T1057 is one of the most widely observed techniques in the MITRE ATT&CK framework, with over 200 documented procedure examples spanning state-sponsored espionage groups, ransomware operators, financially motivated cybercriminals, and red team frameworks. Its prevalence reflects the reality that process enumeration is one of the first and most valuable reconnaissance steps an adversary takes after initial access. The technique appears across every major platform — Windows, Linux, macOS, ESXi, and network devices — and has no sub-techniques. Like its sibling discovery techniques, T1057 cannot be easily mitigated with preventive controls because it relies entirely on the abuse of legitimate system features.
T1057 falls under the Discovery tactic (TA0007). Like other discovery techniques, process enumeration is purely observational — the adversary reads the state of the system without modifying it. This makes detection inherently challenging because the exact same commands used by attackers are also used constantly by legitimate administrators, monitoring tools, help desk scripts, and the operating system itself. The key to detecting malicious process discovery lies not in the command, but in the context: who executed it, from which process, at what time, and what happened immediately before and after.
The intelligence gathered through T1057 directly informs critical attacker decisions. If the process list reveals that CrowdStrike Falcon, Carbon Black, or Microsoft Defender for Endpoint is running, the adversary knows they need to evade or disable those tools before proceeding. If lsass.exe is running (as it always is on Windows), they know the target for credential dumping. If a database server, financial application, or VPN client is active, they have identified high-value targets for data theft. If the process list shows no EDR agent at all, they know the system is effectively unmonitored.
How Process Discovery Works
Process Discovery follows a straightforward pattern: the adversary enumerates running processes to build a picture of the target environment. The specific implementation varies by platform, tooling, and sophistication level.
Windows Built-in Commands
Tasklist. The tasklist utility is the single most commonly observed tool for T1057 on Windows. Running tasklist returns a formatted list of all running processes with their PIDs, session names, and memory usage. The verbose flag (tasklist /v) adds window titles, status, and user context — the Epic malware, attributed to Turla, uses exactly this command. Adversaries frequently combine tasklist with findstr or find to search for specific processes: tasklist | findstr /i "defender" quickly reveals whether Windows Defender is active. Volt Typhoon, the Chinese state-sponsored group targeting US critical infrastructure, uses tasklist as part of its living-off-the-land reconnaissance, saving output to files in temporary locations for later review.
WMIC. The wmic process command provides richer process data in a machine-parseable format. Zebrocy, a toolset attributed to APT28, combines tasklist with wmic process get Caption,ExecutablePath to retrieve both process names and their full executable paths — information that reveals not just what is running, but where it was launched from. WMIC queries can also return parent process IDs, command-line arguments, and the user context under which each process runs.
PowerShell. The Get-Process cmdlet returns detailed process information as structured objects that can be filtered, sorted, and piped through PowerShell's pipeline. Adversaries use it to query specific processes by name (Get-Process -Name "MsMpEng" to check for Defender), filter by memory usage or CPU time, and retrieve module information. PowerShell Script Block Logging captures these commands in full, making it a high-value detection data source.
Native API Calls
Sophisticated malware bypasses command-line tools entirely and calls Windows Native APIs directly, avoiding process creation events that would be logged by Sysmon. The most commonly used API sequence is CreateToolhelp32Snapshot followed by Process32First and Process32Next, which iterates through all running processes and returns their names, PIDs, and parent PIDs.
The SUNSPOT implant, deployed by APT29 (Cozy Bear) as part of the SolarWinds supply chain attack, is one of the best-documented examples of API-based process discovery. SUNSPOT called CreateToolhelp32Snapshot to enumerate all running processes, then hashed each process name and compared the result to the value 0x53D525 — which corresponds to MsBuild.exe. When it found the SolarWinds Orion build process, it injected the SUNBURST backdoor into the build output. This is T1057 used with surgical precision: the malware enumerated processes not for general reconnaissance, but to identify a single specific target process for supply chain compromise.
Other API approaches include NtQuerySystemInformation with the SystemProcessInformation class, which provides even more detailed process data including thread counts and kernel/user time, and EnumProcesses from the PSAPI library, which returns an array of all active PIDs.
Linux and macOS
On Linux and macOS, the ps command is the primary tool for process discovery. ps aux lists all processes with their user, PID, CPU and memory usage, start time, and full command line. ps -ef provides a similar listing with parent PID information. Adversaries may also enumerate processes by reading the /proc filesystem directly — each subdirectory under /proc/ corresponds to a running process and contains its command line (/proc/[pid]/cmdline), executable path (/proc/[pid]/exe), and environment variables (/proc/[pid]/environ). LoudMiner, a cryptocurrency mining malware, uses ps to continuously monitor the process list for security tools that might detect its mining activity.
