tasklist.exe

  • File Path: C:\windows\SysWOW64\tasklist.exe
  • Description: Lists the current running tasks

Hashes

  • MD5: C68A9321B783BE9641C6A51C68C01004
  • SHA1: 5578280547AC55E9B35326BCEEA6CB2A98C0B675
  • SHA256: D89AB72AD8A071593BE0F48C5FC0FC40802C1BDEA05E39AEBBF26FABE2FEFECE
  • SHA384: A46B22354CCADA6FE39D33284E29CECEF04C92291180F198FE0F4A7E0841716C14D10DC5A81C7E0911B55A0954924D07
  • SHA512: 0076EC081EA126116843F9957F2C4D18779B5B02E4E7229866E3A6D9D08C5F870084BDEC414543F90E53A84DDF55497C347703CA0E55C3523242269D34E2F8E8
  • SSDEEP: 1536:GAkPUz+1H85YIl+p/OB1HclSgGFxXMQpS4FUFIzxvsIuE:/+1H85YIlC/MHclSgGFooUFIzx0IV

Signature

  • Status: The file C:\windows\SysWOW64\tasklist.exe is not digitally signed.
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: tasklist.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of tasklist.exe being misused. While tasklist.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_downloader_v3.yml - '\tasklist.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 DRL 1.0
sigma proc_creation_win_susp_commands_recon_activity.yml - tasklist DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml title: Suspicious Tasklist Discovery Command DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml tasklist: DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml - CommandLine|contains: tasklist DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml - Image: C:\Windows\System32\tasklist.exe DRL 1.0
sigma proc_creation_win_susp_tasklist_command.yml condition: tasklist DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\tasklist.exe' DRL 1.0
malware-ioc misp-dukes-operation-ghost-event.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n===Windows===\n\nAn example command that would obtain details on processes is \"tasklist\" using the Tasklist utility.\n\n===Mac and Linux===\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Administrator, SYSTEM may provide better process ownership details", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Process Discovery - tasklist [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Process Discovery - tasklist [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md $LSASS = tasklist | findstr "lsass" MIT License. © 2018 Red Canary
atomic-red-team T1007.md <blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are “sc,” “tasklist /svc” using Tasklist, and “net start” using Net, but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1007.md tasklist.exe MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md $p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv MIT License. © 2018 Red Canary
atomic-red-team T1057.md In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1057.md - Atomic Test #2 - Process Discovery - tasklist MIT License. © 2018 Red Canary
atomic-red-team T1057.md ## Atomic Test #2 - Process Discovery - tasklist MIT License. © 2018 Red Canary
atomic-red-team T1057.md Utilize tasklist to identify processes. MIT License. © 2018 Red Canary
atomic-red-team T1057.md Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1057.md tasklist MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i virus MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i cb MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i defender MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md tasklist.exe | findstr /i cylance MIT License. © 2018 Red Canary
signature-base apt_fin7.yar $x8 = "\par \tab \tab sh.Run "%comspec% /c tasklist >""" & tpath & """ 2>&1", 0, true" fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $s4 = "cmd.exe /c tasklist " fullword ascii CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar $s5 = "53595354454D494E464F2026205441534B4C495354" ascii /* hex encoded string 'SYSTEMINFO & TASKLIST' */ CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s5 = "tasklist /v" ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s10 = "tasklist /svc" ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar /* tasklist */ CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $ = "tasklist" CC BY-NC 4.0
signature-base gen_susp_lnk_files.yar $s14 = "&tasklist>" CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "in ('tasklist /fi "PID eq %%b" /FO CSV') do " ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = "tasklist |find "Clear.bat"||start Clear.bat" fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword CC BY-NC 4.0
stockpile 5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml command: tasklist Apache-2.0
stockpile 8adf02e8-6e71-4244-886c-98c402857404.yml name: tasklist Process Enumeration Apache-2.0
stockpile 8adf02e8-6e71-4244-886c-98c402857404.yml tasklist /m >> $env:APPDATA\vmtool.log; Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

tasklist

Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool.

Syntax

tasklist [/s <computer> [/u [<domain>\]<username> [/p <password>]]] [{/m <module> | /svc | /v}] [/fo {table | list | csv}] [/nh] [/fi <filter> [/fi <filter> [ ... ]]]

Parameters

  • /s <computer>: Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
  • /u <domain>\<username>: Runs the command with the account permissions of the user who is specified by <username> or by <domain>\<username>. The /u parameter can be specified only if /s is also specified. The default is the permissions of the user who is currently logged on to the computer that is issuing the command.
  • /p <password>: Specifies the password of the user account that is specified in the /u parameter.
  • /m <module>: Lists all tasks with DLL modules loaded that match the given pattern name. If the module name is not specified, this option displays all modules loaded by each task.
  • /svc: Lists all the service information for each process without truncation. Valid when the /fo parameter is set to table.
  • /v: Displays verbose task information in the output. For complete verbose output without truncation, use /v and /svc together.
  • /fo {table | list | csv}: Specifies the format to use for the output. Valid values are table, list, and csv. The default format for output is table.
  • /nh: Suppresses column headers in the output. Valid when the /fo parameter is set to table or csv.
  • /fi <filter>: Specifies the types of processes to include in or exclude from the query. You can use more than one filter or use the wildcard character (*) to specify all tasks or image names. The valid filters are listed in the Filter names, operators, and values section of this article.
  • /?: Displays help at the command prompt.

Filter names, operators, and values

Each entry gives the filter name, its valid operators in parentheses, and the valid value(s).

  • STATUS (eq, ne): RUNNING | NOT RESPONDING | UNKNOWN. This filter isn't supported if you specify a remote system.
  • IMAGENAME (eq, ne): Image name
  • PID (eq, ne, gt, lt, ge, le): PID value
  • SESSION (eq, ne, gt, lt, ge, le): Session number
  • SESSIONNAME (eq, ne): Session name
  • CPUtime (eq, ne, gt, lt, ge, le): CPU time in the format HH:MM:SS, where MM and SS are between 0 and 59 and HH is any unsigned number
  • MEMUSAGE (eq, ne, gt, lt, ge, le): Memory usage in KB
  • USERNAME (eq, ne): Any valid user name (<user> or <domain\user>)
  • SERVICES (eq, ne): Service name
  • WINDOWTITLE (eq, ne): Window title. This filter isn't supported if you specify a remote system.
  • MODULES (eq, ne): DLL name

Examples

To list all tasks with a process ID greater than 1000, and display them in csv format, type:

tasklist /v /fi "PID gt 1000" /fo csv

To list the system processes that are currently running, type:

tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"

To list detailed information for all processes that are currently running, type:

tasklist /v /fi "STATUS eq running"

To list all the service information for processes on the remote computer srvmain, which has a DLL name beginning with ntdll, type:

tasklist /s srvmain /svc /fi "MODULES eq ntdll*"

To list the processes on the remote computer srvmain, using the credentials of your currently logged-on user account, type:

tasklist /s srvmain

To list the processes on the remote computer srvmain, using the credentials of the user account Hiropln, type:

tasklist /s srvmain /u maindom\hiropln /p p@ssW23
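A small triage helper, added here as an example and not part of Strontic's page or of Microsoft's documentation: it classifies tasklist command lines taken from process-creation logs using the switches documented above and the patterns in the Possible Misuse table, and maps them to the ATT&CK technique IDs that table cites. The log lines are constructed, and the technique mapping is this example's own assumption.

```python
import re

# Security products named in the atomic-red-team T1518.001 tests in the table above.
SECURITY_TERMS = ("virus", "defender", "cylance", "cb")

def classify_tasklist(cmdline: str) -> dict:
    """Describe what a tasklist invocation enumerates; {} if it is not tasklist."""
    m = re.search(r"(?i)\btasklist(?:\.exe)?\b(.*)", cmdline)
    if not m:
        return {}
    args = m.group(1).lower()
    head = args.split("|")[0]                      # tasklist's own switches
    flags = set(re.findall(r"/([a-z?]+)", head))
    techniques = {"T1057"}                         # any run is process discovery
    findings = []
    if "svc" in flags:                             # service discovery (T1007)
        techniques.add("T1007")
        findings.append("service-to-process mapping requested (/svc)")
    if "m" in flags:
        findings.append("loaded DLL modules enumerated (/m)")
    if "s" in flags:
        findings.append("remote host queried (/s)")
        if "p" in flags:
            findings.append("password supplied on the command line (/p)")
    for flt in re.findall(r'/fi\s+"([^"]+)"', head):
        findings.append(f"filter applied: {flt}")
    hit = re.search(r'findstr\s+(?:/i\s+)?"?(\w+)', args)   # piped search term
    if hit and hit.group(1) in SECURITY_TERMS:     # T1518.001 test strings
        techniques.add("T1518.001")
        findings.append(f"searching for security software '{hit.group(1)}'")
    elif hit and hit.group(1) == "lsass":          # T1003.001 staging
        techniques.add("T1003.001")
        findings.append("locating lsass")
    if ">" in args:
        findings.append("output redirected to a file or share")
    return {"techniques": sorted(techniques), "findings": findings}

def scan_log(lines):
    """Return (cmdline, classification) for each line that runs tasklist."""
    hits = ((l, classify_tasklist(l)) for l in lines)
    return [(l, r) for l, r in hits if r]

# Constructed process-creation command lines, modelled on the table above.
SAMPLE_LOG = [
    r"cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1",
    r"tasklist.exe | findstr /i defender",
    r'tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv',
    r"tasklist /s srvmain /u maindom\hiropln /p <password>",
    r"notepad.exe C:\Users\alice\tasks.txt",
]
```

Run `scan_log(SAMPLE_LOG)` to see which lines are flagged and why; the last sample is a benign control that must not match.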

MIT License. Copyright (c) 2020-2021 Strontic.