Processes
  • 12 Jan 2024

CODE_IDENTITY

A CODE_IDENTITY event is emitted for each unique combination of file hash and file path, the first time that combination is seen, and only when the binary is executed or loaded. That makes it a good event to hunt for hashes in without being overwhelmed by every process execution or module load.

ONGOING_IDENTITY

The ONGOING_IDENTITY event emits code signature information even for binaries that have already been seen, so this data can become duplicative and verbose.

Platforms:

{
  "MEMORY_SIZE": 0,
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
  "TIMESTAMP": 1456285265,
  "SIGNATURE": {
    "CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA",
    "CERT_CHAIN_STATUS": 124,
    "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
    "CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation"
  },
  "HASH": "4ab4024eb555b2e4c54d378a846a847bd02f66ac54849bbce5a1c8b787f1d26c"
}

EXISTING_PROCESS

This event is similar to the NEW_PROCESS event. It is emitted for each process that already existed when the LimaCharlie sensor loaded.

MODULE_LOAD

Generated when a module (such as a DLL on Windows) is loaded into a process.

Platforms:

{
  "MEMORY_SIZE": 241664,
  "PROCESS_ID": 2904,
  "FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
  "MODULE_NAME": "imm32.dll",
  "TIMESTAMP": 1468335264989,
  "BASE_ADDRESS": 140715814092800
}

NEW_NAMED_PIPE

This event is emitted when a new Named Pipe is created by a process.

Platforms:

NEW_PROCESS

Generated when a new process starts.

Platforms:

Event Data

Field   Type   Notes
ts      Epoch timestamp
{
  "PARENT": {
    "PARENT_PROCESS_ID": 7076,
    "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe\"  ",
    "MEMORY_USAGE": 438730752,
    "PROCESS_ID": 5820,
    "THREADS": 39,
    "FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe",
    "BASE_ADDRESS": 798949376
  },
  "PARENT_PROCESS_ID": 5820,
  "COMMAND_LINE": "-q  -s {0257E42D-7F05-42C4-B402-34C1CC2F2EAD} -p 5820",
  "FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\VC\\vcpackages\\VCPkgSrv.exe",
  "PROCESS_ID": 1080,
  "THREADS": 9,
  "MEMORY_USAGE": 8282112,
  "TIMESTAMP": 1456285660,
  "BASE_ADDRESS": 4194304
}

NEW_REMOTE_THREAD

Generated on a Windows system when a thread is created by a process in another process. This is a technique often used by malware in various forms of code injection.

In this example, process 492 created a thread (with id 9012) in process 7944. The creating process is also globally uniquely identified by the routing/parent atom, and the process in which the thread was started is globally uniquely identified by the routing/target atom (the routing is not shown here).

Platforms:

{
  "THREAD_ID": 9012,
  "PROCESS_ID": 7944,
  "PARENT_PROCESS_ID": 492
}

OPEN_NAMED_PIPE

This event is emitted when an existing Named Pipe is opened by a process.

Platforms:

PROCESS_ENVIRONMENT

Generated when a process starts. It lists all environment variables associated with that new process.

Platforms:

{
  "ENVIRONMENT_VARIABLES": [
    "LANG=en_US.UTF-8",
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "NOTIFY_SOCKET=/run/systemd/notify",
    "LISTEN_PID=18950",
    "LISTEN_FDS=2",
    "LISTEN_FDNAMES=systemd-udevd-kernel.socket:systemd-udevd-control.socket",
    "WATCHDOG_PID=18950",
    "WATCHDOG_USEC=180000000",
    "INVOCATION_ID=07d6d5f06eea44cabd20adb6c6dcfe0c",
    "JOURNAL_STREAM=9:4165813"
  ],
  "PROCESS_ID": 13463
}

REMOTE_PROCESS_HANDLE

This event is generated whenever a process opens a handle to another process with one of the following access flags: VM_READ, VM_WRITE or PROCESS_CREATE_THREAD. It is only available on Windows. A routing/target is also populated in the event as the globally unique identifier of the target process.

ACCESS_FLAGS is the access mask requested for the handle, as defined in the linked reference.

Platforms:

{
  "ACCESS_FLAGS": 136208,
  "PARENT_PROCESS_ID": 6492,
  "PROCESS_ID": 2516
}
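As an added example (not LimaCharlie's own code), the helper below decodes the ACCESS_FLAGS mask of a REMOTE_PROCESS_HANDLE event into the documented Windows process access rights and picks out the ones that let the holder read or write the target's memory or run code in it, which is what makes this event worth triaging. The right names and bit values are the standard Windows constants; the triage summary shape is my own.

```python
# Added example, not LimaCharlie's own code: decode the ACCESS_FLAGS mask of a
# REMOTE_PROCESS_HANDLE event into Windows process access rights and pick out
# the rights the page says trigger the event (VM_READ, VM_WRITE, CREATE_THREAD).
PROCESS_RIGHTS = {  # documented Windows process-specific and standard rights
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # the value seen in the lsass/sppsvc samples
# Rights that allow reading or writing the target's memory or running code in it.
INJECTION_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"}


def decode_access_flags(mask: int) -> list[str]:
    """Known rights set in mask, lowest bit first; unnamed bits become UNKNOWN_0x..."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)  # e.g. 0xC000 inside PROCESS_ALL_ACCESS
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def triage_handle_event(event: dict) -> dict:
    """Summarise a REMOTE_PROCESS_HANDLE event body for a triage queue."""
    mask = event["ACCESS_FLAGS"]
    rights = decode_access_flags(mask)
    return {
        "source_pid": event["PARENT_PROCESS_ID"],  # the process opening the handle
        "target_pid": event["PROCESS_ID"],         # the process being opened
        "all_access": mask == PROCESS_ALL_ACCESS,
        "rights": rights,
        "injection_rights": sorted(INJECTION_RIGHTS & set(rights)),
    }
```

Run on the event body above (136208 == 0x21410) it reports READ_CONTROL, QUERY_INFORMATION, QUERY_LIMITED_INFORMATION and VM_READ, with VM_READ as the only injection-relevant right; the 2097151 seen in the later samples is PROCESS_ALL_ACCESS.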

SENSITIVE_PROCESS_ACCESS

This event is generated when a process gains sensitive access, through a remote process handle or a remote thread, to a sensitive operating system process such as lsass.exe on Windows.

Platforms:

{
  "EVENTS": [
    {
      "event": {
        "BASE_ADDRESS": 140697066274816,
        "COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
        "HASH": "f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534",
        "MEMORY_USAGE": 14950400,
        "PARENT_PROCESS_ID": 484,
        "PROCESS_ID": 636,
        "THREADS": 12,
        "USER_NAME": "BUILTIN\\Administrators"
      },
      "routing": {
        ...
      }
    },
    {
      "event": {
        "ACCESS_FLAGS": 2097151,
        "PARENT_PROCESS_ID": 4148,
        "PROCESS_ID": 636,
        "SOURCE": {
          "FILE_PATH": "\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1902.2-0\\MsMpEng.exe",
          "MEMORY_USAGE": 126771200,
          "PARENT_PROCESS_ID": 620,
          "PROCESS_ID": 4148,
          "THIS_ATOM": "69a5a90aade375d2860c76701ba8d701",
          "THREADS": 32,
          "TIMESTAMP": 1553448803541,
          "USER_NAME": "NT AUTHORITY\\SYSTEM"
        },
        "TARGET": {
          "BASE_ADDRESS": 140697066274816,
          "COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
          "FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
          "MEMORY_USAGE": 14950400,
          "PARENT_PROCESS_ID": 484,
          "PROCESS_ID": 636,
          "THIS_ATOM": "98ffb0230c694f750671c7387b535b9b",
          "THREADS": 12,
          "TIMESTAMP": 1553448799838,
          "USER_NAME": "BUILTIN\\Administrators"
        }
      },
      "routing": {
        ...
      }
    }
  ]
}

TERMINATE_PROCESS

Generated when a process exits.

Platforms:

{
  "PARENT_PROCESS_ID": 5820,
  "TIMESTAMP": 1456285661,
  "PROCESS_ID": 6072
}

THREAD_INJECTION

This event is generated when the sensor detects what looks like a thread injection into a remote process.

Platforms:

{
  "event": {
    "EVENTS": [
      {
        "event": {
          "ACCESS_FLAGS": 2097151,
          "PARENT_PROCESS_ID": 5380,
          "PROCESS_ID": 4276,
          "SOURCE": {
            "BASE_ADDRESS": 140701160243200,
            "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
            "MEMORY_USAGE": 5881856,
            "PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
            "PARENT_PROCESS_ID": 5972,
            "PROCESS_ID": 5380,
            "THIS_ATOM": "37b57d228af708b25d097f32659ee557",
            "THREADS": 3,
            "TIMESTAMP": 1704912214704,
            "USER_NAME": "WINDOWS-SERVER-\\whitney"
          },
          "TARGET": {
            "COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
            "HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
            "MEMORY_USAGE": 6156288,
            "PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
            "PARENT_PROCESS_ID": 628,
            "PROCESS_ID": 4276,
            "THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
            "THREADS": 3,
            "TIMESTAMP": 1704912150174,
            "USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
          }
        },
        "routing": {
          "arch": 2,
          "did": "",
          "event_id": "d61caa47-225a-4f6a-9f3a-6094cdb3c383",
          "event_time": 1704912219717,
          "event_type": "REMOTE_PROCESS_HANDLE",
          "ext_ip": "104.198.223.172",
          "hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
          "iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
          "int_ip": "10.128.15.197",
          "moduleid": 2,
          "oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
          "parent": "37b57d228af708b25d097f32659ee557",
          "plat": 268435456,
          "sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
          "tags": [
            "windows"
          ],
          "target": "fe1dee93442392ea97becdad659ee516",
          "this": "87509849fc608bce8a236f49659ee55b"
        }
      },
      {
        "event": {
          "PARENT_PROCESS_ID": 5380,
          "PROCESS_ID": 4276,
          "SOURCE": {
            "BASE_ADDRESS": 140701160243200,
            "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
            "MEMORY_USAGE": 5881856,
            "PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
            "PARENT_PROCESS_ID": 5972,
            "PROCESS_ID": 5380,
            "THIS_ATOM": "37b57d228af708b25d097f32659ee557",
            "THREADS": 3,
            "TIMESTAMP": 1704912214704,
            "USER_NAME": "WINDOWS-SERVER-\\whitney"
          },
          "TARGET": {
            "COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
            "HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
            "MEMORY_USAGE": 6156288,
            "PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
            "PARENT_PROCESS_ID": 628,
            "PROCESS_ID": 4276,
            "THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
            "THREADS": 3,
            "TIMESTAMP": 1704912150174,
            "USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
          },
          "THREAD_ID": 3672
        },
        "routing": {
          "arch": 2,
          "did": "",
          "event_id": "ece7d85e-a43c-49d3-bc9a-28ace6dc1b02",
          "event_time": 1704912219967,
          "event_type": "NEW_REMOTE_THREAD",
          "ext_ip": "104.198.223.172",
          "hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
          "iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
          "int_ip": "10.128.15.197",
          "moduleid": 2,
          "oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
          "parent": "37b57d228af708b25d097f32659ee557",
          "plat": 268435456,
          "sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
          "tags": [
            "windows"
          ],
          "target": "fe1dee93442392ea97becdad659ee516",
          "this": "b30a499edf9ec2e424b07d20659ee55b"
        }
      }
    ]
  },
  "ts": "2024-01-10 18:43:39"
}
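Both SENSITIVE_PROCESS_ACCESS and THREAD_INJECTION are compound events: their EVENTS array wraps the underlying REMOTE_PROCESS_HANDLE and NEW_REMOTE_THREAD records, each with its own routing, and the routing/parent and routing/target atoms tie every sub-event to one source and one target process. The added example below (my code, not LimaCharlie's) walks that structure, checks the atoms agree across sub-events, and pulls out what a responder needs first. It assumes each sub-event carries routing/event_type, parent and target as in the THREAD_INJECTION sample above; SENSITIVE_NAMES is an assumed list, and the sample is constructed from the page's values, trimmed to the fields the code reads.

```python
# Added example, not LimaCharlie's own code: walk the EVENTS array of a compound
# THREAD_INJECTION (or SENSITIVE_PROCESS_ACCESS) event, check that every
# sub-event refers to the same source/target pair via the routing/parent and
# routing/target atoms, and summarise the source, target and thread involved.
# Assumes each sub-event carries routing/event_type, parent and target.
SENSITIVE_NAMES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}  # assumed
EXPECTED_CHAIN = ["REMOTE_PROCESS_HANDLE", "NEW_REMOTE_THREAD"]

def wrap_sub_event(event_type, body, parent, target):
    """Wrap a sub-event body the way the sensor does: {event, routing}."""
    return {"event": body, "routing": {"event_type": event_type,
                                       "parent": parent, "target": target}}

def basename_win(win_path: str) -> str:
    return win_path.rsplit("\\", 1)[-1].lower()

def summarise_injection(compound: dict) -> dict:
    subs = compound["event"]["EVENTS"]
    chain = [s["routing"]["event_type"] for s in subs]
    parents = {s["routing"]["parent"] for s in subs}
    targets = {s["routing"]["target"] for s in subs}
    by_type = {s["routing"]["event_type"]: s["event"] for s in subs}
    # Every sub-event should come from one source process and hit one target.
    consistent = len(parents) == 1 and len(targets) == 1 and chain == EXPECTED_CHAIN
    handle = by_type.get("REMOTE_PROCESS_HANDLE", {})
    thread = by_type.get("NEW_REMOTE_THREAD", {})
    source = (handle or thread)["SOURCE"]
    target = (handle or thread)["TARGET"]
    return {
        "consistent": consistent,
        "source_path": source["FILE_PATH"],
        "source_signed": bool(source.get("FILE_IS_SIGNED", 0)),
        "source_user": source.get("USER_NAME"),
        "target_path": target["FILE_PATH"],
        "target_sensitive": basename_win(target["FILE_PATH"]) in SENSITIVE_NAMES,
        "handle_all_access": handle.get("ACCESS_FLAGS") == 0x1FFFFF,
        "thread_id": thread.get("THREAD_ID"),
    }

# Constructed sample: the page's THREAD_INJECTION event trimmed to the read fields.
SRC = {"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
       "FILE_IS_SIGNED": 1, "USER_NAME": "WINDOWS-SERVER-\\whitney"}
DST = {"FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe", "FILE_IS_SIGNED": 1,
       "USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"}
P, T = "37b57d228af708b25d097f32659ee557", "fe1dee93442392ea97becdad659ee516"
SAMPLE = {"event": {"EVENTS": [
    wrap_sub_event("REMOTE_PROCESS_HANDLE", {"ACCESS_FLAGS": 2097151, "SOURCE": SRC, "TARGET": DST}, P, T),
    wrap_sub_event("NEW_REMOTE_THREAD", {"THREAD_ID": 3672, "SOURCE": SRC, "TARGET": DST}, P, T),
]}, "ts": "2024-01-10 18:43:39"}
```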
