Process Access Rights Reference
The GrantedAccess and DesiredAccess fields in Microsoft-Windows-Sysmon Event 10 (ProcessAccess) and Microsoft-Windows-Security-Auditing Event 4663 are hexadecimal bitmasks indicating which access rights were requested or granted on a process object. These values are central to detecting credential dumping, process injection, and other process manipulation techniques.
Process Access Rights
| Bit | Right | Description |
|---|---|---|
| 0x00000001 | PROCESS_TERMINATE | Terminate the process |
| 0x00000002 | PROCESS_CREATE_THREAD | Create a thread in the process |
| 0x00000004 | PROCESS_SET_SESSIONID | Set the session ID |
| 0x00000008 | PROCESS_VM_OPERATION | Perform operations on the process address space (VirtualProtectEx, WriteProcessMemory) |
| 0x00000010 | PROCESS_VM_READ | Read the process memory (ReadProcessMemory) |
| 0x00000020 | PROCESS_VM_WRITE | Write to the process memory (WriteProcessMemory) |
| 0x00000040 | PROCESS_DUP_HANDLE | Duplicate a handle from the process |
| 0x00000080 | PROCESS_CREATE_PROCESS | Create a process using this process as the parent |
| 0x00000100 | PROCESS_SET_QUOTA | Set the working set and paging limits |
| 0x00000200 | PROCESS_SET_INFORMATION | Set process information (e.g. priority class) |
| 0x00000400 | PROCESS_QUERY_INFORMATION | Query process information (token, exit code, priority) |
| 0x00000800 | PROCESS_SUSPEND_RESUME | Suspend or resume the process |
| 0x00001000 | PROCESS_QUERY_LIMITED_INFORMATION | Query limited process information (subset of PROCESS_QUERY_INFORMATION) |
| 0x00002000 | PROCESS_SET_LIMITED_INFORMATION | Set limited process information |
| 0x00010000 | DELETE | Delete the process object |
| 0x00020000 | READ_CONTROL | Read the process security descriptor |
| 0x00040000 | WRITE_DAC | Modify the process DACL |
| 0x00080000 | WRITE_OWNER | Change the process object owner |
| 0x00100000 | SYNCHRONIZE | Wait on the process handle |
| 0x001FFFFF | PROCESS_ALL_ACCESS | All possible access rights for a process object |
Well-Known Access Patterns
The following GrantedAccess values appear frequently in threat detection and are associated with specific techniques:
| GrantedAccess | Technique | Description |
|---|---|---|
| 0x1010 | Credential dumping (Mimikatz) | PROCESS_QUERY_LIMITED_INFORMATION \| PROCESS_VM_READ: classic Mimikatz signature when targeting LSASS |
| 0x1FFFFF | Full process access | PROCESS_ALL_ACCESS: full access to the target process; extremely broad and suspicious when targeting LSASS or other sensitive processes |
| 0x002A | CreateRemoteThread injection | PROCESS_CREATE_THREAD \| PROCESS_VM_OPERATION \| PROCESS_VM_WRITE: minimum rights for classic thread injection |
| 0x001A | Process hollowing | PROCESS_VM_OPERATION \| PROCESS_VM_READ \| PROCESS_CREATE_THREAD: used to hollow a process and inject code |
| 0x0040 | Handle duplication | PROCESS_DUP_HANDLE: duplicating a handle from another process, used to steal handles to privileged processes |
| 0x0800 | Suspend/Resume | PROCESS_SUSPEND_RESUME: suspending a process before manipulation (common in process hollowing) |
| 0x1410 | ProcDump variant | PROCESS_QUERY_LIMITED_INFORMATION \| PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ: memory dump pattern |
Caveats
Legitimate software commonly requests broad process access rights. Antivirus, EDR agents, debugging tools, and system utilities routinely open processes with PROCESS_QUERY_INFORMATION, PROCESS_VM_READ, or even PROCESS_ALL_ACCESS. Effective detection requires combining the access mask with context:
- Source process: Is it a known security tool or a suspicious binary?
- Target process: Is it LSASS, a browser, or another sensitive process?
- Source user: Is it a SYSTEM/service account (often legitimate) or a standard user?
- Frequency: One-time access may be a tool initializing; repeated access to LSASS is suspicious.
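The following Python script is an added example, not code from the page or from Sysmon itself. It puts the two tables and the caveats together: it decodes a GrantedAccess value into the named rights from the first table, matches it against the well-known combinations from the second table (exact matches and masks that merely contain a known pattern, since PROCESS_ALL_ACCESS contains every other pattern), and then scores constructed Sysmon Event 10 records using the context the caveats list. The sensitive-target list, the allowlist of trusted source images, the point values, the sample records and the assumption that the record carries a SourceUser field are all assumptions made for this example.

```python
"""Decode Sysmon Event 10 GrantedAccess masks and triage them with context."""
from collections import Counter

# Process-object access rights (bit -> name), as in the reference table.
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE", 0x00000002: "PROCESS_CREATE_THREAD",
    0x00000004: "PROCESS_SET_SESSIONID", 0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ", 0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE", 0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA", 0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION", 0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)          # union of every named bit above
MEMORY_BITS = 0x08 | 0x10 | 0x20          # VM_OPERATION | VM_READ | VM_WRITE

# Well-known GrantedAccess combinations from the patterns table.
KNOWN_PATTERNS = {
    0x1010: "Credential dumping (Mimikatz)", 0x1FFFFF: "PROCESS_ALL_ACCESS",
    0x002A: "CreateRemoteThread injection", 0x001A: "Process hollowing",
    0x0040: "Handle duplication", 0x0800: "Suspend/Resume", 0x1410: "ProcDump variant",
}

# Context lists are assumptions for this example, not from the page; a real
# deployment would load its own allowlist of security tooling.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}
TRUSTED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}


def parse_mask(value):
    """Accept an int or the hex string Sysmon logs (e.g. '0x1010')."""
    return value if isinstance(value, int) else int(value, 16)


def decode_access(mask):
    """Names of all rights set in a mask, lowest bit first. Bits the table does
    not name (0x4000/0x8000 inside PROCESS_ALL_ACCESS, generic rights above
    0x1FFFFF) are reported as UNNAMED_0x... rather than silently dropped."""
    mask = parse_mask(mask)
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"UNNAMED_0x{leftover:08X}")
    return names


def match_patterns(mask):
    """Return (exact pattern name or None, patterns whose bits are all inside mask)."""
    mask = parse_mask(mask)
    contained = [name for bits, name in KNOWN_PATTERNS.items()
                 if bits != mask and mask & bits == bits]
    return KNOWN_PATTERNS.get(mask), contained


def triage(events):
    """Score Event 10 records by mask plus the context the caveats list: source
    image, target image, source user and frequency. Point values are illustrative."""
    pair_counts = Counter((e["SourceImage"].lower(), e["TargetImage"].lower()) for e in events)
    results = []
    for e in events:
        mask = parse_mask(e["GrantedAccess"])
        src, tgt = e["SourceImage"].lower(), e["TargetImage"].lower()
        target_name = tgt.rsplit("\\", 1)[-1]
        exact, contained = match_patterns(mask)
        n = pair_counts[(src, tgt)]
        checks = [  # (condition, points, reason)
            (exact is not None, 2, f"known pattern: {exact}"),
            (exact is None and bool(contained), 1, "contains " + ", ".join(contained)),
            (target_name in SENSITIVE_TARGETS and bool(mask & MEMORY_BITS), 3,
             f"memory rights on {target_name}"),
            (src in TRUSTED_SOURCES, -3, "allowlisted source image"),
            (not e.get("SourceUser", "").upper().startswith("NT AUTHORITY\\"), 1,
             "non-service source user"),
            (n > 1, 1, f"repeated access ({n} events)"),
        ]
        results.append({
            "target": target_name, "mask": f"0x{mask:X}", "rights": decode_access(mask),
            "score": sum(p for hit, p, _ in checks if hit),
            "reasons": [r for hit, _, r in checks if hit],
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample records: field names follow Sysmon Event 10, values are invented.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\alice\Downloads\update.exe", "SourceUser": "CORP\\alice",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\alice\Downloads\update.exe", "SourceUser": "CORP\\alice",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["score"], r["mask"], r["target"], r["reasons"])
```

Two design points worth noting. The decoder reports unnamed bits instead of discarding them, so a mask like 0x1FFFFF shows that the table leaves 0x4000 and 0x8000 unnamed, and a generic-rights value above 0x1FFFFF is not silently mistaken for a process-specific right. The triage deliberately scores the allowlisted AV process opening LSASS with PROCESS_ALL_ACCESS low and the unknown user-profile binary opening LSASS with 0x1010 twice high, which is the point of the caveats: the same mask means different things depending on source, target, user and frequency.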
Related Events
- Microsoft-Windows-Sysmon Event ID 10: ProcessAccess, GrantedAccess field
- Microsoft-Windows-Security-Auditing Event ID 4663: An attempt was made to access an object, when the Object Type is Process