T1057

Process Discovery

Process Discovery (T1057) is a MITRE ATT&CK technique associated with Discovery . Adversaries may attempt to get information about running processes on a system.

Technique ID: T1057
Difficulty: Intermediate
Tactics: Discovery
Platforms: ESXiLinuxmacOSNetwork DevicesWindows

Executive Summary

Process Discovery (T1057) is a MITRE ATT&CK technique associated with Discovery. Adversaries may attempt to get information about running processes on a system.

Why Attackers Use It

Attackers use Process Discovery because it provides a reliable way to advance their objective within the Discovery tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, Network Devices, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or <code>Get-Process</code> via PowerShell. Information about processes can also be extracted from the output of Native API calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc. ESXi also supports use of the ps command, as well as esxcli system process list.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)

On network devices, Network Device CLI commands such as show processes can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Process Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents Process Discovery. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with Process Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1003
T1005
T1007
T1008
T1010
T1012
T1014
T1016
T1016.001
T1016.002
T1018
T1021.002
T1021.005
T1025
T1027
T1027.001
T1027.004
T1027.005
T1027.007
T1027.008
T1027.013
T1027.015
T1027.016
T1029
T1030
T1033
T1036.001
T1036.005
T1037
T1037.004
T1041
T1047
T1048
T1048.003
T1049
T1053.005
T1055
T1055.001
T1055.002
T1055.003
T1055.004
T1056.001
T1056.002
T1056.004
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.011
T1069.001
T1070
T1070.004
T1070.006
T1070.007
T1071
T1071.001
T1071.002
T1071.003
T1080
T1082
T1083
T1087
T1087.001
T1087.002
T1090
T1090.001
T1090.003
T1091
T1095
T1098.004
T1102
T1102.002
T1102.003
T1104
T1105
T1106
T1112
T1113
T1115
T1119
T1120
T1123
T1124
T1125
T1129
T1132.002
T1134
T1134.002
T1134.004
T1135
T1140
T1197
T1203
T1205
T1218.003
T1221
T1480
T1480.001
T1482
T1485
T1486
T1489
T1491.001
T1496.001
T1497.001
T1497.003
T1498
T1518
T1518.001
T1529
T1542.003
T1543.001
T1546
T1546.011
T1546.012
T1546.015
T1547.001
T1547.006
T1547.009
T1547.012
T1547.013
T1548.002
T1552.004
T1553.006
T1555.003
T1555.004
T1555.005
T1559
T1559.001
T1560
T1560.002
T1564
T1564.001
T1564.003
T1564.006
T1568
T1568.002
T1569.001
T1571
T1572
T1573
T1573.001
T1574
T1574.007
T1610
T1620
T1622
T1652
T1654
T1678
T1679
T1680
T1685
T1685.005
T1685.006
T1686
T1686.003
T1688

