tasklist.exe

  • File Path: C:\Windows\SysWOW64\tasklist.exe
  • Description: Lists the current running tasks

Hashes

Type Hash
MD5 0A4448B31CE7F83CB7691A2657F330F1
SHA1 7F50D8C3CF3EC79122A876E969BDB65D939BECD0
SHA256 76EAC7B5F53E0D58A98D5A6DDF9C97E19D1462EF65C0035D7798F89988B15AB4
SHA384 E69EE8E1AABB7173F6CF51F52A82F179D34CCA9686CB87806EACCFED1085EF72E0B6E1EC6863A188AC1DFC4D61BE3EE4
SHA512 5251DDA250FB1283A7A80B885919617C838CDE7C3B4420C6AA9A685141CB38326D679412298C9A49E8EB7B6526910BCE046FDCB458B1B3DC9A786F6450280908
SSDEEP 1536:bAkPj5C4gTCKzlBZ1tlxq4Bh3uecKnf0LdVn6DElgiS1xt8S2f:NCGYt3uQ3uecKnfGdR6IqR1xtf2f
IMP 19BBD9C4E73C288A3645E163F4B82682
PESHA1 443382F5344C42E5D823B05BC8DBA0E18E4E1256
PE256 635F0491E89689F7B3E7416143EF01D12F8B60FE6934ADF2BBB69E051053BD55

Runtime Data

Usage (stdout):


TASKLIST [/S system [/U username [/P [password]]]]
         [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

Description:
    This tool displays a list of currently running processes on
    either a local or remote machine.

Parameter List:
   /S     system           Specifies the remote system to connect to.

   /U     [domain\]user    Specifies the user context under which
                           the command should execute.

   /P     [password]       Specifies the password for the given
                           user context. Prompts for input if omitted.

   /M     [module]         Lists all tasks currently using the given
                           exe/dll name. If the module name is not
                           specified all loaded modules are displayed.

   /SVC                    Displays services hosted in each process.

   /APPS                   Displays Store Apps and their associated processes.

   /V                      Displays verbose task information.

   /FI    filter           Displays a set of tasks that match a
                           given criteria specified by the filter.

   /FO    format           Specifies the output format.
                           Valid values: "TABLE", "LIST", "CSV".

   /NH                     Specifies that the "Column Header" should
                           not be displayed in the output.
                           Valid only for "TABLE" and "CSV" formats.

   /?                      Displays this help message.

Filters:
    Filter Name     Valid Operators           Valid Value(s)
    -----------     ---------------           --------------------------
    STATUS          eq, ne                    RUNNING | SUSPENDED
                                              NOT RESPONDING | UNKNOWN
    IMAGENAME       eq, ne                    Image name
    PID             eq, ne, gt, lt, ge, le    PID value
    SESSION         eq, ne, gt, lt, ge, le    Session number
    SESSIONNAME     eq, ne                    Session name
    CPUTIME         eq, ne, gt, lt, ge, le    CPU time in the format
                                              of hh:mm:ss.
                                              hh - hours,
                                              mm - minutes, ss - seconds
    MEMUSAGE        eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME        eq, ne                    User name in [domain\]user
                                              format
    SERVICES        eq, ne                    Service name
    WINDOWTITLE     eq, ne                    Window title
    MODULES         eq, ne                    DLL name

NOTE: "WINDOWTITLE" and "STATUS" filters are not supported when querying
      a remote machine.

Examples:
    TASKLIST
    TASKLIST /M
    TASKLIST /V /FO CSV
    TASKLIST /SVC /FO LIST
    TASKLIST /APPS /FI "STATUS eq RUNNING"
    TASKLIST /M wbem*
    TASKLIST /S system /FO LIST
    TASKLIST /S system /U domain\username /FO CSV /NH
    TASKLIST /S system /U username /P password /FO TABLE /NH
    TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "TASKLIST /?" for usage.

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\tasklist.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: tasklist.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4/detection