On ESXi hypervisors, which are increasingly targeted by ransomware, the ps command and esxcli system process list reveal running virtual machines and management processes. Ransomware operators use this information to identify VM processes that must be killed before their underlying VMDK files can be encrypted.
Network Devices
On network infrastructure devices, CLI commands like show processes (Cisco IOS) display currently running processes, including routing protocols, management services, and any anomalous processes that might indicate compromise. Adversaries use this information to understand the device's role in the network and identify processes to manipulate for persistence.
Why Process Discovery Matters
Process discovery serves several distinct strategic purposes in an attack chain, each of which drives different follow-on behaviors.
Security tool identification. This is the most common and most consequential use of T1057. By enumerating running processes, adversaries identify which security products are active — EDR agents, antivirus engines, HIPS solutions, DLP tools, and logging infrastructure. This intelligence directly determines the adversary's evasion strategy. If CrowdStrike Falcon is running, the adversary may choose process hollowing over standard injection. If no EDR is present, they may proceed with less caution. The Astaroth (Guildma) malware is documented checking running processes specifically to identify antivirus products before proceeding with its infection chain.
Injection target selection. Process injection (T1055) requires identifying a suitable host process. T1057 provides the list of candidates. Adversaries look for processes that are long-lived, have network access, run with elevated privileges, and are unlikely to be closely monitored. Common injection targets include explorer.exe, svchost.exe, browser processes, and Java or .NET runtime hosts. Without T1057, adversaries would be injecting blindly.
Credential access targeting. Process discovery reveals whether high-value credential-bearing processes are running. The presence of lsass.exe confirms credential dumping is possible (T1003.001). Running instances of KeePass, browser processes, SSH agents, or VPN clients indicate additional credential stores that can be targeted. Cobalt Strike operators routinely run tasklist or use the built-in ps command to identify processes for credential harvesting.
Pre-encryption reconnaissance (ransomware). Ransomware operators use process discovery to identify applications that hold file locks — database servers, email clients, backup agents — which must be terminated before their data files can be encrypted. Conti, Clop, Akira, and Embargo all perform process enumeration as part of their encryption preparation. On ESXi, ransomware uses process listing to identify running VMs before killing them to release locks on VMDK files.
Environment validation. Malware uses process discovery to detect sandbox or analysis environments. The presence of processes like vmtoolsd.exe (VMware), vboxservice.exe (VirtualBox), wireshark.exe, procmon.exe, or x64dbg.exe indicates the malware may be running in a security researcher's lab rather than a real target. Detecting these processes triggers evasion behavior — the malware may exit, delay execution, or alter its behavior to appear benign.
Real-World Case Studies
SUNSPOT / APT29 — Precision Process Discovery in the SolarWinds Supply Chain Attack
The SUNSPOT implant represents the most sophisticated documented use of T1057. Deployed by APT29 (attributed to Russia's SVR) as part of the SolarWinds supply chain compromise, SUNSPOT was installed on the SolarWinds build server where it monitored running processes continuously. The implant called CreateToolhelp32Snapshot to enumerate all processes, then hashed each process name using a custom algorithm and compared the result to the hard-coded value 0x53D525.
This hash corresponded to MsBuild.exe — the build tool that compiled the Orion software platform. When SUNSPOT detected MsBuild running, it knew a build was in progress and injected the SUNBURST backdoor into the source code before compilation. The SUNBURST backdoor was then distributed through legitimate SolarWinds software updates to approximately 18,000 organizations worldwide. This case demonstrates T1057 at its most dangerous: not as generic reconnaissance, but as a precision targeting mechanism in a supply chain attack.
Volt Typhoon — Living Off the Land Process Discovery Against US Critical Infrastructure
Volt Typhoon (also tracked as Bronze Silhouette, Insidious Taurus, and DEV-0391), a Chinese state-sponsored threat group, has used process discovery as part of its systematic reconnaissance of US critical infrastructure since at least 2021. According to joint advisories from CISA, NSA, and international partners, Volt Typhoon uses Windows' built-in tasklist /v command to enumerate running processes, saving the output to temporary files for later analysis. The group relies almost exclusively on living-off-the-land techniques, meaning they use native system tools rather than deploying custom malware.
Microsoft observed Volt Typhoon discovering running processes alongside file system types, drive information, and open networks as part of comprehensive system profiling. The process list helps Volt Typhoon identify security tools that must be evaded and administrative software that can be leveraged for lateral movement. FBI Director Christopher Wray characterized Volt Typhoon as pursuing pre-positioning within US critical infrastructure for potential disruptive or destructive operations during a future crisis — making their quiet, methodical process discovery a precursor to potentially devastating follow-on actions.
