Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or <code>Get-Process</code> via PowerShell. Information about processes can also be extracted from the output of Native API calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.
On network devices, Network Device CLI commands such as show processes can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1057 | Process Discovery |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of process discovery attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Process discovery involves adversaries identifying and listing active processes on a compromised system to locate targets for further exploitation or lateral movement. Attackers may use process discovery to identify running security tools, user applications, or system services that could be manipulated, disabled, or evaded. By gaining insight into the processes running on a system, attackers can better understand the environment and adapt their tactics to evade detection.
Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, allowing security teams to detect abnormal behaviors that could indicate unauthorized process discovery activity. This telemetry enables rapid detection of attempts to enumerate or interact with system processes, whether through direct API calls or indirect methods such as scanning memory or accessing system information.
References
|