Date: 02/07/2025
Severity: Medium
Summary
Detects a binary enumerating which processes have loaded a particular DLL or EXE via "tasklist.exe" with the module switch (for example "tasklist /m rdpcorets.dll"). Attackers use this to identify the process identifier (PID) of the process hosting that DLL, typically as a precursor to dumping the process's memory or carrying out other malicious activity. The module named in this rule, rdpcorets.dll, is loaded by the svchost.exe instance that hosts Remote Desktop Services (TermService); locating its PID is the first step in dumping that process to recover plaintext RDP credentials.
Indicators of Compromise (IOC) List
Field | Match type | Value
Image | ends with | '\tasklist.exe'
OriginalFileName | equals | 'tasklist.exe'
CommandLine | contains | '-m' (tasklist also accepts the switch as '/m')
CommandLine | contains | 'rdpcorets.dll'

The Image value is a path suffix (it carries no drive or directory), so it must be evaluated as an ends-with match. OriginalFileName is taken from the binary's version resource and survives a rename of tasklist.exe, which is why the reference rule accepts either indicator for the process.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Logic
Detection Query 1 (Windows Security event 4688) | ((resourcename in ("Windows Security") AND eventtype = "4688") AND newprocessname = "\tasklist.exe") AND processname = "tasklist.exe" AND commandline like "-m" and commandline like "rdpcorets.dll"
Detection Query 2 (EDR process telemetry) | ((technologygroup = "EDR") AND newprocessname = "\tasklist.exe") AND processname = "tasklist.exe" AND commandline like "-m" and commandline like "rdpcorets.dll"

Deployment notes: both queries require every condition to hold: the new-process path suffix, the process name, the module switch and the DLL name. Before enabling them, confirm in your Gurucul instance that newprocessname = "\tasklist.exe" is evaluated as a path-suffix match and that like "-m" is a substring match; if either operator is an exact comparison, the condition will never match a full path such as C:\Windows\System32\tasklist.exe. Note also that tasklist accepts the module switch as either -m or /m, so a query that looks only for the literal "-m" will miss invocations written as "tasklist /m rdpcorets.dll"; cover both spellings.
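The following Python is an added worked example, not Gurucul's query engine or the Sigma project's code. It implements the same selection logic as the rule above (process is tasklist.exe by path suffix or OriginalFileName, module switch present in either -m or /m spelling, target DLL named on the command line) and runs it over a handful of constructed process-creation records. The SAMPLE_EVENTS list is made up for illustration, and the "broad" variant is an extension added here: it also catches the equivalent tasklist filter form, /fi "MODULES eq rdpcorets.dll", which the rule as written does not cover.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style fields).
# These are made-up records for illustration, not telemetry from any real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": "tasklist /m rdpcorets.dll"},
    {"Image": r"C:\Windows\System32\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": "tasklist -M RDPCoreTS.dll"},
    # Renamed copy: Image no longer ends with \tasklist.exe, but the PE version
    # resource (OriginalFileName) still says tasklist.exe, so the second selector fires.
    {"Image": r"C:\Users\Public\tl.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": "tl.exe /m rdpcorets.dll"},
    # Same goal reached through the filter syntax instead of the module switch.
    {"Image": r"C:\Windows\System32\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": 'tasklist /fi "MODULES eq rdpcorets.dll"'},
    # Benign: module enumeration of an unrelated DLL.
    {"Image": r"C:\Windows\System32\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": "tasklist /m ntdll.dll"},
    # Benign: no module switch at all.
    {"Image": r"C:\Windows\System32\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": 'tasklist /v /fi "IMAGENAME eq svchost.exe"'},
    # Another tool that merely mentions the DLL name.
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr /i rdpcorets.dll modules.txt"},
]

# "/m" or "-m" as a standalone switch; tasklist accepts either prefix, case-insensitively.
MODULE_SWITCH = re.compile(r"(?:^|\s)[-/]m(?=\s|$)", re.IGNORECASE)
# Filter form: /fi "MODULES eq <dll>" (not covered by the rule on this page).
MODULE_FILTER = re.compile(r'modules\s+eq\s+"?([^\s"]+)', re.IGNORECASE)


def is_tasklist(event: dict) -> bool:
    """Process selector: Image ends with \\tasklist.exe OR OriginalFileName is tasklist.exe."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\tasklist.exe") or original == "tasklist.exe"


def enumerates_module(command_line: str, module: str = "rdpcorets.dll") -> bool:
    """Command-line selector as on this page: module switch present AND DLL name present."""
    return bool(MODULE_SWITCH.search(command_line)) and module.lower() in command_line.lower()


def enumerates_module_broad(command_line: str, module: str = "rdpcorets.dll") -> bool:
    """Extension added here: also catch the equivalent /fi "MODULES eq <dll>" filter."""
    if enumerates_module(command_line, module):
        return True
    m = MODULE_FILTER.search(command_line)
    return m is not None and m.group(1).lower() == module.lower()


def matches_rule(event: dict, module: str = "rdpcorets.dll", broad: bool = False) -> bool:
    """Full rule: tasklist process AND module enumeration of the target DLL."""
    check = enumerates_module_broad if broad else enumerates_module
    return is_tasklist(event) and check(event.get("CommandLine", ""), module)


def run_detection(events, module: str = "rdpcorets.dll", broad: bool = False) -> list:
    """Return the command lines of the events that trigger the rule, in input order."""
    return [e["CommandLine"] for e in events if matches_rule(e, module, broad)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT (rule as written):", hit)
    for hit in run_detection(SAMPLE_EVENTS, broad=True):
        print("ALERT (broad):", hit)
```

Run as written, the rule flags the two direct invocations and the renamed copy but not the /fi form, the unrelated-DLL enumeration, the plain listing, or the findstr invocation; the broad variant adds the /fi form. Keying on the loaded DLL rather than the exact switch spelling is what keeps the logic robust against trivial rewording of the command.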
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml