Event ID 1 — Process creation
Description
The process creation event provides extended information about a newly created process.
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that got spawned/created (child) |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the created process (child) |
| Image | UnicodeString → string | File path of the process being spawned/created. Considered also the child or source process |
| FileVersion | UnicodeString → string | Version of the image associated with the main process (child) |
| Description | UnicodeString → string | Description of the image associated with the main process (child) |
| Product | UnicodeString → string | Product name the image associated with the main process (child) belongs to |
| Company | UnicodeString → string | Company name the image associated with the main process (child) belongs to |
| OriginalFileName | UnicodeString → string | Original file name from the PE header, useful for detecting renamed executables |
| CommandLine | UnicodeString → string | Arguments which were passed to the executable associated with the main process |
| CurrentDirectory | UnicodeString → string | The path without the name of the image associated with the process |
| User | UnicodeString → string | Name of the account who created the process (child). It usually contains domain name and user name (parsed to show only username without the domain) |
| LogonGuid | GUID → GUID | Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events) |
| LogonId | HexInt64 → HexInt64 | Logon ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID |
| TerminalSessionId | UInt32 → unsignedInt | ID of the session the user belongs to |
| IntegrityLevel | UnicodeString → string | Integrity label assigned to a process |
| Hashes | UnicodeString → string | Hashes captured by Sysmon driver |
| ParentProcessGuid | GUID → GUID | Process GUID of the parent process that spawned/created this process |
| ParentProcessId | UInt32 → PID | Process ID of the process that spawned/created the main process (child) |
| ParentImage | UnicodeString → string | File path that spawned/created the main process |
| ParentCommandLine | UnicodeString → string | Arguments which were passed to the executable associated with the parent process |
| ParentUser | UnicodeString → string | Name of the account who created the process that spawned/created the main process (child) |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 1,
    "version": 5,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:12.512502+00:00",
    "event_record_id": 1438276,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:04:12.487",
    "ProcessGuid": "E56ADA26-499C-6548-2D0B-000000000D00",
    "ProcessId": 19696,
    "Image": "C:\\Windows\\System32\\dllhost.exe",
    "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
    "Description": "COM Surrogate",
    "Product": "Microsoft® Windows® Operating System",
    "Company": "Microsoft Corporation",
    "OriginalFileName": "dllhost.exe",
    "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",
    "CurrentDirectory": "C:\\Windows\\system32\\",
    "User": "WINDEV2310EVAL\\User",
    "LogonGuid": "E56ADA26-17F4-6548-C677-020000000000",
    "LogonId": "0x277c6",
    "TerminalSessionId": 1,
    "IntegrityLevel": "High",
    "Hashes": "SHA1=C521025C55687C1F29B1F3A3C69B3D152CE84981,MD5=144FA51A15E98D84D28EEAB815BC9A8B,SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6,IMPHASH=FBDAC0471446783AD621D3CAB6033559",
    "ParentProcessGuid": "E56ADA26-17EE-6548-0D00-000000000D00",
    "ParentProcessId": 920,
    "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "ParentUser": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
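The example below is added here and is not part of this reference page: it consumes the `event_data` block of the event above and applies two of the checks the field table hints at, splitting `Hashes` into per-algorithm values and comparing `OriginalFileName` with the on-disk image name to spot renamed binaries, plus the System-integrity-without-System-parent check used by one of the Splunk rules listed further down. The second event (`CONSTRUCTED_SUSPICIOUS`) is a constructed sample, not a real observation.

```python
import ntpath

# Constructed sample: the event_data block of the Example Event above,
# trimmed to the fields these checks use.
SAMPLE_EVENT_DATA = {
    "Image": "C:\\Windows\\System32\\dllhost.exe",
    "OriginalFileName": "dllhost.exe",
    "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",
    "User": "WINDEV2310EVAL\\User",
    "IntegrityLevel": "High",
    "Hashes": "SHA1=C521025C55687C1F29B1F3A3C69B3D152CE84981,"
              "MD5=144FA51A15E98D84D28EEAB815BC9A8B,"
              "SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6,"
              "IMPHASH=FBDAC0471446783AD621D3CAB6033559",
    "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    "ParentUser": "NT AUTHORITY\\SYSTEM",
}

# Constructed (hypothetical) event that should trip both checks: a binary whose
# PE header says PowerShell, running at System integrity from a user's parent.
CONSTRUCTED_SUSPICIOUS = dict(
    SAMPLE_EVENT_DATA,
    Image="C:\\Users\\Public\\updater.exe",
    OriginalFileName="PowerShell.EXE",
    IntegrityLevel="System",
    ParentUser="WINDEV2310EVAL\\User",
)

# Sysmon writes "-" into a field it could not populate (see RuleName above).
MISSING = {"-", "", "?"}

SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


def parse_hashes(hashes: str) -> dict:
    """Split the Hashes field ("ALG=HEX,ALG=HEX,...") into {ALG: HEX}."""
    result = {}
    if hashes in MISSING:
        return result
    for item in hashes.split(","):
        alg, sep, value = item.partition("=")
        if sep:  # skip malformed fragments without an '='
            result[alg.strip().upper()] = value.strip().upper()
    return result


def is_renamed_binary(event_data: dict) -> bool:
    """True when the on-disk file name differs from the PE header's OriginalFileName.

    Comparison is case-insensitive; a missing OriginalFileName (unsigned or
    non-PE images) yields False because there is nothing to compare against.
    Expect a small allow-list in production: some vendors ship copies under
    names that legitimately differ from the header.
    """
    original = event_data.get("OriginalFileName", "-")
    image = event_data.get("Image", "-")
    if original in MISSING or image in MISSING:
        return False
    return ntpath.basename(image).lower() != original.lower()


def system_integrity_without_system_parent(event_data: dict) -> bool:
    """Child runs at System integrity although its parent ran as a non-service account."""
    if event_data.get("IntegrityLevel") != "System":
        return False
    parent_user = event_data.get("ParentUser", "-")
    if parent_user in MISSING:
        return False  # ParentUser is only present in newer Sysmon schema versions
    return parent_user.upper() not in SYSTEM_ACCOUNTS


def triage(event_data: dict) -> list:
    """Run both checks and return the names of the ones that fired."""
    findings = []
    if is_renamed_binary(event_data):
        findings.append("renamed_binary")
    if system_integrity_without_system_parent(event_data):
        findings.append("system_integrity_without_system_parent")
    return findings


if __name__ == "__main__":
    print(parse_hashes(SAMPLE_EVENT_DATA["Hashes"]))
    print(triage(SAMPLE_EVENT_DATA))        # [] for the dllhost.exe example
    print(triage(CONSTRUCTED_SUSPICIOUS))   # both checks fire
```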
Detection Patterns
- Security-Auditing Event ID 4688: A new process has been created. OR Sysmon Event ID 1: Process creation (429 rules: Sigma 414, Splunk 14, Kusto Query Language)
- Defender-DeviceProcessEvents Event ID 9001000: Process activity OR Security-Auditing Event ID 4688: A new process has been created. OR Sysmon Event ID 1: Process creation (26 rules: Kusto Query Language 26)
- Defender-DeviceProcessEvents Event ID 9001000: Process activity AND Security-Auditing Event ID 4688: A new process has been created. AND Sysmon Event ID 1: Process creation (14 rules: Kusto Query Language 14)
- 9 rules: Splunk 9
- Normalized Process Events: Security-Auditing Event ID 4688: A new process has been created. OR Event ID 4689: A process has exited. OR Sysmon Event ID 1: Process creation OR Event ID 5: Process terminated (7 rules: Kusto Query Language)
- Defender-DeviceProcessEvents Event ID 9001000: Process activity → Security-Auditing Event ID 4688: A new process has been created. → Sysmon Event ID 1: Process creation (7 rules: Kusto Query Language)
- (Security-Auditing Event ID 4688: A new process has been created. AND Sysmon Event ID 11: FileCreate) OR (Event ID 1: Process creation AND Event ID 11: FileCreate) (7 rules: Splunk)
- No Command Line (6 rules: Splunk)
- Normalized Process Events, Asim Version
- Persistence: Create or Modify System Process (1 rule: Kusto Query Language)
- Defense Evasion: Process Hollowing (1 rule)
- Defense Evasion: Modify Registry
- Lateral Movement: Exploitation of Remote Services: Security-Auditing Event ID 4624: An account was successfully logged on. OR Event ID 4688: A new process has been created. OR Sysmon Event ID 1: Process creation OR Event ID 19: WmiEvent OR Event ID 20: WmiEvent OR Event ID 21: WmiEvent (1 rule: Kusto Query Language)
Detection Rules
Sigma
- 7Zip Compressing Dump Files (medium): Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
- Compress Data and Lock With Password for Exfiltration With 7-ZIP (medium): An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities.
- Potential DLL Injection Via AccCheckConsole (medium): Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
- Suspicious AddinUtil.EXE CommandLine Execution (high): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- Uncommon AddinUtil.EXE CommandLine Execution (medium): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- AddinUtil.EXE Execution From Uncommon Directory (medium): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
- Potential Adplus.EXE Abuse (high): Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
- AgentExecutor PowerShell Execution (medium): Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
- Suspicious AgentExecutor PowerShell Execution (high): Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
- Windows AMSI Related Registry Tampering Via CommandLine (high): Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE (medium): Detects the start of a non-built-in assistive technology application via "Atbroker.EXE".
- Hiding Files with Attrib.exe (medium): Detects usage of attrib.exe to hide files from users.
- Set Suspicious Files as System Files Using Attrib.EXE (high): Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs.
- Audit Policy Tampering Via Auditpol (high): Threat actors can use the auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
- Suspicious Autorun Registry Modified via WMI (high): Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
- Indirect Inline Command Execution Via Bash.EXE (medium): Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
- Indirect Command Execution From Script File Via Bash.EXE (medium): Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
- Boot Configuration Tampering Via Bcdedit.EXE (high): Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE (medium): Detects potential malicious and unauthorized usage of bcdedit.exe.
- Data Export From MSSQL Table Via BCP.EXE (medium): Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Splunk
- Detect Remote Access Software Usage FileInfo: The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.
- Excessive Usage Of SC Service Utility: The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.
- MacOS - Re-opened Applications: The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.
- Malicious PowerShell Process With Obfuscation Techniques: The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.
- Process Deleting Its Process File Path: The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.
- Web or Application Server Spawning a Shell: The following analytic detects instances where Java or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.
- Web Servers Executing Suspicious Processes: The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.
- Windows Account Access Removal via Logoff Exec: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user's access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.
- Windows Browser Process Launched with Unusual Flags: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
- Windows ComputerDefaults Spawning a Process: The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges. Detection focuses on abnormal execution patterns, unusual parent-child process relationships, or deviations from standard paths. Such behavior may indicate attempts to modify system defaults or run malicious scripts undetected. Monitoring ComputerDefaults.exe is critical to identify potential security threats, prevent privilege escalation, and maintain system integrity by distinguishing normal operations from suspicious activity.
- Windows Credential Target Information Structure in Commandline: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, such as in CVE-2025-33073. This detection leverages process creation events looking for specific CREDENTIAL_TARGET_INFORMATION structures.
- Windows Default Rdp File Unhidden: This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is initiated using mstsc.exe. The Default.rdp file stores session configuration details such as the remote host address and screen settings. Unhiding this file is uncommon in normal user behavior and may indicate that an attacker or red team operator is attempting to access or manipulate RDP connection history that was previously hidden, either by default or as part of an earlier anti-forensics effort. This activity may represent part of a broader pattern of reconnaissance or staging for credential reuse, lateral movement, or forensic analysis evasion. Monitoring for this behavior can help uncover suspicious manipulation of user artifacts and highlight interactive attacker activity on a compromised host.
- Windows Disable or Stop Browser Process: The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise.
- Windows Privilege Escalation Suspicious Process Elevation: The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.
- Windows Privilege Escalation System Process Without System Parent: The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.
- Windows Privilege Escalation User Process Spawn System Process: The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.
- Windows RDP Client Launched with Admin Session: This detection identifies the execution of the Windows Remote Desktop Client (mstsc.exe) with the "/v" and "/admin" command-line arguments. The "/v" flag specifies the remote host to connect to, while the "/admin" flag initiates a connection to the target system's console session, often used for administrative purposes. This combination may indicate that a user or attacker is performing privileged remote access, potentially to manage a system without disrupting existing user sessions. While such usage may be legitimate for IT administrators, it is less common in typical user behavior. Threat actors may abuse this capability during lateral movement to maintain stealthy access to high-value systems. Monitoring for this pattern can help detect interactive hands-on-keyboard activity, privilege abuse, or attempts to access critical infrastructure without leaving typical login traces associated with non-admin RDP sessions.
- Windows Renamed Powershell Execution: The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments.
- Windows Rundll32 Load DLL in Temp Dir: This detection identifies instances where rundll32.exe is used to load a DLL from a temporary directory, such as C:\Users\<User>\AppData\Local\Temp\ or C:\Windows\Temp\. While rundll32.exe is a legitimate Windows utility used to execute functions exported from DLLs, its use to load libraries from temporary locations is highly suspicious. These directories are commonly used by malware and red team tools to stage payloads or execute code in-memory without writing it to more persistent locations. This behavior often indicates defense evasion, initial access, or privilege escalation, especially when the DLL is unsigned, recently written, or executed shortly after download. In normal user workflows, DLLs are not typically loaded from Temp paths, making this a high-fidelity indicator of potentially malicious activity. Monitoring this pattern is essential for detecting threats that attempt to blend in with native system processes while bypassing traditional application controls.
- Windows UAC Bypass Suspicious Escalation Behavior: The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.
Kusto Query Language
- SUNBURST suspicious SolarWinds child processes (medium): Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Audit policy manipulation using auditpol utility (medium): This detects attempts to manipulate audit policies using the auditpol command. This technique was seen in relation to the Solorigate attack, but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep the process name commented out, but if the results show unrelated false positives, users may want to uncomment it. Refer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol Refer to our M365 blog for details on use during the Solorigate attack: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- Modification of Accessibility Features (medium): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1] Ref: https://attack.mitre.org/techniques/T1546/008/
- Lateral Movement via DCOM (medium): This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html
- Detecting Macro Invoking ShellBrowserWindow COM Objects (medium): This query detects a macro invoking ShellBrowserWindow COM Objects to evade naive parent/child Office detection rules.
- Windows Binaries Lolbins Renamed (medium): This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html