tasklist.exe
- File Path:
C:\WINDOWS\SysWOW64\tasklist.exe
- Description: Lists the current running tasks
Hashes
Type | Hash |
---|---|
MD5 | 9FE985712F09AB797588776166E11E83 |
SHA1 | B83D926B481DDD5CDEEAEB77A5B9D0F61FFB7270 |
SHA256 | 1CC4CB74FDD5DEECCCD55B39A642E069EE42F0B1EC81BA4CF8B743D2A6A43296 |
SHA384 | C9BC60BD35FBF07051CF2D71F8619CA5CABE5D5DAEFC10D9C4272C759CD2DFE74E932499C248102A57AFBBA981465226 |
SHA512 | 23DE9E3D74FE32B58BD635C89C86AECD42E20004622FACCEBC1D2C87AE1508C43076E642F995C6741C64AABD3E120A6FE2E03B788BBF83D96793139D807886E9 |
SSDEEP | 1536:6AkPTsG4nJq2BUiWfVgumf256ZTlxLcE3nXxLHyntFAO4xM7DJjmaoHp:dG4Jq2AEbTlxLcE3nXVSnzv4xM7DVmag |
IMP | ABB2F0F9C3E7FD0FA45DF23EDFCAD54C |
PESHA1 | 7EE0A4B90C57145EC1AED3F638F39DF5355BA651 |
PE256 | C0DACBEE1C7375ED6CF10EF0586FF14BFB257FA1B97CFEEC5777C71698E9AD48 |
Runtime Data
Usage (stdout):
TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
Description:
This tool displays a list of currently running processes on
either a local or remote machine.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/M [module] Lists all tasks currently using the given
exe/dll name. If the module name is not
specified all loaded modules are displayed.
/SVC Displays services hosted in each process.
/APPS Displays Store Apps and their associated processes.
/V Displays verbose task information.
/FI filter Displays a set of tasks that match a
given criteria specified by the filter.
/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".
/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/? Displays this help message.
Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------------------
STATUS eq, ne RUNNING | SUSPENDED
NOT RESPONDING | UNKNOWN
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name
NOTE: "WINDOWTITLE" and "STATUS" filters are not supported when querying
a remote machine.
Examples:
TASKLIST
TASKLIST /M
TASKLIST /V /FO CSV
TASKLIST /SVC /FO LIST
TASKLIST /APPS /FI "STATUS eq RUNNING"
TASKLIST /M wbem*
TASKLIST /S system /FO LIST
TASKLIST /S system /U domain\username /FO CSV /NH
TASKLIST /S system /U username /P password /FO TABLE /NH
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
Usage (stderr):
ERROR: Invalid argument/option - '--help'.
Type "TASKLIST /?" for usage.
Child Processes:
RdpSa.exe
Loaded Modules:
Path |
---|
C:\WINDOWS\SYSTEM32\ntdll.dll |
C:\WINDOWS\System32\wow64.dll |
C:\WINDOWS\System32\wow64base.dll |
C:\WINDOWS\System32\wow64con.dll |
C:\WINDOWS\System32\wow64cpu.dll |
C:\WINDOWS\System32\wow64win.dll |
C:\WINDOWS\SysWOW64\tasklist.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED
- Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: tasklist.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/1cc4cb74fdd5deecccd55b39a642e069ee42f0b1ec81ba4cf8b743d2a6a43296/detection
Possible Misuse
The following table contains possible examples of tasklist.exe
being misused. While tasklist.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | apt_silence_downloader_v3.yml | - '\tasklist.exe' |
DRL 1.0 |
sigma | proc_creation_win_impacket_lateralization.yml | # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat |
DRL 1.0 |
sigma | proc_creation_win_impacket_lateralization.yml | # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 |
DRL 1.0 |
sigma | proc_creation_win_susp_commands_recon_activity.yml | - tasklist |
DRL 1.0 |
sigma | proc_creation_win_susp_tasklist_command.yml | title: Suspicious Tasklist Discovery Command |
DRL 1.0 |
sigma | proc_creation_win_susp_tasklist_command.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist |
DRL 1.0 |
sigma | proc_creation_win_susp_tasklist_command.yml | tasklist: |
DRL 1.0 |
sigma | proc_creation_win_susp_tasklist_command.yml | - CommandLine\|contains: tasklist |
DRL 1.0 |
sigma | proc_creation_win_susp_tasklist_command.yml | - Image: C:\Windows\System32\tasklist.exe |
DRL 1.0 |
sigma | proc_creation_win_susp_tasklist_command.yml | condition: tasklist |
DRL 1.0 |
sigma | proc_creation_win_webshell_detection.yml | - '\tasklist.exe' |
DRL 1.0 |
malware-ioc | misp-dukes-operation-ghost-event.json | "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.", |
© ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.", |
© ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", |
© ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", |
© ESET 2014-2018 |
malware-ioc | misp-turla-powershell-event.json | "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n===Windows===\n\nAn example command that would obtain details on processes is \"tasklist\" using the Tasklist utility.\n\n===Mac and Linux===\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Administrator, SYSTEM may provide better process ownership details", |
© ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #2: Process Discovery - tasklist [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Process Discovery - tasklist [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.001.md | $LSASS = tasklist | findstr “lsass” | MIT License. © 2018 Red Canary |
atomic-red-team | T1007.md | <blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are “sc,” “tasklist /svc” using Tasklist, and “net start” using Net, but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1007.md | tasklist.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.001.md | $p=Tasklist /svc /fi “IMAGENAME eq mstsc.exe” /fo csv | convertfrom-csv | MIT License. © 2018 Red Canary |
atomic-red-team | T1057.md | In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot . In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.</blockquote> |
MIT License. © 2018 Red Canary |
atomic-red-team | T1057.md | - Atomic Test #2 - Process Discovery - tasklist | MIT License. © 2018 Red Canary |
atomic-red-team | T1057.md | ## Atomic Test #2 - Process Discovery - tasklist | MIT License. © 2018 Red Canary |
