LoFP LoFP / t1057

t1057

TitleTags
administrators may use the tasklist command to display a list of currently running processes. by itself, it does not indicate malicious activity. after obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes.
administrators or power users may use this command for troubleshooting. filter as needed.
commonly used by administrators for troubleshooting
legitimate powershell scripts
uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
unlikely