
Event ID 3001 — The process 'param1' was terminated by the process 'param2' with termination code param3.

Provider
Microsoft-Windows-ProcessExitMonitor
Channel
Application
Level
Informational

Description

The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.

Message

The process '%1' was terminated by the process '%2' with termination code %3. The creation time for the exiting process was 0x%4.

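Fields

Name | Type | Description
param1 | UnicodeString | The process that was terminated (%1 in the message). The example event carries a full image path.
param2 | UnicodeString | The process that initiated the termination (%2 in the message). The example event carries a full image path.
param3 | UnicodeString | The termination code (%3 in the message), logged as a string.
param4 | UnicodeString | Creation time of the exiting process (%4 in the message), a hexadecimal string without the 0x prefix. It looks like a Windows FILETIME value; confirm this before converting it.
ExitingProcessId | UnicodeString | Not referenced by the message template and absent from the example event below. Presumably the PID of the exiting process.
InitiatingProcessId | UnicodeString | Not referenced by the message template and absent from the example event below. Presumably the PID of the initiating process.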

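Example Event

In this sample the exiting process (param1) is lsass.exe and the initiating process (param2) is an executable run from a user's Desktop. Because lsass.exe holds credential material, an Event 3001 that names it as the exiting process is worth alerting on. Correlate it with the account in system.security.user_id, the image path in param2, and any process-dump files written around time_created. Note that system.execution.process_id and thread_id are 0 here, so the processes involved have to be identified from event_data rather than from the system block.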

{
  "system": {
    "provider": "Microsoft-Windows-ProcessExitMonitor",
    "guid": "{FD771D53-8492-4057-8E35-8C02813AF49B}",
    "event_source_name": "Process Exit Monitor",
    "event_id": 3001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2021-06-09T04:58:49.287418Z",
    "event_record_id": 32887,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-21-3461203602-4096304019-2269080069-1000"
    }
  },
  "event_data": {
    "param1": "C:\\Windows\\System32\\lsass.exe",
    "param2": "C:\\Users\\IEUser\\Desktop\\LsassSilentProcessExit.exe",
    "param3": "0",
    "param4": "01d75d3714c3280e"
  }
}

References