Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) orGet-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such asCreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with theps
command. Adversaries may also opt to enumerate processes via `/proc`. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
Utilize ps to identify processes.
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
Supported Platforms: Linux, macOS
auto_generated_guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | path of output file | path | /tmp/loot.txt|
1
sh
!1
2
ps >> #{output_file}
ps aux >> #{output_file}
1
rm #{output_file}
Utilize tasklist to identify processes.
Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
Supported Platforms: Windows
auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908
1
command_prompt
!tasklist
Utilize Get-Process PowerShell cmdlet to identify processes.
Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
Supported Platforms: Windows
auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
1
powershell
!1
Get-Process
Utilize get-wmiObject PowerShell cmdlet to identify processes.
Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
Supported Platforms: Windows
auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
1
powershell
!1
get-wmiObject -class Win32_Process
Utilize windows management instrumentation to identify processes.
Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
Supported Platforms: Windows
auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
1
command_prompt
!wmic process get /format:list
Adversaries may use command line tools to discover specific processes in preparation of further attacks. Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
Supported Platforms: Windows
auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
| Name | Description | Type | Default Value | |——|————-|——|—————| | process_to_enumerate | Process name string to search for. | string | lsass|
1
command_prompt
!tasklist | findstr #{process_to_enumerate}
Process Hacker can be exploited to infiltrate system processes, identify weak points, or achieve unauthorized control over systems. However, its malicious use can often be flagged by security defenses, rendering it a perilous tool for illegitimate purposes.
Supported Platforms: Windows
auto_generated_guid: 966f4c16-1925-4d9b-8ce0-01334ee0867d
| Name | Description | Type | Default Value | |——|————-|——|—————| | processhacker_exe | Process hacker installation executables. | string | ProcessHacker.exe|
1
powershell
! Elevation Required (e.g. root or admin)1
Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
1
powershell
!1
if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}") {exit 0} else {exit 1}
1
2
3
4
5
Write-Host Downloading Process Hacker
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
Write-Host Installing Process Hacker
Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more. When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
Supported Platforms: Windows
auto_generated_guid: b4ca838d-d013-4461-bf2c-f7132617b409
| Name | Description | Type | Default Value | |——|————-|——|—————| | pchunter64_exe | Process hacker installation executables. | string | PChunter64.exe|
1
powershell
! Elevation Required (e.g. root or admin)1
Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
1
powershell
!1
if (Get-ChildItem -Path C:\ -Include *PCHunter64* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
1
2
3
4
5
Write-Host Downloading PC Hunter
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "C:\Temp\ExternalPayloads\PCHunter_free.zip"
Expand-Archive -LiteralPath 'C:\Temp\ExternalPayloads\PCHunter_free.zip' -DestinationPath C:\Temp\ExternalPayloads
Write-Host Unzipping Installing Process Hunter
An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system. Reference
Supported Platforms: Windows
auto_generated_guid: 4fd35378-39aa-481e-b7c4-e3bf49375c67
1
command_prompt
!taskmgr.exe /7