Possible Misuse

The following table contains possible examples of tasklist.exe being misused. While tasklist.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_downloader_v3.yml - '\tasklist.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - tasklist DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml title: Suspicious Tasklist Discovery Command DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml tasklist: DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml - CommandLine\|contains: tasklist DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml - Image: C:\Windows\System32\tasklist.exe DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml condition: tasklist DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\tasklist.exe' DRL 1.0
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n===Windows===\n\nAn example command that would obtain details on processes is \"tasklist\" using the Tasklist utility.\n\n===Mac and Linux===\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Administrator, SYSTEM may provide better process ownership details", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Process Discovery - tasklist [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Process Discovery - tasklist [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md $LSASS = tasklist | findstr “lsass” MIT License. © 2018 Red Canary
atomic-red-team T1007.md <blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are “sc,” “tasklist /svc” using Tasklist, and “net start” using Net, but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1007.md tasklist.exe MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md $p=Tasklist /svc /fi “IMAGENAME eq mstsc.exe” /fo csv | convertfrom-csv MIT License. © 2018 Red Canary
atomic-red-team T1057.md In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1057.md - Atomic Test #2 - Process Discovery - tasklist MIT License. © 2018 Red Canary
atomic-red-team T1057.md ## Atomic Test #2 - Process Discovery - tasklist MIT License. © 2018 Red Canary
atomic-red-team T1057.md Utilize tasklist to identify processes. MIT License. © 2018 Red Canary
atomic-red-team T1057.md Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1057.md tasklist MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i virus MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i cb MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i defender MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i cylance MIT License. © 2018 Red Canary
signature-base apt_fin7.yar $x8 = “\par \tab \tab sh.Run "%comspec% /c tasklist >""" & tpath & """ 2>&1", 0, true” fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $s4 = “cmd.exe /c tasklist “ fullword ascii CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar $s5 = “53595354454D494E464F2026205441534B4C495354” ascii /* hex encoded string ‘SYSTEMINFO & TASKLIST’ */ CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s5 = “tasklist /v” ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s10 = “tasklist /svc” ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar /* tasklist */ CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = “tasklist” CC BY-NC 4.0
signature-base gen_susp_lnk_files.yar $s14 = “&tasklist>” CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = “in (‘tasklist /fi "PID eq %%b" /FO CSV’) do “ ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = “tasklist |find "Clear.bat"||start Clear.bat” fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = “//——- [netstat -an] and [ipconfig] and [tasklist] ————” fullword CC BY-NC 4.0
stockpile 5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml command: tasklist Apache-2.0
stockpile 8adf02e8-6e71-4244-886c-98c402857404.yml name: tasklist Process Enumeration Apache-2.0
stockpile 8adf02e8-6e71-4244-886c-98c402857404.yml tasklist /m >> $env:APPDATA\vmtool.log; Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


tasklist

Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool.

[!NOTE] This command replaces the tlist tool.

Syntax

tasklist [/s <computer> [/u [<domain>\]<username> [/p <password>]]] [{/m <module> | /svc | /v}] [/fo {table | list | csv}] [/nh] [/fi <filter> [/fi <filter> [ ... ]]]

Parameters

Parameter Description
/s <computer> Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u <domain>\<username> Runs the command with the account permissions of the user who is specified by <username> or by <domain>\<username>. The /u parameter can be specified only if /s is also specified. The default is the permissions of the user who is currently logged on to the computer that is issuing the command.
/p <password> Specifies the password of the user account that is specified in the /u parameter.
/m <module> Lists all tasks with DLL modules loaded that match the given pattern name. If the module name is not specified, this option displays all modules loaded by each task.
svc Lists all the service information for each process without truncation. Valid when the /fo parameter is set to table.
/v Displays verbose task information in the output. For complete verbose output without truncation, use /v and /svc together.
/fo {table | list | csv} Specifies the format to use for the output. Valid values are table, list, and csv. The default format for output is table.
/nh Suppresses column headers in the output. Valid when the /fo parameter is set to table or csv.
/fi <filter> Specifies the types of processes to include in or exclude from the query. You can use more than one filter or use the wildcard character (\) to specify all tasks or image names. The valid filters are listed in the Filter names, operators, and values section of this article.
/? Displays help at the command prompt.
Filter names, operators, and values
Filter Name Valid Operators Valid Value(s)
STATUS eq, ne RUNNING | NOT RESPONDING | UNKNOWN. This filter isn’t supported if you specify a remote system.
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUtime eq, ne, gt, lt, ge, le CPU time in the format HH:MM:SS, where MM and SS are between 0 and 59 and HH is any unsigned number
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne Any valid user name (<user> or <domain\user>)
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title. This filter isn’t supported if you specify a remote system.
MODULES eq, ne DLL name

Examples

To list all tasks with a process ID greater than 1000, and display them in csv format, type:

tasklist /v /fi "PID gt 1000" /fo csv

To list the system processes that are currently running, type:

tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"

To list detailed information for all processes that are currently running, type:

tasklist /v /fi "STATUS eq running"

To list all the service information for processes on the remote computer srvmain, which has a DLL name beginning with ntdll, type:

tasklist /s srvmain /svc /fi "MODULES eq ntdll*"

To list the processes on the remote computer srvmain, using the credentials of your currently logged-on user account, type:

tasklist /s srvmain

To list the processes on the remote computer srvmain, using the credentials of the user account Hiropln, type:

tasklist /s srvmain /u maindom\hiropln /p p@ssW23

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.