IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Process Discovery via Tasklistedit
Adversaries may attempt to get information about running processes on a system.
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Potential false positivesedit
Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it’s possible adversaries may use discovery commands like tasklist to get information about running processes.
Rule queryedit
event.code:1 and process.name:tasklist.exe
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Process Discovery
- ID: T1057
- Reference URL: https://attack.mitre.org/techniques/T1057/