MITRE ATT&CK® Analytic

AN0095: Analytic 0095

Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin.

Enterprise · AN0095 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Analytic 0095 is a Windows-focused detection analytic for process enumeration behavior: commands or APIs used to list active processes, such as tasklist.exe, Get-Process, or CreateToolhelp32Snapshot. For leaders, the value is not that process listing is always malicious—it is common in administration—but that it can be an early signal of adversary discovery before higher-impact actions. This makes it useful for SOC triage, incident scoping, and validating whether endpoint telemetry can show who enumerated processes, from where, and under what parent process context.

Executive priority

Prioritize this analytic as a control-validation item for Windows endpoint visibility and incident readiness. The business question is whether the organization can distinguish routine administration from suspicious process discovery using parent process lineage, network session context, and remote-origin evidence. This supports faster incident decisions and better audit evidence that discovery-stage activity is monitored, while avoiding overinvestment in alerts that lack context and create SOC noise.

Technical view

SOC and detection teams should validate Windows telemetry for process enumeration via command execution and API-oriented behavior where available. The ATT&CK description specifically points to tasklist.exe, PowerShell Get-Process, and CreateToolhelp32Snapshot-style enumeration, with emphasis on execution context enriched by parent process lineage, network session context, or remote origin. Because no official detection logic is supplied, teams should build or tune detections around contextual combinations rather than simple command-name matching alone.

Likely telemetry

  • Windows process creation events, including command line and executable path
  • Parent-child process lineage for process enumeration tools or scripting hosts
  • PowerShell activity where Get-Process or equivalent process discovery is invoked
  • Endpoint telemetry capable of surfacing API-based process enumeration where available
  • Network session or remote logon context associated with the process execution

Detection direction

  • Validate that process creation logging captures tasklist.exe and PowerShell process-discovery commands with command-line detail.
  • Correlate enumeration activity with parent process lineage to separate expected administrative tooling from unusual launch chains.
  • Use network session context or remote-origin evidence where available, because the analytic explicitly calls out remote context as useful for detection.
  • Tune for false positives from administrators, monitoring tools, software inventory, and troubleshooting workflows that legitimately enumerate processes.
  • Avoid relying only on executable names; API-based enumeration may not appear as tasklist.exe or Get-Process and may require richer endpoint telemetry.

Mitigation priorities

  • First, ensure Windows endpoint logging and EDR telemetry capture process creation, command line, parent process, user, and host context.
  • Next, establish baselines or allowlists for known administrative and monitoring activity that regularly enumerates processes.
  • Then, create triage playbooks that ask whether the activity came from an unusual parent process, user, host, or remote session.
  • Finally, use findings to guide identity, endpoint hardening, and incident response readiness reviews rather than treating every process listing event as inherently malicious.
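
The following is an added worked example, not code from the MITRE ATT&CK object or from Glexia: a small context-aware scorer that applies the detection direction and mitigation priorities above to Windows process-creation records. It does not alert on command names alone; the indicator (tasklist.exe, Get-Process or its alias, or a CreateToolhelp32Snapshot call surfaced by EDR) is only the first layer, and severity rises with unexpected parent lineage and remote-origin logon context, while a local allowlist baseline suppresses known inventory accounts. The event schema (ProcEvent), the baseline sets (EXPECTED_PARENTS, ALLOWLISTED_USERS), the api_calls field and every sample event are constructed assumptions; only the three indicator names come from the page, and the logon-type numbers are the standard Windows values (2 interactive, 3 network, 5 service, 10 remote interactive).

```python
from dataclasses import dataclass
import re

# Command-name layer: the indicators the analytic itself names.
ENUM_IMAGES = {"tasklist.exe"}
ENUM_CMDLINE = re.compile(r"\b(Get-Process|gps)\b", re.IGNORECASE)  # gps = built-in alias
ENUM_APIS = {"CreateToolhelp32Snapshot"}

# Local baseline (assumed, site-specific): parents that normally launch process
# listing in an interactive admin session, and accounts whose job is inventory
# or monitoring. In practice both sets come from your own environment.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
ALLOWLISTED_USERS = {"CORP\\svc_inventory"}

# Windows logon types indicating the session did not start at the console.
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network, 10 = remote interactive (RDP)


@dataclass(frozen=True)
class ProcEvent:
    """Assumed process-creation record (Sysmon EID 1 / Security 4688 style fields)."""
    host: str
    user: str
    image: str
    cmdline: str
    parent_image: str
    logon_type: int
    api_calls: tuple = ()  # assumed EDR-supplied field; empty when that telemetry is absent


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def enumeration_indicator(ev):
    """Return the enumeration indicator that fired, or None for non-enumeration events."""
    if _basename(ev.image) in ENUM_IMAGES:
        return _basename(ev.image)
    m = ENUM_CMDLINE.search(ev.cmdline)
    if m:
        return m.group(1)
    api_hits = ENUM_APIS.intersection(ev.api_calls)
    if api_hits:
        return sorted(api_hits)[0]
    return None


def score_event(ev):
    """Combine the indicator with parent lineage, remote origin and the local baseline."""
    indicator = enumeration_indicator(ev)
    if indicator is None:
        return None
    reasons = [f"process enumeration via {indicator}"]
    if ev.user in ALLOWLISTED_USERS:  # baseline check runs before any scoring
        reasons.append(f"allowlisted account {ev.user}")
        return {"host": ev.host, "user": ev.user, "severity": "suppressed", "reasons": reasons}
    score = 1  # the indicator alone is a weak signal
    parent = _basename(ev.parent_image)
    if parent not in EXPECTED_PARENTS:
        score += 2
        reasons.append(f"unexpected parent {parent}")
    if ev.logon_type in REMOTE_LOGON_TYPES:
        score += 2
        reasons.append(f"remote origin (logon type {ev.logon_type})")
    severity = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"host": ev.host, "user": ev.user, "severity": severity, "reasons": reasons}


def triage(events):
    """One finding per enumeration event, in input order; other events are dropped."""
    findings = []
    for ev in events:
        finding = score_event(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry covering the cases the page describes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1. Admin at the console: expected parent, interactive logon -> low.
    ProcEvent("ws01", "CORP\\jdoe", r"C:\Windows\System32\tasklist.exe",
              "tasklist.exe /v", r"C:\Windows\System32\cmd.exe", 2),
    # 2. Inventory service account running Get-Process over a network logon -> suppressed.
    ProcEvent("ws01", "CORP\\svc_inventory", PS,
              "powershell.exe -NoProfile -Command Get-Process | Export-Csv inv.csv",
              r"C:\Program Files\Inventory\agent.exe", 3),
    # 3. Unrelated event with no enumeration indicator -> no finding.
    ProcEvent("ws02", "CORP\\asmith", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt", r"C:\Windows\explorer.exe", 2),
    # 4. The gps alias launched by a document handler -> medium (unexpected parent).
    ProcEvent("ws02", "CORP\\asmith", PS, "powershell.exe -Command gps",
              r"C:\Program Files\Office\winword.exe", 2),
    # 5. Get-Process inside a WinRM host process on a network logon -> high.
    ProcEvent("srv01", "CORP\\jdoe", PS, "powershell.exe -Command Get-Process",
              r"C:\Windows\System32\wsmprovhost.exe", 3),
    # 6. API-based enumeration with no tasklist/Get-Process name; only EDR sees it -> medium.
    ProcEvent("srv01", "NT AUTHORITY\\SYSTEM", r"C:\Temp\updater.exe", "updater.exe",
              r"C:\Windows\System32\services.exe", 5, api_calls=("CreateToolhelp32Snapshot",)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:10} {f['host']:6} {f['user']:22} {'; '.join(f['reasons'])}")
```

Event 6 is the case the last detection bullet warns about: nothing in the image name or command line matches, so without an EDR-supplied API field it would produce no finding at all. Event 2 shows why the baseline check runs first: the same Get-Process command from the same unexpected parent would otherwise score as medium.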

Analyst notes and limits

This object is a detection analytic, not a technique entry. It provides a behavior description but no official detection logic, tactics, relationships, or linked techniques in the supplied data. The strongest use is as a validation prompt for Windows discovery telemetry and SOC enrichment quality.

The supplied ATT&CK fields only support Windows platform coverage and the described process-enumeration examples. No relationships, official detection text, adversary usage, impact claims, or active exploitation evidence were supplied. Local environment baselines are required to determine alert severity and reduce false positives.

Official MITRE ATT&CK definition

Analytic 0095

Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b524ea464037ad4e...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | b524ea464037…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0095 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.