Event ID 10
A process opens another process

Process accessed: RuleName: %1!s! UtcTime: %2!s! SourceProcessGUID: %3!s! SourceProcessId: %4!s! SourceThreadId: %5!s! SourceImage: %6!s! TargetProcessGUID: %7!s! TargetProcessId: %8!s! TargetImage: %9!s! GrantedAccess: %10!s! CallTrace: %11!s! SourceUser: %12!s! TargetUser: %13!s!
The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it should generally be enabled only with filters that remove expected accesses.
Filtering for known processes in the Sysmon configuration file is generally recommended, especially on domain controllers.
This event has a higher volume on domain controllers.
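The detection and filtering points above, as an added example that is not part of the Sysmon documentation: it parses Event ID 10 records in the Windows Event Log XML layout, keeps only opens of lsass.exe whose GrantedAccess mask carries memory-read or memory-write rights, and drops sources on an allowlist of expected accessors. The sample records and the allowlist entry are constructed for illustration; a real allowlist is built from your own baseline and, as the text recommends, belongs in the Sysmon configuration as ProcessAccess exclusions so those events are never written at all.

```python
import xml.etree.ElementTree as ET

# Windows Event Log XML namespace used by Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access-right bits from the Windows SDK (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed allowlist of source images that legitimately open lsass.exe on this
# host (illustrative; derive the real list from your environment's baseline).
EXPECTED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}


def make_event(event_id, source, target, granted_access):
    """Build a constructed Sysmon event in Windows Event Log XML layout."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 00:00:00.000</Data>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{granted_access}</Data>
  </EventData>
</Event>"""


# Constructed sample records: an allowlisted AV engine opening lsass, an
# unknown binary opening lsass with read rights, a query-only handle on
# lsass, and an unrelated event type.
SAMPLE_EVENTS = [
    make_event(10, r"C:\Program Files\Windows Defender\MsMpEng.exe",
               r"C:\Windows\system32\lsass.exe", "0x1410"),
    make_event(10, r"C:\Users\alice\Downloads\tool.exe",
               r"C:\Windows\system32\lsass.exe", "0x1010"),
    make_event(10, r"C:\Windows\system32\taskmgr.exe",
               r"C:\Windows\system32\lsass.exe", "0x1000"),
    make_event(1, r"C:\Windows\explorer.exe",
               r"C:\Windows\system32\notepad.exe", "0x1fffff"),
]


def parse_event(xml_text):
    """Return a dict of EventData fields plus the numeric EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def is_suspicious_lsass_access(ev):
    """True when a non-allowlisted process opens lsass.exe with VM read/write rights."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in EXPECTED_SOURCES:
        return False  # expected accessor: this is what config-level filtering removes
    granted = int(ev.get("GrantedAccess", "0"), 16)  # hex string, e.g. "0x1010"
    return bool(granted & (PROCESS_VM_READ | PROCESS_VM_WRITE))


def triage(xml_records):
    """Return (SourceImage, GrantedAccess) for every record worth an alert."""
    return [(ev["SourceImage"], ev["GrantedAccess"])
            for ev in map(parse_event, xml_records)
            if is_suspicious_lsass_access(ev)]


if __name__ == "__main__":
    for source, access in triage(SAMPLE_EVENTS):
        print(f"ALERT lsass.exe opened by {source} with GrantedAccess={access}")
```

Only the second record is reported: the first is on the allowlist, the third holds only PROCESS_QUERY_LIMITED_INFORMATION (0x1000), which many diagnostic tools request and which carries no memory-read right, and the fourth is not a process access event. The mask check is what keeps this from drowning in the noise the text warns about; widen the allowlist rather than the mask when legitimate tooling trips it.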