atomic-red-team | T1057.md | Utilize tasklist to identify processes. | MIT License. © 2018 Red Canary |
atomic-red-team | T1057.md | Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1057.md | tasklist | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | tasklist.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | tasklist.exe | findstr /i virus | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | tasklist.exe | findstr /i cb | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | tasklist.exe | findstr /i defender | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | tasklist.exe | findstr /i cylance | MIT License. © 2018 Red Canary |
signature-base | apt_fin7.yar | $x8 = “\par \tab \tab sh.Run "%comspec% /c tasklist >""" & tpath & """ 2>&1", 0, true” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_golddragon.yar | $s4 = “cmd.exe /c tasklist “ fullword ascii | CC BY-NC 4.0 |
signature-base | apt_sednit_delphidownloader.yar | $s5 = “53595354454D494E464F2026205441534B4C495354” ascii /* hex encoded string ‘SYSTEMINFO & TASKLIST’ */ | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | $s5 = “tasklist /v” ascii | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | $s10 = “tasklist /svc” ascii | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | /* tasklist */ | CC BY-NC 4.0 |
signature-base | gen_suspicious_strings.yar | $ = “tasklist” | CC BY-NC 4.0 |
signature-base | gen_susp_lnk_files.yar | $s14 = “&tasklist>” | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s1 = “in (‘tasklist /fi "PID eq %%b" /FO CSV’) do “ ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s0 = “tasklist |find "Clear.bat"||start Clear.bat” fullword ascii | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s5 = “//——- [netstat -an] and [ipconfig] and [tasklist] ————” fullword | CC BY-NC 4.0 |
stockpile | 5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml | command: tasklist |
Apache-2.0 |
stockpile | 8adf02e8-6e71-4244-886c-98c402857404.yml | name: tasklist Process Enumeration |
Apache-2.0 |
stockpile | 8adf02e8-6e71-4244-886c-98c402857404.yml | tasklist /m >> $env:APPDATA\vmtool.log; |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
tasklist
Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool.
[!NOTE] This command replaces the tlist tool.
Syntax
tasklist [/s <computer> [/u [<domain>\]<username> [/p <password>]]] [{/m <module> | /svc | /v}] [/fo {table | list | csv}] [/nh] [/fi <filter> [/fi <filter> [ ... ]]]
Parameters
Parameter | Description |
---|---|
/s <computer> |
Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer. |
/u <domain>\<username> |
Runs the command with the account permissions of the user who is specified by <username> or by <domain>\<username> . The /u parameter can be specified only if /s is also specified. The default is the permissions of the user who is currently logged on to the computer that is issuing the command. |
/p <password> |
Specifies the password of the user account that is specified in the /u parameter. |
/m <module> |
Lists all tasks with DLL modules loaded that match the given pattern name. If the module name is not specified, this option displays all modules loaded by each task. |
svc | Lists all the service information for each process without truncation. Valid when the /fo parameter is set to table. |
/v | Displays verbose task information in the output. For complete verbose output without truncation, use /v and /svc together. |
/fo {table | list | csv} |
Specifies the format to use for the output. Valid values are table, list, and csv. The default format for output is table. |
/nh | Suppresses column headers in the output. Valid when the /fo parameter is set to table or csv. |
/fi <filter> |
Specifies the types of processes to include in or exclude from the query. You can use more than one filter or use the wildcard character (\ ) to specify all tasks or image names. The valid filters are listed in the Filter names, operators, and values section of this article. |
/? | Displays help at the command prompt. |
Filter names, operators, and values
Filter Name | Valid Operators | Valid Value(s) |
---|---|---|
STATUS | eq, ne | RUNNING | NOT RESPONDING | UNKNOWN . This filter isn’t supported if you specify a remote system. |
IMAGENAME | eq, ne | Image name |
PID | eq, ne, gt, lt, ge, le | PID value |
SESSION | eq, ne, gt, lt, ge, le | Session number |
SESSIONNAME | eq, ne | Session name |
CPUtime | eq, ne, gt, lt, ge, le | CPU time in the format HH:MM:SS, where MM and SS are between 0 and 59 and HH is any unsigned number |
MEMUSAGE | eq, ne, gt, lt, ge, le | Memory usage in KB |
USERNAME | eq, ne | Any valid user name (<user> or <domain\user> ) |
SERVICES | eq, ne | Service name |
WINDOWTITLE | eq, ne | Window title. This filter isn’t supported if you specify a remote system. |
MODULES | eq, ne | DLL name |
Examples
To list all tasks with a process ID greater than 1000, and display them in csv format, type:
tasklist /v /fi "PID gt 1000" /fo csv
To list the system processes that are currently running, type:
tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"
To list detailed information for all processes that are currently running, type:
tasklist /v /fi "STATUS eq running"
To list all the service information for processes on the remote computer srvmain, which has a DLL name beginning with ntdll, type:
tasklist /s srvmain /svc /fi "MODULES eq ntdll*"
To list the processes on the remote computer srvmain, using the credentials of your currently logged-on user account, type:
tasklist /s srvmain
To list the processes on the remote computer srvmain, using the credentials of the user account Hiropln, type:
tasklist /s srvmain /u maindom\hiropln /p p@ssW23
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.