Loaded Module Enumeration via Tasklist.exe

    Date: 02/07/2025

    Severity: Medium

    Summary

    Detects a binary invoking "tasklist.exe" with its module switch (/M, also accepted as -m) to enumerate which processes have loaded a particular DLL or EXE, here rdpcorets.dll, a Remote Desktop Services library. Attackers use this to find the process identifier (PID) of the process that has loaded the DLL, typically so they can dump that process's memory (for example to recover credentials) or carry out other malicious activity against it. When implementing the logic, note that the switch appears in command lines as either "/M" or "-m" and in either case; a rule that matches only the literal "-m" misses "tasklist /M rdpcorets.dll".

    Indicators of Compromise (IOC) List

    Image

    '\tasklist.exe'

    OriginalFileName

    'tasklist.exe'

    CommandLine (both substrings present)

    '-m' (the tasklist module switch; also spelled '/M')
    'rdpcorets.dll'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourcename in ("Windows Security") AND eventtype = "4688") AND newprocessname = "\tasklist.exe") AND processname = "tasklist.exe" AND commandline like "-m" and commandline like "rdpcorets.dll"

    Detection Query 2

    ((technologygroup = "EDR") AND newprocessname = "\tasklist.exe") AND processname = "tasklist.exe" AND commandline like "-m" and commandline like "rdpcorets.dll"
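    As an added example, not code from the Gurucul page or from the referenced Sigma rule, the following Python evaluates the detection logic above over a handful of constructed process-creation events. Field names follow the page's queries (newprocessname, commandline) plus originalfilename for the OriginalFileName indicator; the events themselves are made up for the example. It accepts both spellings of the module switch, compares case-insensitively as Sigma does, and pulls out the module name passed to tasklist so an analyst can see which DLL the operator was looking for.

```python
"""Added example: tasklist module-enumeration detection over constructed events.
Not the Gurucul page's or the Sigma project's own code; event data is made up."""

# Constructed sample events modelled on Windows Security 4688 fields.
# Field names follow the page's queries; values are invented for this example.
SAMPLE_EVENTS = [
    {"eventtype": "4688", "newprocessname": r"C:\Windows\System32\tasklist.exe",
     "originalfilename": "tasklist.exe",
     "commandline": "tasklist /M rdpcorets.dll"},        # attacker-style, /M spelling
    {"eventtype": "4688", "newprocessname": r"C:\Windows\System32\tasklist.exe",
     "originalfilename": "tasklist.exe",
     "commandline": "tasklist -m RDPCORETS.DLL"},        # -m spelling, upper-case DLL
    {"eventtype": "4688", "newprocessname": r"C:\Windows\SysWOW64\tasklist.exe",
     "originalfilename": "tasklist.exe",
     "commandline": "tasklist /M"},                      # generic module listing, no target DLL
    {"eventtype": "4688", "newprocessname": r"C:\Temp\tl.exe",
     "originalfilename": "tasklist.exe",
     "commandline": "tl.exe /m rdpcorets.dll"},          # renamed copy, caught via OriginalFileName
    {"eventtype": "4688", "newprocessname": r"C:\Windows\System32\cmd.exe",
     "originalfilename": "Cmd.Exe",
     "commandline": "cmd /c echo rdpcorets.dll -m"},     # string coincidence, not tasklist
]


def sigma_style_match(ev):
    """Evaluate the rule the way the Sigma reference expresses it:
    (Image ends with '\\tasklist.exe' OR OriginalFileName == 'tasklist.exe')
    AND CommandLine contains '-m' or '/m'
    AND CommandLine contains 'rdpcorets.dll'.
    Sigma string matching is case-insensitive, so everything is lower-cased first."""
    image = ev.get("newprocessname", "").lower()
    ofn = ev.get("originalfilename", "").lower()
    cmd = ev.get("commandline", "").lower()
    is_tasklist = image.endswith("\\tasklist.exe") or ofn == "tasklist.exe"
    has_module_switch = "-m" in cmd or "/m" in cmd   # substring test, like Sigma 'contains'
    names_rdp_dll = "rdpcorets.dll" in cmd
    return is_tasklist and has_module_switch and names_rdp_dll


def queried_module(cmdline):
    """Return the argument given to /M or -M, or None when tasklist was run
    with the bare switch (which lists every module of every process)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ("/m", "-m") and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def run(events, matcher=sigma_style_match):
    """Indices of the events the matcher fires on."""
    return [i for i, ev in enumerate(events) if matcher(ev)]


def summarize(events):
    """One record per hit: which image ran tasklist and which module it asked about."""
    return [{"index": i,
             "image": events[i]["newprocessname"],
             "module": queried_module(events[i]["commandline"])}
            for i in run(events)]


if __name__ == "__main__":
    for hit in summarize(SAMPLE_EVENTS):
        print(f"[{hit['index']}] {hit['image']} enumerated module {hit['module']}")
```

    The third sample (bare "tasklist /M") does not fire because no target DLL is named; if you want to see broad module listings as well, drop the rdpcorets.dll condition and expect more noise from administrators and inventory scripts.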

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml


    Tags

    SigmaMalwareDLL
