discord

Process Discovery

Process Discovery [T1057]

Information

  • Name: Process Discovery

  • ID: T1057

  • Tactics: TA0007

Introduction

Process Discovery is a reconnaissance technique categorized under the MITRE ATT&CK framework (Technique ID: T1057). Attackers utilize this method to gain insight into running processes, services, and applications on compromised systems. By enumerating processes, adversaries can identify security tools, defensive measures, valuable targets, and opportunities for privilege escalation or lateral movement within a network. Process Discovery typically occurs early in the attack lifecycle, enabling attackers to make informed decisions about subsequent actions.

Deep Dive Into Technique

Process Discovery involves enumerating running processes and services on a compromised host to gather intelligence about the environment. Technical details and execution methods include:

  • Native OS Commands and Utilities:

    • Windows:

      • tasklist: Lists running processes and services.

      • wmic process list: Provides detailed process information.

      • PowerShell commands: Get-Process, Get-Service to enumerate processes and services.

    • Linux/Unix:

      • ps: Lists running processes.

      • top and htop: Interactive process viewers.

      • systemctl: Lists active services.

      • pstree: Displays processes in a hierarchical tree.

  • Scripting and Automation:

    • Attackers frequently leverage scripts (PowerShell, Python, Bash) to automate enumeration and parsing of process information.

  • Third-party Tools:

    • Sysinternals Suite (Windows): Utilities like Process Explorer, PsList provide detailed process information.

    • Custom malware and reconnaissance tools specifically designed to enumerate processes and identify defensive software.

  • APIs and System Calls:

    • Directly utilizing operating system APIs (e.g., Windows API calls like CreateToolhelp32Snapshot, EnumProcesses) to programmatically gather process information without invoking standard command-line utilities, thus evading basic detection mechanisms.

Attackers often use this technique to detect the presence of antivirus software, endpoint detection and response (EDR) tools, backup utilities, and other defensive measures to adjust their tactics accordingly.

When this Technique is Usually Used

Process Discovery is typically employed during various stages of the attack lifecycle, including:

  • Initial Reconnaissance and Enumeration:

    • Immediately after gaining initial access to a system, attackers enumerate processes to understand the environment.

  • Privilege Escalation Attempts:

    • Identifying running processes owned by privileged users or services to exploit vulnerabilities and escalate privileges.

  • Defense Evasion:

    • Determining presence of security software and endpoint protection mechanisms to disable or evade detection.

  • Lateral Movement Preparation:

    • Enumerating processes and services to identify potential pivot points and targets on adjacent systems.

  • Persistence and Execution:

    • Identifying suitable processes or services to inject malicious payloads or establish persistent backdoors.

How this Technique is Usually Detected

Detection methods for Process Discovery include monitoring and analyzing various activities and indicators:

  • Endpoint Monitoring and Logging:

    • Monitoring execution of suspicious command-line utilities (tasklist, ps, wmic, systemctl) via endpoint detection and response (EDR) solutions.

    • Logging PowerShell script execution and analyzing scripts for enumeration commands.

  • Process Execution and Command-line Analysis:

    • Detecting unusual or unexpected invocation of native OS enumeration commands.

    • Identifying enumeration commands executed from uncommon directories or by non-standard user accounts.

  • Behavioral Analysis and Anomaly Detection:

    • Establishing baselines of normal user and system behavior, then identifying deviations such as unusual frequency or timing of enumeration commands.

    • Alerting on suspicious API calls or system calls used to enumerate processes programmatically.

  • Security Information and Event Management (SIEM) Tools:

    • Correlating logs from multiple sources (endpoint, network, application) to detect enumeration activities.

    • Setting up alerts for known enumeration commands executed by unauthorized users or processes.

Indicators of Compromise (IoCs)

  • Execution of enumeration commands (tasklist, ps, wmic) by unauthorized or unexpected user accounts.

  • Presence of scripts or binaries specifically designed for process enumeration.

  • Unusual API calls related to process enumeration (CreateToolhelp32Snapshot, EnumProcesses).

  • Detection of known enumeration tools (e.g., Sysinternals utilities) used without authorization.

Why it is Important to Detect This Technique

Detecting Process Discovery is critical due to its role as an early-stage reconnaissance activity that can significantly impact the security posture of an organization. Importance of early detection includes:

  • Preventing Further Compromise:

    • Early identification and containment of reconnaissance activities limit attackers' ability to escalate privileges, move laterally, or establish persistence.

  • Reducing Attack Surface:

    • Identifying enumeration attempts allows defenders to proactively strengthen defenses, patch vulnerabilities, and remove unnecessary services or processes.

  • Protecting Sensitive Information:

    • Preventing attackers from accurately mapping the environment reduces the risk of sensitive data exfiltration and targeted attacks.

  • Enhancing Incident Response Effectiveness:

    • Early detection enables rapid investigation, response, and remediation, minimizing potential damage and downtime.

  • Maintaining Compliance and Trust:

    • Prompt detection and response reduce the likelihood of regulatory violations, data breaches, and potential reputational damage.

Examples

Real-world examples illustrating the use of Process Discovery include:

  • APT29 (Cozy Bear):

    • Utilized PowerShell commands (Get-Process) and Windows Management Instrumentation (WMI) to enumerate running processes and services, identifying security software before proceeding with lateral movement and privilege escalation.

  • TrickBot Malware:

    • Frequently executed tasklist and custom enumeration scripts to identify antivirus products and security solutions running on infected hosts, enabling attackers to adjust their tactics and evade detection.

  • FIN7 Group:

    • Leveraged native Windows utilities (wmic process list) and Sysinternals tools (PsList, Process Explorer) to enumerate processes and identify security software, allowing them to disable or bypass endpoint protections during compromise of financial institutions.

  • Emotet Malware:

    • Performed process enumeration to detect sandbox environments, virtual machines, and security tools, adjusting its behavior accordingly to evade analysis and detection.

  • DarkSide Ransomware:

    • Conducted enumeration of running processes and services to identify backup software and security solutions, disabling or terminating these processes to ensure successful encryption of victim data.

In each example, attackers leveraged Process Discovery techniques to gain critical intelligence about targeted environments, enabling them to evade defenses, escalate privileges, and achieve their objectives successfully.

Last updated

Was this helpful?