Event 9001000: Process activity (any) — Defender-DeviceProcessEvents

Description

Process activity (any)

Fields #

Name	Description
`DeviceId`	—
`DeviceName`	—
`Timestamp`	—
`ActionType`	—
`FileName`	—
`FolderPath`	—
`SHA1`	—
`SHA256`	—
`MD5`	—
`ProcessId`	—
`ProcessCommandLine`	—
`AccountName`	—
`AccountDomain`	—
`InitiatingProcessFileName`	—
`InitiatingProcessFolderPath`	—
`InitiatingProcessSHA256`	—
`InitiatingProcessCommandLine`	—
`InitiatingProcessAccountName`	—
`InitiatingProcessAccountDomain`	—
`InitiatingProcessParentFileName`	—

Detection Patterns #

Defender-DeviceProcessEvents Event ID 9001000: Process activityORSecurity-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation

26 rules

Kusto Query Language

Suspicious parentprocess relationship - Office child processes. (source)

Exchange Worker Process Making Remote Call (source)

Microsoft Security Community

Java Executing cmd to run Powershell (source)

Show 23 more (26 total)

Doppelpaymer Stop Services (source)

Detect Suspicious Commands Initiated by Webserver Processes (source)

Office Apps Launching Wscipt (source)

Qakbot Discovery Activies (source)

Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 (source)

Ingress Tool Transfer - Certutil (source)

Qakbot Campaign Self Deletion (source)

Clearing of forensic evidence from event logs using wevtutil (source)

Trusted Developer Utilities Proxy Execution (source)

Disable or Modify Windows Defender (source)

Disabling Security Services via Registry (source)

Stopping multiple processes using taskkill (source)

Dev-0228 File Path Hashes November 2021 (source)

Microsoft Security Research

DopplePaymer Procdump (source)

LSASS Credential Dumping with Procdump (source)

LaZagne Credential Theft (source)

Probable AdFind Recon Tool Usage (source)

Oracle suspicious command execution (source)

Bitsadmin Activity (source)

Detecting UAC bypass - elevated COM interface (source)

Detecting UAC bypass - modify Windows Store settings (source)

Detecting UAC bypass - ChangePK and SLUI registry tampering (source)

Shadow Copy Deletions (source)

Defender-DeviceProcessEvents Event ID 9001000: Process activityANDSecurity-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 1: Process creation

14 rules

Defender-DeviceProcessEvents Event ID 9001000: Process activity→Security-Auditing Event ID 4688: A new process has been created.→Sysmon Event ID 1: Process creation

7 rules

Kusto Query Language

Dev-0228 File Path Hashes November 2021 (source)

Microsoft Security Research

Potential Build Process Compromise - MDE (source)

Match Legitimate Name or Location - 2 (source)

Show 4 more (7 total)

Regsvr32 Rundll32 with Anomalous Parent Process (source)

DopplePaymer Procdump (source)

LSASS Credential Dumping with Procdump (source)

LaZagne Credential Theft (source)

Detection Rules #

View all rules referencing this event →

Kusto Query Language # view in reference

SUNBURST suspicious SolarWinds child processes source medium: Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table

Event ID 9001000 — Process activity (any)

Description

Fields #

Detection Patterns #

Kusto Query Language

Kusto Query Language

Kusto Query Language

Detection Rules #

Kusto Query Language # view in reference

References #

Keyboard Shortcuts