a victim, Poseidon Group lists all running processes.[182] |
S0139 | PowerDuke | PowerDuke has a command to list the victim's processes.[183] |
S0441 | PowerShower | PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes.[184] |
S0194 | PowerSploit | PowerSploit's |
S0393 | PowerStallion | PowerStallion has been used to monitor process lists.[187] |
S0223 | POWERSTATS | POWERSTATS has used |
S0184 | POWRUNER | POWRUNER may collect process information by running |
S0238 | Proxysvc | |
S0192 | Pupy | Pupy can list the running processes and get the process ID and parent process’s ID.[190] |
S0650 | QakBot | |
S0629 | RainyDay | |
S0458 | Ramsay | Ramsay can gather a list of running processes by using Tasklist.[192] |
S0241 | RATANKBA | |
S0662 | RCSession | |
S0125 | Remsec | |
S0448 | Rising Sun | Rising Sun can enumerate all running processes and process information on an infected machine.[197] |
G0106 | Rocke | Rocke can detect a running process's PID on the infected machine.[198] |
S0270 | RogueRobin | RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[199] |
S0240 | ROKRAT | ROKRAT can list the current running processes on the system.[200][201] |
S0148 | RTM | RTM can obtain information about process integrity levels.[202] |
S0446 | Ryuk | Ryuk has called |
S0345 | Seasalt | |
S0596 | ShadowPad | ShadowPad has collected the PID of a malicious process.[204] |
S0445 | ShimRatReporter | ShimRatReporter listed all running processes on the machine.[205] |
S0063 | SHOTPUT | |
G0121 | Sidewinder | Sidewinder has used tools to identify running processes on the victim's machine.[207] |
S0692 | SILENTTRINITY | SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[208] |
S0468 | Skidmap | Skidmap has monitored critical processes to ensure resiliency.[209] |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.[210] |
S0273 | Socksbot | |
S0627 | SodaMaster | SodaMaster can search a list of running processes.[172] |
S0615 | SombRAT | SombRAT can use the |
S0516 | SoreFang | SoreFang can enumerate processes on a victim machine through use of Tasklist.[214] |
G0038 | Stealth Falcon | Stealth Falcon malware gathers a list of running processes.[215] |
S0142 | StreamEx | |
S0491 | StrongPity | StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.[217] |
S0559 | SUNBURST | SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[218] |
S0562 | SUNSPOT | SUNSPOT monitored running processes for instances of |
S0018 | Sykipot | Sykipot may gather a list of running processes by running |
S0242 | SynAck | |
S0464 | SYSCON | SYSCON has the ability to use Tasklist to list running processes.[223] |
S0011 | Taidoor | Taidoor can use |
S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE can execute |
S0467 | TajMahal | TajMahal has the ability to identify running processes and associated plugins on an infected host.[226] |
S0057 | Tasklist | Tasklist can be used to discover processes running on a system.[227] |
G0139 | TeamTNT | TeamTNT searches for rival malware and removes it if found.[228] |
S0595 | ThiefQuest | ThiefQuest obtains a list of running processes using the function |
S0266 | TrickBot | TrickBot uses module networkDll for process list discovery.[230][231] |
S0094 | Trojan.Karagany | Trojan.Karagany can use Tasklist to collect a list of running tasks.[25][232] |
G0081 | Tropic Trooper | Tropic Trooper is capable of enumerating the running processes on the system using |
S0436 | TSCookie | TSCookie has the ability to list processes on the infected host.[235] |
G0010 | Turla | Turla surveys a system upon check-in to discover running processes using the |
S0333 | UBoatRAT | |
S0386 | Ursnif | Ursnif has gathered information about running processes.[237][238] |
S0452 | USBferry | USBferry can use |
S0476 | Valak | Valak has the ability to enumerate running processes on a compromised host.[239] |
S0257 | VERMIN | VERMIN can get a list of the processes and running tasks on the system.[240] |
S0180 | Volgmer | |
S0670 | WarzoneRAT | WarzoneRAT can obtain a list of processes on a compromised host.[242] |
S0579 | Waterbear | Waterbear can identify the process for a specific security product.[243] |
G0112 | Windshift | Windshift has used malware to enumerate active processes.[244] |
S0219 | WINERACK | |
S0059 | WinMM | WinMM sets a WH_CBT Windows hook to collect information on process creation.[245] |
S0141 | Winnti for Windows | Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.[246] |
G0044 | Winnti Group | Winnti Group looked for a specific process running on infected servers.[247] |
S0161 | XAgentOSX | XAgentOSX contains the getProcessList function to run |
S0248 | yty | yty gets an output of running processes using the |
S0251 | Zebrocy | Zebrocy uses the |
S0330 | Zeus Panda | Zeus Panda checks for running processes on the victim’s machine.[253] |
S0672 | Zox | |
S0412 | ZxShell | ZxShell has a command, ps, to obtain a listing of processes on the system.[255] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
DS0009 | Process | Process Creation |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
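A detection pass over the Command Execution and Process Creation data components listed above, as an added example for this page rather than an ATT&CK analytic or any vendor's rule. The event shape (Sysmon Event ID 1-style fields `Image`, `CommandLine`, `ParentImage`, `User`, `Computer`, `UtcTime`), the rule names, the `SAMPLE_EVENTS` telemetry and the three-commands-in-sixty-seconds burst threshold are all constructed assumptions. Besides flagging each discovery command, it implements the "chain of behavior" point above in a small way: several discovery commands from one host and user inside a short window are raised as a second, higher-confidence alert, since that cadence is what scripted discovery looks like.

```python
"""Process-discovery detection over constructed process-creation events
(Sysmon Event ID 1 style dicts).  Added example for this page; not an ATT&CK
analytic or any vendor's rule.  Field names, rule names, SAMPLE_EVENTS and
the burst threshold are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# (rule name, regex on the image basename, regex on the command line or None).
RULES = [
    ("tasklist",           r"^tasklist\.exe$",           None),
    ("wmic_process",       r"^wmic\.exe$",               r"\bprocess\b"),
    ("powershell_getproc", r"^(powershell|pwsh)\.exe$",  r"\b(get-process|gps)\b|Diagnostics\.Process\]?::GetProcess"),
    ("ps",                 r"^ps$",                      None),
    ("proc_walk",          r"^(cat|ls|find|grep)$",      r"/proc/(\d+|\*|\[)"),   # /proc/<pid>, /proc/*, /proc/[0-9]*
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I) if cmd else None)
            for name, img, cmd in RULES]


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Names of every rule the event satisfies (image and, if given, command line)."""
    image = basename(ev["Image"])
    return [name for name, img_rx, cmd_rx in COMPILED
            if img_rx.search(image) and (cmd_rx is None or cmd_rx.search(ev["CommandLine"]))]


def detect(events: List[Dict[str, str]], window_s: int = 60, burst: int = 3) -> List[dict]:
    """One alert per discovery command, plus a burst alert the moment `burst`
    discovery commands from the same host/user fall inside `window_s` seconds."""
    alerts: List[dict] = []
    recent: Dict[tuple, List[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        names = match_rules(ev)
        if not names:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        key = (ev["Computer"], ev["User"])
        alerts.append({"kind": "process_discovery", "rules": names, "host": ev["Computer"],
                       "user": ev["User"], "parent": basename(ev["ParentImage"]),
                       "cmd": ev["CommandLine"], "time": ev["UtcTime"]})
        # Sliding window of discovery hits for this host/user; fire once on crossing.
        window = [t for t in recent[key] if ts - t <= timedelta(seconds=window_s)] + [ts]
        recent[key] = window
        if len(window) == burst:
            alerts.append({"kind": "automated_discovery_burst", "host": ev["Computer"],
                           "user": ev["User"], "count": burst, "window_s": window_s,
                           "first": window[0].isoformat(), "last": ev["UtcTime"]})
    return alerts


def _ev(t, host, user, parent, image, cmd):
    return {"UtcTime": t, "Computer": host, "User": user,
            "ParentImage": parent, "Image": image, "CommandLine": cmd}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [   # constructed, not real telemetry
    _ev("2024-03-05T10:00:01", "WS01", r"CORP\alice", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    _ev("2024-03-05T10:00:05", "WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    _ev("2024-03-05T10:00:09", "WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\wbem\WMIC.exe", "wmic process get name,processid,commandline"),
    _ev("2024-03-05T10:00:14", "WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe",
        PS, 'powershell.exe -nop -c "Get-Process | Select-Object Name,Id"'),
    _ev("2024-03-05T10:05:00", "WS01", r"CORP\alice", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    _ev("2024-03-05T10:07:00", "SRV02", "root", "/bin/bash", "/usr/bin/ps", "ps aux"),
    _ev("2024-03-05T10:07:30", "SRV02", "root", "/bin/bash", "/usr/bin/cat", "cat /proc/977/cmdline"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats follow directly from the paragraph above. First, this only covers the Command Execution component: a tool that calls CreateToolhelp32Snapshot, EnumProcesses or WMI in-process never produces a command line, so OS API Execution needs ETW or EDR telemetry rather than Sysmon Event ID 1. Second, administrators run `tasklist` and `Get-Process` too, so the single-command alerts are context for an analyst, and the `parent` field is there to tune on (a discovery command whose parent is an Office application, a browser or a web server worker is far less ambiguous than one spawned from an interactive admin console).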