Microsoft-Windows-ProcessExitMonitor
4 events across 2 channels
| Event ID | Title | Channel |
|---|---|---|
| 3000 | The process 'param1' exited with exit code param2. | Application |
| 3001 | The process 'param1' was terminated by the process 'param2' with termination … | Application |
| 1073744824 | The process 'param1' exited with exit code param2. | Operational |
| 1073744825 | The process 'param1' was terminated by the process 'param2' with termination … | Operational |
Event ID 3000 — The process 'param1' exited with exit code param2.
Description
The process 'param1' exited with exit code param2. The creation time for the exiting process was 0xparam3.
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| ExitingProcessId | UnicodeString | — |
Detection Rules
Splunk
- Windows Event Triggered Image File Execution Options Injection source: The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.
Event ID 3001 — The process 'param1' was terminated by the process 'param2' with termination code param3.
Description
The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
| ExitingProcessId | UnicodeString | — |
| InitiatingProcessId | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-ProcessExitMonitor",
    "guid": "{FD771D53-8492-4057-8E35-8C02813AF49B}",
    "event_source_name": "Process Exit Monitor",
    "event_id": 3001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2021-06-09T04:58:49.287418Z",
    "event_record_id": 32887,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-21-3461203602-4096304019-2269080069-1000"
    }
  },
  "event_data": {
    "param1": "C:\\Windows\\System32\\lsass.exe",
    "param2": "C:\\Users\\IEUser\\Desktop\\LsassSilentProcessExit.exe",
    "param3": "0",
    "param4": "01d75d3714c3280e"
  }
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1073744824 — The process 'param1' exited with exit code param2.
Description
The process 'param1' exited with exit code param2. The creation time for the exiting process was 0xparam3.
Fields
| Name | Type | Description (message template fragment preceding the parameter) |
|---|---|---|
| param1 | UnicodeString | The process ' |
| param2 | UnicodeString | ' exited with exit code |
| param3 | UnicodeString | . The creation time for the exiting process was 0x |
| ExitingProcessId | UnicodeString | — |
Event ID 1073744825 — The process 'param1' was terminated by the process 'param2' with termination code param3.
Description
The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.
Fields
| Name | Type | Description (message template fragment preceding the parameter) |
|---|---|---|
| param1 | UnicodeString | The process ' |
| param2 | UnicodeString | ' was terminated by the process ' |
| param3 | UnicodeString | ' with termination code |
| param4 | UnicodeString | . The creation time for the exiting process was 0x |
| ExitingProcessId | UnicodeString | — |
| InitiatingProcessId | UnicodeString | — |