Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| ParentProcessName | Used to scope suspicious discovery from non-interactive or non-standard parent processes like Office macros, WMI, or script engines |
| CommandLinePattern | Adversaries may obfuscate or vary process discovery commands (e.g., aliases, PowerShell variants) |
| TimeWindow | Helps detect bursty discovery behavior within a short timeframe |
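The Windows analytic above expressed as detection logic over constructed 4688-style records, added here as an example and not part of the original page. The command pattern, the suspicious-parent list and the burst window stand in for the three mutable elements (CommandLinePattern, ParentProcessName, TimeWindow) and are assumptions to tune per environment.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Mutable element CommandLinePattern: tasklist.exe, Get-Process and its
# PowerShell aliases (gps, ps), and WMI process queries. Assumed set; tune it.
DISCOVERY_PATTERN = re.compile(
    r"(?<![\w.-])(?:tasklist(?:\.exe)?|get-process|gps|ps|wmic\s+process)(?![\w.-])",
    re.IGNORECASE,
)
# Mutable element ParentProcessName: parents from which discovery is rarely legitimate.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wmiprvse.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# Mutable element TimeWindow: this many discovery commands per host inside the window is a burst.
TIME_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3


def is_discovery(command_line: str) -> bool:
    return bool(DISCOVERY_PATTERN.search(command_line))


def evaluate(events):
    """Return (parent_alerts, burst_hosts) for a list of 4688-style event dicts."""
    parent_alerts, burst_hosts, recent = [], set(), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_discovery(ev["CommandLine"]):
            continue
        parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        if parent in SUSPICIOUS_PARENTS:  # lineage check
            parent_alerts.append((ev["host"], parent, ev["CommandLine"]))
        q = recent.setdefault(ev["host"], deque())  # sliding window per host
        q.append(ev["time"])
        while ev["time"] - q[0] > TIME_WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            burst_hosts.add(ev["host"])
    return parent_alerts, burst_hosts


T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "WS01", "time": T0, "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\tasklist.exe"},
    {"host": "WS02", "time": T0, "ParentProcessName": r"C:\Office\WINWORD.EXE",
     "CommandLine": 'powershell.exe -nop -c "gps | select Name"'},
    {"host": "WS03", "time": T0 + timedelta(seconds=5),
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "tasklist /v"},
    {"host": "WS03", "time": T0 + timedelta(seconds=20),
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "tasklist /svc"},
    {"host": "WS03", "time": T0 + timedelta(seconds=40),
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "wmic process list brief"},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags WS02 for the Office parent and WS03 for three discovery commands inside one minute, while the lone interactive `tasklist` on WS01 stays silent.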
Detects execution of common process enumeration utilities (e.g., ps, top, htop) or access to /proc with suspicious ancestry. Correlates command usage with interactive shell context and user role.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Access (DC0055) | auditd:SYSCALL | openat |
| Process Access (DC0035) | linux:osquery | Process State |

| Field | Description |
|---|---|
| AccessedPath | Filter based on suspicious /proc directory enumeration or high-volume ls/readlink usage |
| UserContext | Helps tune for root vs. low-priv users during interactive vs. scripted activity |
Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or system_profiler SPApplicationsDataType misuse.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process launch |
| Process Metadata (DC0034) | macos:osquery | Process Context |

| Field | Description |
|---|---|
| ParentApp | Tunable to detect discovery from non-UI tools or script-based execution (osascript, zsh, cron) |
Detects process enumeration using esxcli system process list or ps on the ESXi shell or via unauthorized SSH sessions. Correlates with interactive sessions and abnormal user roles.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | interactive shell |
| Process Metadata (DC0034) | esxi:auth | user session |

| Field | Description |
|---|---|
| User | Admins are expected to run these commands; flag if non-admin or unknown users do |
Monitors CLI-based execution of show process or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | CLI command |
| Process Metadata (DC0034) | networkdevice:syslog | Admin activity |

| Field | Description |
|---|---|
| Username | Tunable based on authorized operators for network infrastructure |
| CommandString | Pattern match or regex scope for discovery commands |