T1003OS Credential Dumping T1005Data from Local System T1007System Service Discovery T1008Fallback Channels T1010Application Window Discovery T1012Query Registry T1014Rootkit T1016System Network Configuration Discovery T1016.001Internet Connection Discovery T1016.002Wi-Fi Discovery T1018Remote System Discovery T1021.002SMB/Windows Admin Shares T1021.005VNC T1025Data from Removable Media T1027Obfuscated Files or Information T1027.001Binary Padding T1027.004Compile After Delivery T1027.005Indicator Removal from Tools T1027.007Dynamic API Resolution T1027.008Stripped Payloads T1027.013Encrypted/Encoded File T1027.015Compression T1027.016Junk Code Insertion T1029Scheduled Transfer T1030Data Transfer Size Limits T1033System Owner/User Discovery T1036.001Invalid Code Signature T1036.005Match Legitimate Resource Name or Location T1037Boot or Logon Initialization Scripts T1037.004RC Scripts T1041Exfiltration Over C2 Channel T1047Windows Management Instrumentation T1048Exfiltration Over Alternative Protocol T1048.003Exfiltration Over Unencrypted Non-C2 Protocol T1049System Network Connections Discovery T1053.005Scheduled Task T1055Process Injection T1055.001Dynamic-link Library Injection T1055.002Portable Executable Injection T1055.003Thread Execution Hijacking T1055.004Asynchronous Procedure Call T1056.001Keylogging T1056.002GUI Input Capture T1056.004Credential API Hooking T1059Command and Scripting Interpreter T1059.001PowerShell T1059.002AppleScript T1059.003Windows Command Shell T1059.004Unix Shell T1059.011Lua T1069.001Local Groups T1070Indicator Removal T1070.004File Deletion T1070.006Timestomp T1070.007Clear Network Connection History and Configurations T1071Application Layer Protocol T1071.001Web Protocols T1071.002File Transfer Protocols T1071.003Mail Protocols T1080Taint Shared Content T1082System Information Discovery T1083File and Directory Discovery T1087Account Discovery T1087.001Local Account T1087.002Domain Account T1090Proxy T1090.001Internal Proxy T1090.003Multi-hop Proxy T1091Replication Through Removable Media T1095Non-Application Layer Protocol T1098.004SSH Authorized Keys T1102Web Service T1102.002Bidirectional Communication T1102.003One-Way Communication T1104Multi-Stage Channels T1105Ingress Tool Transfer T1106Native API T1112Modify Registry T1113Screen Capture T1115Clipboard Data T1119Automated Collection T1120Peripheral Device Discovery T1123Audio Capture T1124System Time Discovery T1125Video Capture T1129Shared Modules T1132.002Non-Standard Encoding T1134Access Token Manipulation T1134.002Create Process with Token T1134.004Parent PID Spoofing T1135Network Share Discovery T1140Deobfuscate/Decode Files or Information T1197BITS Jobs T1203Exploitation for Client Execution T1205Traffic Signaling T1218.003CMSTP T1221Template Injection T1480Execution Guardrails T1480.001Environmental Keying T1482Domain Trust Discovery T1485Data Destruction T1486Data Encrypted for Impact T1489Service Stop T1491.001Internal Defacement T1496.001Compute Hijacking T1497.001System Checks T1497.003Time Based Checks T1498Network Denial of Service T1518Software Discovery T1518.001Security Software Discovery T1529System Shutdown/Reboot T1542.003Bootkit T1543.001Launch Agent T1546Event Triggered Execution T1546.011Application Shimming T1546.012Image File Execution Options Injection T1546.015Component Object Model Hijacking T1547.001Registry Run Keys / Startup Folder T1547.006Kernel Modules and Extensions T1547.009Shortcut Modification T1547.012Print Processors T1547.013XDG Autostart Entries T1548.002Bypass User Account Control T1552.004Private Keys T1553.006Code Signing Policy Modification T1555.003Credentials from Web Browsers T1555.004Windows Credential Manager T1555.005Password Managers T1559Inter-Process Communication T1559.001Component Object Model T1560Archive Collected Data T1560.002Archive via Library T1564Hide Artifacts T1564.001Hidden Files and Directories T1564.003Hidden Window T1564.006Run Virtual Instance T1568Dynamic Resolution T1568.002Domain Generation Algorithms T1569.001Launchctl T1571Non-Standard Port T1572Protocol Tunneling T1573Encrypted Channel T1573.001Symmetric Cryptography T1574Hijack Execution Flow T1574.007Path Interception by PATH Environment Variable T1610Deploy Container T1620Reflective Code Loading T1622Debugger Evasion T1652Device Driver Discovery T1654Log Enumeration T1678Delay Execution T1679Selective Exclusion T1680Local Storage Discovery T1685Disable or Modify Tools T1685.005Clear Windows Event Logs T1685.006Clear Linux or Mac System Logs T1686Disable or Modify System Firewall T1686.003Windows Host Firewall T1688Safe Mode Boot

Loading AttackTrace...

Executive Summary

Process Discovery (T1057) is a MITRE ATT&CK technique associated with Discovery. Adversaries may attempt to get information about running processes on a system.

Why Attackers Use It

MITRE Description

On network devices, Network Device CLI commands such as show processes can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Process Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with Process Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1003
T1005
T1007
T1008
T1010
T1012
T1014
T1016
T1016.001
T1016.002
T1018
T1021.002
T1021.005
T1025
T1027
T1027.001
T1027.004
T1027.005
T1027.007
T1027.008
T1027.013
T1027.015
T1027.016
T1029
T1030
T1033
T1036.001
T1036.005
T1037
T1037.004
T1041
T1047
T1048
T1048.003
T1049
T1053.005
T1055
T1055.001
T1055.002
T1055.003
T1055.004
T1056.001
T1056.002
T1056.004
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.011
T1069.001
T1070
T1070.004
T1070.006
T1070.007
T1071
T1071.001
T1071.002
T1071.003
T1080
T1082
T1083
T1087
T1087.001
T1087.002
T1090
T1090.001
T1090.003
T1091
T1095
T1098.004
T1102
T1102.002
T1102.003
T1104
T1105
T1106
T1112
T1113
T1115
T1119
T1120
T1123
T1124
T1125
T1129
T1132.002
T1134
T1134.002
T1134.004
T1135
T1140
T1197
T1203
T1205
T1218.003
T1221
T1480
T1480.001
T1482
T1485
T1486
T1489
T1491.001
T1496.001
T1497.001
T1497.003
T1498
T1518
T1518.001
T1529
T1542.003
T1543.001
T1546
T1546.011
T1546.012
T1546.015
T1547.001
T1547.006
T1547.009
T1547.012
T1547.013
T1548.002
T1552.004
T1553.006
T1555.003
T1555.004
T1555.005
T1559
T1559.001
T1560
T1560.002
T1564
T1564.001
T1564.003
T1564.006
T1568
T1568.002
T1569.001
T1571
T1572
T1573
T1573.001
T1574
T1574.007
T1610
T1620
T1622
T1652
T1654
T1678
T1679
T1680
T1685
T1685.005
T1685.006
T1686
T1686.003
T1688

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques