Loaded Module Enumeration Via Tasklist.EXE (34275eb8-fa19-436b-b959-3d9ecd53fa1f)
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". Attackers often use this to find the process identifier (PID) of the process that is using the DLL in question, in order to dump the process memory or perform other nefarious actions.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Loaded Module Enumeration Via Tasklist.EXE (34275eb8-fa19-436b-b959-3d9ecd53fa1f) | Sigma-Rules | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1 |