Earth Preta (Mustang Panda) — Process Discovery for Defense Evasion (2025)
In February 2025, Trend Micro documented Earth Preta (also known as Mustang Panda), a China-aligned APT group, mixing legitimate and malicious components to sidestep detection. The group's toolchain includes process enumeration as a key reconnaissance step, using the information to identify security products on target systems and adapt its evasion techniques accordingly. Earth Preta's operations target government and diplomatic organizations across Southeast Asia, and their use of T1057 is tightly integrated with their defense evasion workflow — process discovery feeds directly into decisions about which DLL sideloading techniques to employ and which legitimate processes to abuse for code execution.
FIN7 — Process Discovery in Automotive Industry Targeting (2024)
In late 2023, BlackBerry researchers discovered FIN7 targeting a US automotive manufacturer, exploiting IT employees with elevated access. FIN7's attack chain included systematic process discovery to identify security tools, business applications, and administrative software on compromised systems. The group used this intelligence to evade detection while deploying their Carbanak-derived tooling. FIN7's process enumeration was part of a broader discovery phase that included system information gathering and network reconnaissance, demonstrating how sophisticated financially motivated groups combine multiple discovery techniques to build a comprehensive picture of the target environment before proceeding with data theft.
Cobalt Strike — Process Discovery as Standard Red Team and Criminal Tradecraft
Cobalt Strike, the commercial adversary simulation framework that has become one of the most widely abused tools in both legitimate red team operations and criminal campaigns, includes built-in process discovery capabilities. The ps command within Cobalt Strike's Beacon implant enumerates all running processes and displays their PIDs, parent PIDs, process names, architectures (x86/x64), and user contexts. Operators routinely use this to identify injection targets, locate security software, and find processes running with SYSTEM or domain admin privileges. Because Cobalt Strike interacts directly with the Windows API rather than spawning tasklist.exe, its process enumeration is harder to detect through command-line monitoring alone.
Detection Strategies
Detecting T1057 requires the same contextual approach as other discovery techniques. Process enumeration commands are legitimate and common, so detection rules must focus on the circumstances surrounding their execution rather than the commands themselves.
Alerting on every execution of tasklist or ps will generate overwhelming false positives. Effective T1057 detection focuses on anomalous process lineage (who spawned the enumeration), temporal proximity to other discovery commands, and whether the output was redirected to a file or sent over the network. A tasklist from a monitoring agent is normal. A tasklist spawned by rundll32.exe three seconds after a new scheduled task was created is not.
Key Monitoring Points
| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| Sysmon Event ID 1 (Process Creation) | tasklist.exe, tasklist /v execution | Flag tasklist executions by non-administrative users, from unexpected parent processes (especially rundll32, regsvr32, mshta, or scripting engines), or combined with findstr filtering for security product names |
| Sysmon Event ID 1 | wmic process queries | Flag wmic process get or wmic process list executions, especially those requesting ExecutablePath or CommandLine fields, which indicate targeted reconnaissance rather than casual inspection |
| PowerShell Script Block Logging (Event ID 4104) | Get-Process usage | Flag Get-Process combined with filtering for security product names, output to files, or pipeline operations that extract specific process attributes |
| Windows API Monitoring / EDR | CreateToolhelp32Snapshot calls | Flag calls to CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS flag from unsigned binaries, processes in user-writable directories, or recently created executables |
| Sysmon Event ID 1 — Linux | ps command execution | Flag ps aux, ps -ef, or reads of /proc/*/cmdline from non-interactive shell sessions, especially those associated with recently established SSH or reverse shell connections |
| EDR / Process Telemetry | Process enumeration followed by process termination | Correlate T1057 (process listing) immediately followed by T1489 (Service Stop) or process termination — a strong indicator of ransomware pre-encryption activity |
| Network Traffic | Process list exfiltration | Monitor for outbound data transfers containing process listing artifacts (columnar process data, PID sequences, security product names) to external infrastructure |
Splunk Detection Queries
Query 1: Process Enumeration from Suspicious Parent Processes
Detects process discovery commands spawned by processes that would not normally perform enumeration — a strong indicator of adversary activity via LOLBins or malware.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name=tasklist.exe OR process_name=wmic.exe
OR (process_name=powershell.exe AND CommandLine="*Get-Process*"))
AND (parent_process_name=rundll32.exe OR parent_process_name=regsvr32.exe
OR parent_process_name=mshta.exe OR parent_process_name=wscript.exe
OR parent_process_name=cscript.exe OR parent_process_name=certutil.exe)
