Process
tasklist.exe
tasklist.exe lists the processes running on a computer, locally or on a remote machine, with options to show the services and DLLs each one hosts. Administrators use it to inspect what is running. Attackers use it to survey a host, especially to spot the antivirus and EDR products they need to evade.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
tasklist.exe enumerates running processes and their PIDs. /svc shows the services hosted in each process, /m lists the DLL modules a process has loaded, and /v adds verbose detail such as the window title and the running user. With /s <host> and credentials it queries a remote machine. The genuine binary lives at C:\Windows\System32\tasklist.exe.
Legitimately, tasklist is run by administrators and scripts to check what is running and which services map to which process. It only reads process state.
Attackers use tasklist to take stock of a host (T1057). A process list tells an attacker what is installed and running, and the next question is usually which defenses are present: checking tasklist output for antivirus and EDR process names is security-software discovery (T1518.001), which informs whether and how they try to disable those defenses.
As with the other discovery commands, a single run is unremarkable. tasklist alongside whoami, systeminfo, and net commands in quick succession, or launched by a process with no reason to inventory the host, is the pattern that matters.
- Image path other than C:\Windows\System32\tasklist.exe (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
- Output filtered for antivirus or EDR process names (med)
- /m enumerating loaded modules across processes (med)
- A remote target, /s <host> (med)
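The indicators above and the quick-succession pattern can be checked over process-creation events. The following is an added example, not part of the original page: the event field names, the parent and security-product name lists, the two-minute window, the three-tool threshold and the sample events are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
SYS = "C:\\Windows\\System32\\"
GENUINE = (SYS + "tasklist.exe").lower()
# Assumed, illustrative lists: tune them to your own environment.
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
AV_NAMES = ("msmpeng", "mssense")
DISCOVERY = {"tasklist.exe", "whoami.exe", "systeminfo.exe", "net.exe"}

def base(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_tasklist(ev):
    """Return [(severity, reason)] for one tasklist process-creation event."""
    if base(ev["image"]) != "tasklist.exe":
        return []
    cmd, tokens = ev["cmd"].lower(), ev["cmd"].lower().split()
    hits = []
    if ev["image"].lower() != GENUINE:
        hits.append(("high", "image path"))
    if base(ev["parent"]) in ODD_PARENTS:
        hits.append(("high", "parent"))
    # The filter may be tasklist's own /fi argument or a pipe in the parent shell's command line.
    if any(n in cmd or n in ev.get("parent_cmd", "").lower() for n in AV_NAMES):
        hits.append(("med", "av filter"))
    for flag, why in (("/m", "modules"), ("/s", "remote target")):
        if flag in tokens:  # exact token match, so /svc does not count as /s
            hits.append(("med", why))
    return hits

def burst_hosts(events, window=timedelta(minutes=2), min_tools=3):
    """Hosts where tasklist ran within `window` of min_tools distinct discovery tools."""
    flagged = set()
    for t in (e for e in events if base(e["image"]) == "tasklist.exe"):
        near = {base(e["image"]) for e in events if e["host"] == t["host"]
                and base(e["image"]) in DISCOVERY and abs(e["time"] - t["time"]) <= window}
        if len(near) >= min_tools:
            flagged.add(t["host"])
    return flagged

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed sample events, not real telemetry
def ev(host, secs, image, cmd, parent, parent_cmd=""):
    return dict(host=host, time=T0 + timedelta(seconds=secs), image=image, cmd=cmd, parent=parent, parent_cmd=parent_cmd)
SAMPLE = [
    ev("ws1", 0, SYS + "whoami.exe", "whoami /all", SYS + "cmd.exe"),
    ev("ws1", 5, SYS + "systeminfo.exe", "systeminfo", SYS + "cmd.exe"),
    ev("ws1", 9, SYS + "tasklist.exe", "tasklist /svc", SYS + "cmd.exe", "cmd /c tasklist /svc | findstr /i MsMpEng"),
    ev("ws2", 0, r"C:\Users\Public\tasklist.exe", "tasklist /m", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ev("srv1", 0, SYS + "tasklist.exe", "tasklist /s fs01 /v", SYS + "cmd.exe"),
]
```

A lone `tasklist /svc` from cmd.exe scores nothing by itself; on ws1 it is the piped filter and the burst with whoami and systeminfo that raise it.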
Telemetry
Not observed.