Description
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. On macOS and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. ESXi also supports use of the ps command, as well as esxcli system process list.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
On network devices, Network Device CLI commands such as show processes can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
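The utilities named above (tasklist, Get-Process, wmic, ps, /proc, esxcli system process list, show processes) are also what process-creation telemetry can be matched against. The following is an added example, not code from the ATT&CK page or any referenced product: it classifies constructed command lines by those patterns and alerts on hosts where several discovery commands cluster inside a short sliding window, so a single routine ps or tasklist stays below the threshold. Category names, event fields, the window and the threshold are my own assumptions.

```python
import re
from datetime import datetime

# Command patterns taken from the T1057 description: tasklist / Get-Process / wmic on
# Windows, ps and /proc on Linux and macOS, esxcli on ESXi, show processes on network
# CLIs. Encoded or obfuscated command lines will not match and must be decoded upstream.
DISCOVERY_PATTERNS = {
    "win_tasklist":    re.compile(r"\btasklist(\.exe)?\b", re.I),
    "win_get_process": re.compile(r"\bGet-Process\b", re.I),
    "win_wmic":        re.compile(r"\bwmic\b.*\bprocess\b", re.I),
    "esxi_esxcli":     re.compile(r"\besxcli\s+system\s+process\s+list\b", re.I),
    "nix_ps":          re.compile(r"(^|[\s/;&|])ps(\s|$)"),
    "nix_proc":        re.compile(r"/proc/[^/\s]+/(cmdline|status|comm|exe|stat)\b"),
    "netdev_show":     re.compile(r"\bshow\s+processes\b", re.I),
}

def classify(cmdline):
    """Return the discovery category a command line matches, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None

def detect(events, window_s=300, threshold=2):
    """One alert per host whose densest window_s-second window holds >= threshold hits."""
    hits = {}
    for e in events:
        cat = classify(e["cmd"])
        if cat:
            hits.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), cat))
    alerts = []
    for host, items in hits.items():
        items.sort()
        # Try each hit as the window start and keep the window with the most hits.
        best = max(([c for t, c in items if 0 <= (t - t0).total_seconds() <= window_s]
                    for t0, _ in items), key=len)
        if len(best) >= threshold:
            alerts.append({"host": host, "count": len(best), "categories": sorted(set(best))})
    return alerts

# Constructed process-creation events (not real telemetry): timestamp, host, command line.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:05", "host": "ws01", "cmd": "tasklist /v"},
    {"ts": "2025-01-10T09:00:09", "host": "ws01", "cmd": "powershell -nop Get-Process"},
    {"ts": "2025-01-10T09:00:12", "host": "ws01", "cmd": "wmic process get ExecutablePath"},
    {"ts": "2025-01-10T10:30:00", "host": "srv02", "cmd": "ps aux"},
    {"ts": "2025-01-11T10:30:00", "host": "srv02", "cmd": "cat /proc/*/cmdline"},
    {"ts": "2025-01-10T11:00:00", "host": "esx01", "cmd": "esxcli system process list"},
    {"ts": "2025-01-10T11:00:03", "host": "esx01", "cmd": "ps -c"},
]
```

With the sample data, ws01 (three Windows discovery commands in seven seconds) and esx01 (esxcli plus ps in three seconds) are flagged, while srv02's two hits a day apart are not.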
Platforms
Threat Groups (41)
| ID | Group | Context |
|---|---|---|
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used [Tasklist](https://attack.mitre.org/software/S0057) on compromised hosts for discovery.(C... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used malware to enumerate active processes.(Citation: BlackBerry Bahamut) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has enumerated running processes on targeted systems including through the use of [Tasklist](htt... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) is capable of enumerating the running processes on the system using <code>pslist</code>.(Citat... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to identify running processes on the victim's machine.(Citation: ATT Sidewinder Jan... |
| G0009 | Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) uses the Microsoft [Tasklist](https://attack.mitre.org/software/S0057) utility to list processes r... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) gathered a list of running processes on the system using <code>tasklist /v</code>.(Citation: Mandiant AP... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used `tasklist` to enumerate processes.(Citation: Rapid7 HAFNIUM Mar 2021) |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) malware can collect a list of running processes on a system.(Citation: Securelist Darkhotel Aug 201... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used the information stealer Grixba to check for a list of security processes.(Citation: Trend Micr... |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers a list of running processes.(Citation: Citizen Lab Stealth Falcon May 2016) |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for rival malware and removed it if found.(Citation: Trend Micro TeamTNT) [TeamTNT](http... |
| G0007 | APT28 | An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan will enumerate the victim's processes searching for explorer.exe if its current proces... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>tasklist</code> to enumerate processes.(Citation: NCC Group Chimera January 2021) |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has used <code>tasklist</code> to enumerate processes and find a specific string.(Citation: Kaspersk... |
| G0032 | Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families gather a list of running processes on a victim system and send it to t... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has discovered running processes through `tasklist.exe`.(Citation: Microsoft Storm-501 Sabbath Ran... |
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) actors obtained a list of active processes on the victim and sent them to C2 servers.(Citation: Dust... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Tasklist](https://attack.mitre.org/software/S0057) to obtain information from a comprom... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized a hard-coded security tool process list that identifies and terminates using an und... |
Associated Software (267)
| ID | Name | Type | Context |
|---|---|---|---|
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) uses the <code>tasklist /v</code> command to obtain a list of processes.(Citation: Kaspersky Turla)(Ci... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has searched for running processes to include web or dsmdm.(Citation: CISA SPAWNCHIMERA RESURG... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) can obtain a list of processes on a compromised host.(Citation: Check Point Warzone Feb 2020) |
| S0267 | FELIXROOT | Malware | [FELIXROOT](https://attack.mitre.org/software/S0267) collects a list of running processes.(Citation: ESET GreyEnergy Oct 2018) |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can kill a process using a specific process ID.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citat... |
| S0562 | SUNSPOT | Malware | [SUNSPOT](https://attack.mitre.org/software/S0562) monitored running processes for instances of <code>MsBuild.exe</code> by hashing the name of each r... |
| S9012 | TRAILBLAZE | Malware | [TRAILBLAZE](https://attack.mitre.org/software/S9012) has conducted process discovery by searching for specific named processes such as `/home/bin/web... |
| S0142 | StreamEx | Malware | [StreamEx](https://attack.mitre.org/software/S0142) has the ability to enumerate processes.(Citation: Cylance Shell Crew Feb 2017) |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) can enumerate processes on compromised hosts.(Citation: Check Point Blind Eagle MAR 2025) |
| S0456 | Aria-body | Malware | [Aria-body](https://attack.mitre.org/software/S0456) has the ability to enumerate loaded modules for a process.(Citation: CheckPoint Naikon May 2020). |
| S0149 | MoonWind | Malware | [MoonWind](https://attack.mitre.org/software/S0149) has a command to return a list of running processes.(Citation: Palo Alto MoonWind March 2017) |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) uses the <code>tasklist</code> and <code>wmic process get Capture, ExecutablePath</code> commands t... |
| S0581 | IronNetInjector | Tool | [IronNetInjector](https://attack.mitre.org/software/S0581) can identify processes via C# methods such as <code>GetProcessesByName</code> and running [... |
| S0277 | FruitFly | Malware | [FruitFly](https://attack.mitre.org/software/S0277) has the ability to list processes on the system.(Citation: objsee mac malware 2017) |
| S0351 | Cannon | Malware | [Cannon](https://attack.mitre.org/software/S0351) can obtain a list of processes running on the system.(Citation: Unit42 Cannon Nov 2018)(Citation: Un... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) used the <code>ps</code> command to monitor the running processes on the system.(Citation: ESET L... |
| S0059 | WinMM | Malware | [WinMM](https://attack.mitre.org/software/S0059) sets a WH_CBT Windows hook to collect information on process creation.(Citation: Baumgartner Naikon 2... |
| S1013 | ZxxZ | Malware | [ZxxZ](https://attack.mitre.org/software/S1013) has created a snapshot of running processes using `CreateToolhelp32Snapshot`.(Citation: Cisco Talos Bi... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can identify installed security tools based on process names.(Citation: ESET Grandoreiro April ... |
| S0271 | KEYMARBLE | Malware | [KEYMARBLE](https://attack.mitre.org/software/S0271) can obtain a list of running processes on the system.(Citation: US-CERT KEYMARBLE Aug 2018) |
References
- Cisco. (2022, August 16). show processes. Retrieved July 13, 2022.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.
Frequently Asked Questions
What is T1057 (Process Discovery)?
T1057 is a MITRE ATT&CK technique named 'Process Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within th...
How can T1057 be detected?
Detection of T1057 (Process Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1057?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1057?
Known threat groups using T1057 include: MirrorFace, Windshift, Volt Typhoon, Tropic Trooper, Sidewinder, Deep Panda, APT1, HAFNIUM.