T1057 Process Discovery Mappings

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or <code>Get-Process</code> via PowerShell. Information about processes can also be extracted from the output of Native API calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CVE-2012-4681 n/a uncategorized T1057 Process Discovery
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1057 Process Discovery