Event ID 10

A process opens another process
Source:
Microsoft-Windows-Sysmon
Category:
Process accessed (rule: ProcessAccess)
Process accessed:
    RuleName: %1!s!
    UtcTime: %2!s!
    SourceProcessGUID: %3!s!
    SourceProcessId: %4!s!
    SourceThreadId: %5!s!
    SourceImage: %6!s!
    TargetProcessGUID: %7!s!
    TargetProcessId: %8!s!
    TargetImage: %9!s!
    GrantedAccess: %10!s!
    CallTrace: %11!s!
    SourceUser: %12!s!
    TargetUser: %13!s!


The process accessed event reports when a process opens another process, an operation that is often followed by information queries or by reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes such as the Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. GrantedAccess is the access mask on the resulting handle (a bitwise OR of PROCESS_* rights such as PROCESS_VM_READ) and CallTrace lists the stack frames of the opening thread; together they distinguish a memory read from a routine status query. Enabling this event can generate significant amounts of logging if diagnostic utilities are active that repeatedly open processes to query their state, so it should generally be enabled only with filters that remove expected accesses.

Auditing:     Conditional

Generally recommended. Filter out known, expected source processes in the Sysmon configuration file, especially on domain controllers, where the volume of this event is higher.
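The filtering the notes above call for is normally expressed in the Sysmon configuration (a ProcessAccess rule that includes Lsass.exe as the TargetImage and excludes known source images), but it helps to see the same logic written out against actual records. The Python script below is an added example, not part of Sysmon or its documentation: it parses Event ID 10 records in the XML shape the Windows event log exposes, decodes GrantedAccess into the PROCESS_* rights it is built from, and flags LSASS opens that carry memory-access rights from a source image outside a baseline, or whose CallTrace contains an UNKNOWN frame (code not backed by a module on disk). The baseline set, the sample records and the tool path in them are constructed for illustration and are not from the original page.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for suspicious opens of LSASS.
Added example; the baseline and sample records below are constructed, not real data."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h; GrantedAccess is the bitwise OR of these.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that read or tamper with the target's memory; a credential dumper needs at
# least PROCESS_VM_READ, while a pure status query (0x1000, 0x1400) has none of these.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Assumed baseline of images that routinely open LSASS; hypothetical, tune per environment.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into named rights; unrecognised bits stay as hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_event(xml_text: str) -> dict[str, str]:
    """Return the EventData fields of one Sysmon Event ID 10 record as a dict."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=EVT_NS)
    if event_id != "10":
        raise ValueError(f"expected EventID 10, got {event_id}")
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", EVT_NS)}


@dataclass
class Finding:
    source_image: str
    granted_access: int
    rights: list[str]
    reasons: list[str]


def triage(event: dict[str, str]) -> Finding | None:
    """Flag an LSASS open that carries memory rights and looks out of the ordinary."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None  # this rule only looks at LSASS as the target
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if not mask & MEMORY_RIGHTS:
        return None  # query-only handles are the bulk of the volume; drop them
    source = event.get("SourceImage", "").lower()
    reasons = []
    if source not in EXPECTED_SOURCES:
        reasons.append("source image not in baseline")
    # Sysmon writes UNKNOWN(<address>) for stack frames not backed by a module on disk.
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("call trace contains unbacked code")
    if not reasons:
        return None
    return Finding(source, mask, decode_access(mask), reasons)


def sample_event(source: str, target: str, access: str, call_trace: str) -> str:
    """Build a constructed Event ID 10 record in the XML shape the event log exposes."""
    data = {"RuleName": "-", "UtcTime": "2024-03-01 10:15:42.123",
            "SourceProcessGUID": "{00000000-0000-0000-0000-000000000001}", "SourceProcessId": "4242",
            "SourceThreadId": "4300", "SourceImage": source,
            "TargetProcessGUID": "{00000000-0000-0000-0000-000000000002}", "TargetProcessId": "712",
            "TargetImage": target, "GrantedAccess": access, "CallTrace": call_trace,
            "SourceUser": "CORP\\alice", "TargetUser": "NT AUTHORITY\\SYSTEM"}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>10</EventID></System><EventData>{fields}</EventData></Event>")


NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Windows\System32\KERNELBASE.dll+2ba5c"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed records
    # Routine status query by a service host: no memory rights, never a finding.
    sample_event(r"C:\Windows\System32\svchost.exe", LSASS, "0x1000", NTDLL),
    # Tool run from a user profile reading LSASS memory, with an unbacked frame.
    sample_event(r"C:\Users\alice\Downloads\dump.exe", LSASS, "0x1010", NTDLL + "|UNKNOWN(00007FF6A2B11234)"),
    # Full access to some other process: outside this rule's scope.
    sample_event(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\notepad.exe", "0x1fffff", NTDLL),
]


def run(events: list[str] = SAMPLE_EVENTS) -> list[Finding]:
    """Parse and triage each record, returning only the findings."""
    return [f for f in (triage(parse_event(e)) for e in events) if f is not None]


if __name__ == "__main__":
    for f in run():
        print(f"{f.source_image} opened lsass.exe with 0x{f.granted_access:x} {f.rights}: {'; '.join(f.reasons)}")
```

Run as-is it reports only the second sample record. To apply it to a real host, export records with PowerShell (`Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` and `.ToXml()` on each record) and feed them to `run`. The baseline and the choice of rights are a starting point for tuning, not a rule to deploy unchanged: legitimate tools such as debuggers and some security agents also request PROCESS_VM_READ on LSASS, and domain controllers will need a larger baseline.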


Volume:     Low to Medium

This event has a higher volume on domain controllers.



