Overview
The Processes command enumerates running processes on the system. By default, it filters out Microsoft-signed processes so that the listing focuses on third-party and custom applications, which are the ones most likely to be of interest. Use the -full flag to enumerate all processes without filtering.
Syntax
This command does not support remote execution for standard enumeration. Use ProcessOwners for remote process listing.
Output
Returns process information:
- Process name and ID (PID)
- Parent process ID (PPID)
- Company name
- Process path
- Command line arguments
- Process owner
- Integrity level
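As an added example (not the command's own code), the following PowerShell collects the fields listed above, except integrity level, and reproduces the default "drop Microsoft-signed images" filter by checking each executable's Authenticode signature; the -Full switch stands in for the command's -full flag. It assumes an elevated session so that the path, command line and owner of other users' processes are readable, and it is useful for building a baseline of non-Microsoft processes on a host during triage.

```powershell
param(
    # Counterpart of the -full flag: keep Microsoft-signed processes as well
    [switch]$Full
)

# Cache one signature verdict per image path; many processes share an executable
$sigCache = @{}

function Test-MicrosoftSigned {
    param([string]$Path)
    # No readable path means the image cannot be proven Microsoft-signed: keep it in the listing
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    if (-not $sigCache.ContainsKey($Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
        $sigCache[$Path] = ($null -ne $sig -and $sig.Status -eq 'Valid' -and
                            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
    return $sigCache[$Path]
}

$results = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    if (-not $Full -and (Test-MicrosoftSigned -Path $p.ExecutablePath)) { continue }

    # GetOwner fails for protected and system processes; record that instead of aborting
    $owner = '<unavailable>'
    try {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
    } catch { }

    # Company name comes from the executable's version resource when the file is readable
    $company = $null
    if ($p.ExecutablePath) {
        $company = (Get-Item -LiteralPath $p.ExecutablePath -ErrorAction SilentlyContinue).VersionInfo.CompanyName
    }

    [pscustomobject]@{
        Name        = $p.Name
        PID         = $p.ProcessId
        PPID        = $p.ParentProcessId
        Company     = $company
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Owner       = $owner
    }
}

$results | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Integrity level is left out because Win32_Process does not expose it; it requires querying each process token, which this script does not do.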
Use Cases
- Red Team
- Blue Team
- Identify security products and monitoring tools
- Find potential injection targets
- Discover admin/developer tools
- Locate high-privileged processes
- Identify processes for credential harvesting
Example Output
Remote Execution
For remote process enumeration, use the ProcessOwners command instead.
Detection Considerations
Low to moderate detection risk: process enumeration is a common activity on most systems.
- API Calls: Uses CreateToolhelp32Snapshot or WMI queries
- EDR Telemetry: May be logged by security products
- Pattern Detection: Rapid enumeration may trigger alerts
Related Commands
- InterestingProcesses - Security and admin tool processes
- Services - Windows services
- LogonSessions - Active logon sessions
- TokenPrivileges - Current token privileges