detection.wiki

Defender-DeviceProcessEvents

4 events across 4 channels

Event IDTitleChannel
9001000Process activity (any)DeviceProcessEvents
9001001Process createdProcessCreated
9001002Process opened (OpenProcess API call)OpenProcessApiCall
9001003Process primary token modifiedProcessPrimaryTokenModified

Event ID 9001000 — Process activity (any)

#
Provider
Defender-DeviceProcessEvents
Channel
DeviceProcessEvents

Description

Process activity (any)

Fields #

NameDescription
DeviceId
DeviceName
Timestamp
ActionType
FileName
FolderPath
SHA1
SHA256
MD5
ProcessId
ProcessCommandLine
AccountName
AccountDomain
InitiatingProcessFileName
InitiatingProcessFolderPath
InitiatingProcessSHA256
InitiatingProcessCommandLine
InitiatingProcessAccountName
InitiatingProcessAccountDomain
InitiatingProcessParentFileName

Detection Patterns #

Defender-DeviceProcessEvents Event ID 9001000: Process activityORSecurity-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation
26 rules

Kusto Query Language

Suspicious parentprocess relationship - Office child processes. (source)
Exchange Worker Process Making Remote Call (source)
Microsoft Security Community
Java Executing cmd to run Powershell (source)
Show 23 more (26 total)
Doppelpaymer Stop Services (source)
Detect Suspicious Commands Initiated by Webserver Processes (source)
Office Apps Launching Wscipt (source)
Qakbot Discovery Activies (source)
Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 (source)
Ingress Tool Transfer - Certutil (source)
Qakbot Campaign Self Deletion (source)
Clearing of forensic evidence from event logs using wevtutil (source)
Trusted Developer Utilities Proxy Execution (source)
Disable or Modify Windows Defender (source)
Disabling Security Services via Registry (source)
Stopping multiple processes using taskkill (source)
Dev-0228 File Path Hashes November 2021 (source)
Microsoft Security Research
DopplePaymer Procdump (source)
LSASS Credential Dumping with Procdump (source)
LaZagne Credential Theft (source)
Probable AdFind Recon Tool Usage (source)
Oracle suspicious command execution (source)
Bitsadmin Activity (source)
Detecting UAC bypass - elevated COM interface (source)
Detecting UAC bypass - modify Windows Store settings (source)
Detecting UAC bypass - ChangePK and SLUI registry tampering (source)
Shadow Copy Deletions (source)

Detection Rules #

View all rules referencing this event →

Kusto Query Language # view in reference

  • SUNBURST suspicious SolarWinds child processes source medium: Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f

References #

Event ID 9001001 — Process created

Provider
Defender-DeviceProcessEvents
Channel
ProcessCreated

Description

Process created

Fields #

NameDescription
DeviceId
Timestamp
FileName
FolderPath
SHA256
ProcessCommandLine
AccountName
InitiatingProcessFileName
InitiatingProcessCommandLine

References #

Event ID 9001002 — Process opened (OpenProcess API call)

Provider
Defender-DeviceProcessEvents
Channel
OpenProcessApiCall

Description

Process opened (OpenProcess API call) — Sysmon-10 is ProcessAccess; Defender's OpenProcessApiCall is the closest equivalent.

Fields #

NameDescription
DeviceId
Timestamp
FileName
ProcessId
InitiatingProcessFileName
InitiatingProcessCommandLine

References #

Event ID 9001003 — Process primary token modified

Provider
Defender-DeviceProcessEvents
Channel
ProcessPrimaryTokenModified

Description

Process primary token modified — No clean Windows-native equivalent.

Fields #

NameDescription
DeviceId
Timestamp
ProcessId
AccountName
InitiatingProcessFileName

References #