| table _time host user process_name CommandLine parent_process_name parent_process_path
| sort -_timeQuery 2: Process Enumeration Targeting Security Products
Detects process enumeration commands combined with filtering for security product names, a pattern used by adversaries to identify and evade defensive tools.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name=tasklist.exe OR process_name=findstr.exe OR process_name=find.exe)
AND (CommandLine="*defender*" OR CommandLine="*crowdstrike*" OR CommandLine="*falcon*"
OR CommandLine="*carbon*" OR CommandLine="*sentinel*" OR CommandLine="*sophos*"
OR CommandLine="*symantec*" OR CommandLine="*kaspersky*" OR CommandLine="*mcafee*"
OR CommandLine="*cylance*" OR CommandLine="*fireeye*" OR CommandLine="*trellix*")
| table _time host user process_name CommandLine parent_process_name
| sort -_timeQuery 3: Rapid Multi-Command Discovery Pattern
Detects multiple discovery commands executed in rapid succession from the same host — a pattern consistent with automated reconnaissance by malware or post-exploitation frameworks.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name IN (tasklist.exe, systeminfo.exe, ipconfig.exe, net.exe,
whoami.exe, hostname.exe, netstat.exe, arp.exe, route.exe))
| bin _time span=60s
| stats count dc(process_name) as unique_commands values(process_name) as commands by _time host user
| where unique_commands >= 4
| sort -_timeQuery 4: Linux Process Discovery from Remote Sessions
Detects process enumeration on Linux systems from shell sessions associated with SSH or reverse shell activity.
index=linux sourcetype=syslog OR sourcetype=linux_audit
(CommandLine="ps aux*" OR CommandLine="ps -ef*" OR CommandLine="ps -A*"
OR CommandLine="*cat /proc/*/cmdline*" OR CommandLine="*cat /proc/*/status*")
| eval session_type=case(
match(parent_process,"sshd"), "SSH",
match(parent_process,"(bash|sh|dash|zsh)"), "Shell",
1=1, "Other")
| where session_type="SSH" OR isnotnull(parent_process)
| table _time host user CommandLine parent_process session_type
| sort -_timeKnown Threat Actors and Malware
T1057 is used by a broad cross-section of threat actors. The following tables highlight documented usage organized by motivation.
State-Sponsored Espionage
| Actor / Malware | Attribution | T1057 Usage |
|---|---|---|
| APT29 / SUNSPOT | Russia (SVR) | CreateToolhelp32Snapshot to enumerate processes, hashing each name to find MsBuild.exe for SolarWinds supply chain injection |
| Volt Typhoon | China (PRC) | tasklist /v as living-off-the-land reconnaissance against US critical infrastructure |
| APT28 / Zebrocy | Russia (GRU) | Combined tasklist with wmic process get Caption,ExecutablePath for full process path enumeration |
| Earth Preta (Mustang Panda) | China | Process enumeration to identify security products before deploying DLL sideloading payloads (2025 campaigns) |
| Turla / Epic | Russia (FSB) | tasklist /v for verbose process listing including window titles |
| APT38 (Lazarus sub-group) | North Korea | Process enumeration to identify financial software and security controls on banking systems |
| Sidewinder | India | Custom tools to identify running processes on victim machines |
| Deep Panda | China | Uses tasklist to enumerate processes on compromised systems |
Ransomware and Financially Motivated Groups
| Actor / Malware | T1057 Usage |
|---|---|
| Cobalt Strike | Built-in ps command enumerates processes via Windows API with PID, PPID, architecture, and user context |
| FIN7 | Process discovery for security tool identification during US automotive industry targeting (2024) |
| Conti | Process enumeration to identify applications holding file locks before encryption |
| Clop | Enumerates processes as part of pre-encryption preparation |
| Akira | Process discovery to identify running applications and security tools on target systems |
| Embargo | Process enumeration for ESXi VM identification before VMDK encryption |
| Avaddon | Enumerates running processes to identify targets for termination before encryption |
| WarzoneRAT | Obtains list of processes on compromised hosts for security tool identification |
Malware and Tools
| Tool / Malware | T1057 Usage |
|---|---|
| SUNSPOT | API-level process monitoring via CreateToolhelp32Snapshot with hash-based process name matching |
| Astaroth / Guildma | Checks running processes to identify antivirus products before proceeding with infection |
| LoudMiner | Continuously monitors process list via ps for security tools that might detect crypto mining |
| FELIXROOT | Collects list of running processes as part of initial system profiling |
| FoggyWeb | Checks for specific AD FS processes on compromised servers (attributed to NOBELIUM) |
| Empire | PowerShell-based process enumeration via Get-Process with filtering capabilities |
| IronNetInjector | Uses C# GetProcessesByName to locate specific target processes for injection |
Defensive Recommendations
1. Enable comprehensive process creation logging
Deploy Sysmon with a configuration that logs all process creation events (Event ID 1) with full command-line arguments and parent process information. Enable Windows Security audit policy for process creation (Event ID 4688) with command-line logging enabled via Group Policy. On Linux, configure auditd to log execve system calls. These logs are the foundation for all T1057 detection — without them, process discovery activity is invisible to defenders.
