# Event ID 10 — ProcessAccess

## Description

The process accessed event reports when a process opens another process.

## Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| SourceProcessGUID | GUID → GUID | Process GUID of the source process that opened another process |
| SourceProcessId | UInt32 → PID | Process ID of the source process that opened another process |
| SourceThreadId | UInt32 → unsignedInt | ID of the specific thread inside the source process that opened another process |
| SourceImage | UnicodeString → string | File path of the source process that opened another process |
| TargetProcessGUID | GUID → GUID | Process GUID of the target process |
| TargetProcessId | UInt32 → PID | Process ID used by the OS to identify the target process |
| TargetImage | UnicodeString → string | File path of the target process |
| GrantedAccess | HexInt32 → HexInt32 | The access flags (bitmask) for the process rights requested on the target process (see the process access rights reference) |
| CallTrace | UnicodeString → string | Stack trace of where OpenProcess is called, including the DLL and relative virtual address of each function in the call stack |
| SourceUser | UnicodeString → string | Name of the account of the source process that opened another process |
| TargetUser | UnicodeString → string | Name of the account of the target process |
## Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 10,
    "version": 3,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:36.621865+00:00",
    "event_record_id": 1441177,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:04:36.619",
    "SourceProcessGUID": "E56ADA26-3829-6548-6007-000000000D00",
    "SourceProcessId": 15680,
    "SourceThreadId": 15676,
    "SourceImage": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\SentryEye.exe",
    "TargetProcessGUID": "E56ADA26-3766-6548-3C07-000000000D00",
    "TargetProcessId": 15280,
    "TargetImage": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe",
    "GrantedAccess": "0x100000",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+2c60e|C:\\Program Files\\Avira\\Endpoint Protection SDK\\SentryEye.exe+213cf|C:\\Program Files\\Avira\\Endpoint Protection SDK\\SentryEye.exe+2ccffe|C:\\Windows\\SYSTEM32\\KERNEL32.DLL+1257d|C:\\Windows\\SYSTEM32\\ntdll.dll+5aa78",
    "SourceUser": "NT AUTHORITY\\SYSTEM",
    "TargetUser": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
## Detection Patterns

- Defense Evasion: Process Hollowing (1 rule)

## Detection Rules

### Sigma
- CMSTP Execution Process Access (high): Detects various indicators of Microsoft Connection Manager Profile Installer execution.
- HackTool - CobaltStrike BOF Injection Pattern (high): Detects a typical pattern of a CobaltStrike BOF which injects into other processes.
- HackTool - Generic Process Access (high): Detects process access requests from hacktool processes based on their default image name.
- HackTool - HandleKatz Duplicating LSASS Handle (high): Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles.
- HackTool - LittleCorporal Generated Maldoc Injection (high): Detects the process injection of a LittleCorporal generated Maldoc.
- HackTool - SysmonEnte Execution (high): Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon.
- Lsass Memory Dump via Comsvcs DLL (high): Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
- LSASS Memory Access by Tool With Dump Keyword In Name (high): Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
- Potential Credential Dumping Activity Via LSASS (medium): Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
- Credential Dumping Activity By Python Based Tool (high): Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
- Remote LSASS Process Access Through Windows Remote Management (high): Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
- Suspicious LSASS Access Via MalSecLogon (high): Detects suspicious access to the LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
- Potentially Suspicious GrantedAccess Flags On LSASS (medium): Detects process access requests to the LSASS process with potentially suspicious access flags.
- Credential Dumping Attempt Via WerFault (high): Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for Windows 10, Server 2016 and up.
- LSASS Access From Potentially White-Listed Processes (high): Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference.
- Uncommon Process Access Rights For Target Image (low): Detects process access requests to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs (high): Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
- Potential Direct Syscall of NtOpenProcess (medium): Detects potential calls to NtOpenProcess directly from NTDLL.
- Credential Dumping Attempt Via Svchost (high): Detects when a process tries to access the memory of svchost to potentially dump credentials.
- Suspicious Svchost Process Access (high): Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
### Elastic

- Potential Credential Access via DuplicateHandle in LSASS (medium): Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
- Suspicious Lsass Process Access (medium): Identifies access attempts to the LSASS handle; this may indicate an attempt to dump credentials from LSASS memory.
- Potential Credential Access via LSASS Memory Dump (high): Identifies suspicious access to an LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
- Potential LSASS Memory Dump via PssCaptureSnapShot (high): Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
- Suspicious Process Access via Direct System Call (high): Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
### Splunk

- Access LSASS Memory for Dump Creation: The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.
- Detect Credential Dumping through LSASS access: The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.
- Rubeus Kerberos Ticket Exports Through Winlogon Access: The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.
- Spoolsv Suspicious Process Access: The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.
- Windows Access Token Manipulation Winlogon Duplicate Token Handle: The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path: The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.
- Windows Handle Duplication in Known UAC-Bypass Binaries: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command lines, and binary hashes.
- Windows Hunting System Account Targeting Lsass: The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.
- Windows Non-System Account Targeting Lsass: The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.
- Windows Possible Credential Dumping: The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.
- Windows Process Injection into Commonly Abused Processes: The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
- Windows Process Injection into Notepad: The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
- Windows Terminating Lsass Process: The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.
- Windows WMI Impersonate Token: The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.
### Kusto Query Language

- Dumping LSASS Process Into a File (high): Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/
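As an added example that is not part of this reference page, the Python below decodes the GrantedAccess bitmask from the Fields table into named PROCESS_* rights and applies the LSASS and PROCESS_ALL_ACCESS heuristics the rules above describe (PROCESS_VM_READ, the 0x1010/0x1410 masks, dbghelp.dll or dbgcore.dll in CallTrace, a non-SYSTEM source account). The access-right constants are Microsoft's documented values; the finding labels and the sample event_data dict are constructed here.

```python
PROCESS_RIGHTS = {  # Windows process access rights (documented Microsoft constants); keys are single bits
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF                    # the "0x1fffff" mask named in the rules above
MINIDUMP_DLLS = {"dbghelp.dll", "dbgcore.dll"}   # both export MiniDumpWriteDump


def decode_granted_access(value):
    """Expand a GrantedAccess hex string such as "0x1010" into named rights, lowest bit first."""
    mask = int(value, 16)
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    undefined = mask & ~sum(PROCESS_RIGHTS)      # bits with no named right, e.g. 0xC000 in ALL_ACCESS
    if undefined:
        names.append(f"UNDEFINED_0x{undefined:x}")
    return names


def calltrace_modules(calltrace):
    """Lower-cased module file names from a 'path+rva|path+rva|...' CallTrace string."""
    return [frame.rsplit("\\", 1)[-1].split("+", 1)[0].lower() for frame in calltrace.split("|") if frame]


def triage_process_access(event_data):
    """Apply the LSASS and ALL_ACCESS heuristics the rules above describe to one event_data dict."""
    findings = []
    mask = int(event_data["GrantedAccess"], 16)
    target = event_data["TargetImage"].rsplit("\\", 1)[-1].lower()
    if target == "lsass.exe":
        if mask & 0x0010:                        # reading credential material needs VM_READ
            findings.append("lsass_vm_read")
        if mask in (0x1010, 0x1410):             # minimal read masks named in the Splunk rule above
            findings.append("lsass_minimal_dump_mask")
        if MINIDUMP_DLLS & set(calltrace_modules(event_data.get("CallTrace", ""))):
            findings.append("lsass_minidump_dll_in_calltrace")
        if event_data.get("SourceUser", "").upper() != "NT AUTHORITY\\SYSTEM":
            findings.append("lsass_non_system_source")
    if mask == PROCESS_ALL_ACCESS:
        findings.append("process_all_access")
    return findings


# Constructed sample event_data (not from the page): a user-context tool reading lsass.exe via dbghelp.dll.
SAMPLE_LSASS_EVENT = {
    "TargetImage": "C:\\Windows\\System32\\lsass.exe",
    "GrantedAccess": "0x1010",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\dbghelp.dll+1a2b3|C:\\Users\\Public\\tool.exe+4c5d",
    "SourceUser": "WINDEV2310EVAL\\User",
}
if __name__ == "__main__":
    print(decode_granted_access(SAMPLE_LSASS_EVENT["GrantedAccess"]), triage_process_access(SAMPLE_LSASS_EVENT))
```

The page's own example event (GrantedAccess 0x100000, i.e. SYNCHRONIZE only, against a non-LSASS target) yields no findings, which is the expected baseline for most benign process access.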
## References

- Microsoft Learn: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess
- Example event sourced from: https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD: https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-10.yml
- NSA/CISA, Best Practices for Event Logging: https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection