Medium Risk | Windows | Legitimate | Commonly Abused
tasklist.exe
SYSTEM UTILITY
tasklist.exe - Process List Utility Security Analysis
tasklist.exe displays **running processes** on local or remote systems. Attackers use tasklist for **security software detection**, **process reconnaissance**, and **target identification**. Combined with taskkill.exe, attackers can **terminate security processes**. Repeated tasklist execution indicates reconnaissance.
Risk Summary
MEDIUM priority for SOC triage. tasklist.exe is commonly used for reconnaissance to identify security software and processes to target. Monitor for repeated executions, remote process listing, and correlation with subsequent taskkill commands.
Overview
What is tasklist.exe?
tasklist.exe displays information about running processes.
Core Functions
Process Information:
- List running processes
- Show process details
- Query remote systems
- Filter by criteria
Security Significance
- Reconnaissance Tool: Identify security software
- Target Selection: Find processes to kill
- Environment Profiling: Understand system state
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\tasklist.exe |
| Parent | cmd.exe, powershell.exe |
| User | Any |
| Context | System monitoring |
Legitimate Usage
tasklist
tasklist /v
tasklist /svc
Common Locations
C:\Windows\System32\tasklist.exe
C:\Windows\SysWOW64\tasklist.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Command: tasklist (basic list)
tasklist /svc (show services)
Frequency: Occasional
Context: System monitoring
SUSPICIOUS
Command: tasklist | findstr /i "defender malware antivirus"
tasklist /s RemotePC
Frequency: Repeated rapid execution
Context: After initial access
Before process termination
Abuse Techniques
Attack Techniques
Technique #1: Security Software Discovery (T1518.001)
Find AV/EDR Processes:
tasklist | findstr /i "defender avg avast kaspersky crowdstrike carbon"
Technique #2: Process Reconnaissance (T1057)
Enumerate All Processes:
tasklist /v /fo csv > processes.csv
Technique #3: Remote Process Enumeration (T1057)
tasklist /s TARGET /u admin /p password
Combined with taskkill (T1489)
tasklist | findstr MsMpEng
taskkill /f /im MsMpEng.exe
Detection Guidance
Detection Strategies
Priority #1: Security Software Search
Process = "tasklist.exe" AND
CommandLineChain CONTAINS "findstr" AND
CommandLineChain CONTAINS ["defender", "antivirus", "security"]
→ ALERT: HIGH - AV reconnaissance
Priority #2: Remote Enumeration
Process = "tasklist.exe" AND
CommandLine CONTAINS "/s "
→ ALERT: HIGH - Remote process enumeration
Priority #3: Rapid Repeated Execution
Process = "tasklist.exe" AND
ExecutionCount > 3 within 5 minutes
→ ALERT: MEDIUM - Possible reconnaissance
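The three rules above applied to process-creation records, as an added example (not code from this page or from any vendor). In a pipeline such as `tasklist | findstr ...`, the keywords sit on the sibling findstr.exe or parent cmd.exe command line rather than on tasklist.exe's own, so the "chain" is rebuilt from the parent and siblings. The record fields, the 5-second sibling gap and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

KEYWORDS = ("defender", "antivirus", "security")  # terms from the Priority #1 rule
REMOTE = re.compile(r"(?i)(?:^|\s)/s\s+\S")        # "/s <host>"; does not match /svc
WINDOW, THRESHOLD = timedelta(minutes=5), 3        # Priority #3: > 3 runs in 5 minutes
PIPE_GAP = timedelta(seconds=5)                    # assumed: pipeline siblings start together

def ev(ts, host, ppid, image, cmd, parent_cmd="cmd.exe"):
    """One process-creation record; field names are assumptions, not a vendor schema."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "ppid": ppid,
            "image": image.lower(), "cmd": cmd, "parent_cmd": parent_cmd}

SYS32 = "C:\\Windows\\System32\\"
EVENTS = [  # constructed sample telemetry
    ev("2025-06-01T09:00:00", "HOST-A", 100, SYS32 + "tasklist.exe", "tasklist /svc"),
    ev("2025-06-01T10:00:00", "HOST-B", 200, SYS32 + "tasklist.exe", "tasklist"),
    ev("2025-06-01T10:00:00", "HOST-B", 200, SYS32 + "findstr.exe",
       'findstr /i "defender malware antivirus"'),
    ev("2025-06-01T10:01:00", "HOST-B", 200, SYS32 + "tasklist.exe", "tasklist /s RemotePC"),
    ev("2025-06-01T10:02:00", "HOST-B", 200, SYS32 + "tasklist.exe", "tasklist /v"),
    ev("2025-06-01T10:03:00", "HOST-B", 200, SYS32 + "tasklist.exe", "tasklist"),
]

def detect(events):
    """Return (severity, rule, host, time) alerts for the three priority rules."""
    events = sorted(events, key=lambda e: e["ts"])
    runs = [e for e in events if e["image"].endswith("\\tasklist.exe")]
    alerts = []
    for i, e in enumerate(runs):
        # Chain = own command line, the parent's, and findstr siblings of the same parent.
        siblings = [s["cmd"] for s in events
                    if s["image"].endswith("\\findstr.exe") and s["host"] == e["host"]
                    and s["ppid"] == e["ppid"] and abs(s["ts"] - e["ts"]) <= PIPE_GAP]
        chain = " ".join([e["cmd"], e["parent_cmd"], *siblings]).lower()
        if "findstr" in chain and any(k in chain for k in KEYWORDS):
            alerts.append(("HIGH", "AV reconnaissance", e["host"], e["ts"].isoformat()))
        if REMOTE.search(e["cmd"]):
            alerts.append(("HIGH", "Remote process enumeration", e["host"], e["ts"].isoformat()))
        recent = [r for r in runs[:i + 1]
                  if r["host"] == e["host"] and e["ts"] - r["ts"] <= WINDOW]
        if len(recent) == THRESHOLD + 1:  # alert once, when the count first exceeds 3
            alerts.append(("MEDIUM", "Possible reconnaissance", e["host"], e["ts"].isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The `/s` pattern requires a following host argument, so the legitimate `tasklist /svc` on HOST-A raises nothing.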
Remediation Steps
Protection and Remediation
Defense: Monitor Execution Patterns
Alert on tasklist combined with findstr for security terms.
If Reconnaissance Detected
- Identify the user/process
- Check for subsequent taskkill
- Review for lateral movement
- Assess if security software targeted
- Investigate initial access vector
Investigation Checklist
- Review command line arguments
- Check for security software keywords
- Correlate with taskkill commands
- Review remote enumeration attempts
- Check execution frequency
- Identify parent process chain
- Assess reconnaissance intent
MITRE ATT&CK Techniques
Last verified: January 18, 2026