2. Enable PowerShell Script Block Logging
PowerShell Module Logging (Event ID 4103) and Script Block Logging (Event ID 4104) capture Get-Process and related cmdlets in full. This is essential for detecting PowerShell-based process discovery that does not spawn a separate tasklist.exe process. Ensure logs are forwarded to your SIEM and retained for at least 90 days.
3. Build detection rules around process lineage
The most effective T1057 detections focus on anomalous parent-child relationships. A tasklist.exe spawned by explorer.exe (a user opening Task Manager) is normal. A tasklist.exe spawned by rundll32.exe, mshta.exe, or regsvr32.exe is almost certainly malicious. Build detection rules that flag process enumeration commands from unexpected parent processes, and maintain allowlists for known-good monitoring tools.
4. Detect rapid multi-command discovery patterns
Adversaries and post-exploitation frameworks typically execute multiple discovery commands in rapid succession: whoami, systeminfo, tasklist, ipconfig, net user, and netstat within seconds. Build correlation rules that fire when four or more discovery commands are observed from the same host within a 60-second window. This pattern is highly reliable and generates fewer false positives than alerting on individual commands.
5. Monitor for API-level process enumeration
Advanced malware like SUNSPOT bypasses command-line tools by calling CreateToolhelp32Snapshot, Process32First, and Process32Next directly. Configure your EDR to monitor for these API calls from unsigned binaries, processes running from user-writable directories, or recently created executables. While API monitoring generates more telemetry than command-line logging, it catches evasion techniques that bypass traditional detection.
6. Deploy deceptive processes
Run decoy processes with names that mimic high-value targets: a process named keepass.exe, 1password.exe, or sqlserver.exe that contains no real data but triggers alerts when accessed or injected into. Similarly, running a process named after a non-existent EDR product may cause adversaries to waste time attempting to evade a tool that is not there, while alerting defenders that process enumeration has occurred and the adversary is reacting to the fake process list.
7. Correlate T1057 with other discovery and follow-on techniques
Process discovery rarely occurs alone. When T1057 is observed alongside T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1016 (System Network Configuration Discovery), and T1049 (System Network Connections Discovery), it strongly indicates an adversary is conducting comprehensive reconnaissance. Correlate T1057 with subsequent T1055 (Process Injection) or T1562 (Impair Defenses) activity to detect adversaries acting on the intelligence gathered through process discovery.
8. Implement application whitelisting on critical servers
On high-value servers (domain controllers, database servers, build servers), implement application control policies (AppLocker, WDAC) that restrict which processes can execute. While this does not prevent process enumeration, it limits what adversaries can do with the intelligence — if they cannot run their tools, knowing what processes are running provides less operational value. The SolarWinds attack underscores why build servers in particular need strict application control.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1057 |
| Technique Name | Process Discovery |
| Tactics | Discovery (TA0007) |
| Platforms | Windows, Linux, macOS, ESXi, Network Devices |
| Sub-Techniques | None (no sub-techniques defined) |
| Data Sources | Process (Creation), Command (Execution), OS API (Execution) |
| Version | 1.6 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1057 |
Sources and References
- MITRE ATT&CK — T1057 Process Discovery: attack.mitre.org
- CrowdStrike — SUNSPOT: An Implant in the Build Process: crowdstrike.com
- Microsoft — Volt Typhoon Targets US Critical Infrastructure with Living-Off-The-Land Techniques: microsoft.com
- CISA/NSA — PRC State-Sponsored Cyber Actor Living Off the Land (Volt Typhoon): cisa.gov
- Trend Micro — Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection (2025): trendmicro.com
- BlackBerry — Threat Group FIN7 Targets the US Automotive Industry (2024): blackberry.com
- Red Canary — Atomic Red Team T1057 Tests: github.com
- Picus Security — Red Report 2026: picussecurity.com