CODE_IDENTITY
Unique combinations of file hash and file path. The event is emitted the first time a combination is seen, but only when the binary is executed or loaded, which makes it a good event for collecting hashes without being overwhelmed by process executions or module loads. The ONGOING_IDENTITY event emits code signature information even when the combination is not newly seen, but that data can become duplicative and verbose.
Platforms:
{
"MEMORY_SIZE": 0,
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
"TIMESTAMP": 1456285265,
"SIGNATURE": {
"CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA",
"CERT_CHAIN_STATUS": 124,
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
"CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation"
},
"HASH": "4ab4024eb555b2e4c54d378a846a847bd02f66ac54849bbce5a1c8b787f1d26c"
}
EXISTING_PROCESS
This event is similar to the NEW_PROCESS event. It is emitted for processes that already existed before the LimaCharlie sensor loaded.
MODULE_LOAD
Generated when a module (like DLL on Windows) is loaded in a process.
Platforms:
Temporarily disabled:
{
"MEMORY_SIZE": 241664,
"PROCESS_ID": 2904,
"FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
"MODULE_NAME": "imm32.dll",
"TIMESTAMP": 1468335264989,
"BASE_ADDRESS": 140715814092800
}
NEW_NAMED_PIPE
This event is emitted when a new Named Pipe is created by a process.
Platforms:
{
"FILE_PATH": "\\Device\\NamedPipe\\LOCAL\\mojo.6380.1072.2134013463507075011",
"PROCESS_ID": 6380
}
NEW_PROCESS
Generated when a new process starts.
Platforms:
Event Data

| Field | Type | Notes |
|---|---|---|
| ts | Epoch timestamp | |
{
"PARENT": {
"PARENT_PROCESS_ID": 7076,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe\" ",
"MEMORY_USAGE": 438730752,
"PROCESS_ID": 5820,
"THREADS": 39,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe",
"BASE_ADDRESS": 798949376
},
"PARENT_PROCESS_ID": 5820,
"COMMAND_LINE": "-q -s {0257E42D-7F05-42C4-B402-34C1CC2F2EAD} -p 5820",
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\VC\\vcpackages\\VCPkgSrv.exe",
"PROCESS_ID": 1080,
"THREADS": 9,
"MEMORY_USAGE": 8282112,
"TIMESTAMP": 1456285660,
"BASE_ADDRESS": 4194304
}
NEW_REMOTE_THREAD
Generated on a Windows system when a thread is created by a process in another process. This is a characteristic often used by malware during various forms of code injection.
In this case, the process with id 492 created a thread (with id 9012) in the process with id 7944. The parent process is also globally uniquely identified by the routing/parent, and the process where the thread was started is globally uniquely identified by the routing/target (not visible here).
Platforms:
{
"THREAD_ID": 9012,
"PROCESS_ID": 7944,
"PARENT_PROCESS_ID": 492
}
OPEN_NAMED_PIPE
This event is emitted when an existing Named Pipe is opened by a process.
Platforms:
{
"FILE_PATH": "\\Device\\NamedPipe\\lsass",
"PROCESS_ID": 2232
}
PROCESS_ENVIRONMENT
Generated when a process starts. It lists all environment variables associated with that new process.
Platforms:
{
"ENVIRONMENT_VARIABLES": [
"LANG=en_US.UTF-8",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NOTIFY_SOCKET=/run/systemd/notify",
"LISTEN_PID=18950",
"LISTEN_FDS=2",
"LISTEN_FDNAMES=systemd-udevd-kernel.socket:systemd-udevd-control.socket",
"WATCHDOG_PID=18950",
"WATCHDOG_USEC=180000000",
"INVOCATION_ID=07d6d5f06eea44cabd20adb6c6dcfe0c",
"JOURNAL_STREAM=9:4165813"
],
"PROCESS_ID": 13463
}
REMOTE_PROCESS_HANDLE
This event is generated whenever a process opens a handle to another process with one of the following access flags: VM_READ, VM_WRITE or PROCESS_CREATE_THREAD. Only available on Windows OS. A routing/target is also populated in the event as the globally unique identifier of the target process.
The ACCESS_FLAGS value is the Windows process access rights mask requested for the handle (the PROCESS_* rights passed to OpenProcess).
Platforms:
{
"ACCESS_FLAGS": 136208,
"PARENT_PROCESS_ID": 6492,
"PROCESS_ID": 2516
}
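The ACCESS_FLAGS value is only useful once it is decoded. The following is an added example, not LimaCharlie's own code, that turns the mask into named Windows process access rights (bit values from winnt.h) and classifies what the handle lets the opener do to the target. It assumes, following the NEW_REMOTE_THREAD and THREAD_INJECTION samples on this page, that PARENT_PROCESS_ID is the process that opened the handle and PROCESS_ID is the target. The two sample values are the ones that appear on this page (136208 and 2097151).

```python
# Added example, not LimaCharlie's own code: decode the ACCESS_FLAGS mask of a
# REMOTE_PROCESS_HANDLE event into named Windows process access rights and
# classify what the handle lets the opener do to the target.
# Bit values are the PROCESS_* and standard access rights from winnt.h.

PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# Rights that let the opener alter the target's memory or execution.
WRITE_CAPABLE = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
                 "PROCESS_CREATE_THREAD", "PROCESS_SUSPEND_RESUME"}


def decode_access_flags(mask):
    """Return the names of the rights set in `mask`, lowest bit first.
    Bits not in the table are reported as a single UNKNOWN(...) entry."""
    known = 0
    names = []
    for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()):
        known |= bit
        if mask & bit:
            names.append(name)
    leftover = mask & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def triage_handle_event(event):
    """Summarise a REMOTE_PROCESS_HANDLE event body.
    Assumption (from the page's other samples): PARENT_PROCESS_ID opened the
    handle, PROCESS_ID is the target."""
    mask = event["ACCESS_FLAGS"]
    rights = decode_access_flags(mask)
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        level = "all-access"
    elif WRITE_CAPABLE.intersection(rights):
        level = "write-capable"
    elif "PROCESS_VM_READ" in rights:
        level = "read-only"   # enough to read the target's memory
    else:
        level = "query-only"  # not expected: the sensor only emits for VM_READ/VM_WRITE/CREATE_THREAD
    return {
        "opener_pid": event["PARENT_PROCESS_ID"],
        "target_pid": event["PROCESS_ID"],
        "rights": rights,
        "level": level,
    }


# Constructed samples: the page's REMOTE_PROCESS_HANDLE body, and the
# ACCESS_FLAGS value seen inside the page's THREAD_INJECTION sample.
SAMPLE_READ = {"ACCESS_FLAGS": 136208, "PARENT_PROCESS_ID": 6492, "PROCESS_ID": 2516}
SAMPLE_ALL = {"ACCESS_FLAGS": 2097151, "PARENT_PROCESS_ID": 5380, "PROCESS_ID": 4276}

if __name__ == "__main__":
    for sample in (SAMPLE_READ, SAMPLE_ALL):
        print(triage_handle_event(sample))
```

Decoded, the page's value 136208 is READ_CONTROL plus PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ (a memory-read handle), while 2097151 is PROCESS_ALL_ACCESS; the two undocumented bits 0x4000 and 0x8000 inside PROCESS_ALL_ACCESS surface as UNKNOWN(0xc000), which is why the decoder keeps leftover bits instead of dropping them.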
SENSITIVE_PROCESS_ACCESS
This event is generated when a process gains sensitive access through a remote process handle or a remote thread to sensitive operating system processes like lsass.exe on Windows.
Platforms:
{
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140697066274816,
"COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
"HASH": "f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534",
"MEMORY_USAGE": 14950400,
"PARENT_PROCESS_ID": 484,
"PROCESS_ID": 636,
"THREADS": 12,
"USER_NAME": "BUILTIN\\Administrators"
},
"routing": {
...
}
},
{
"event": {
"ACCESS_FLAGS": 2097151,
"PARENT_PROCESS_ID": 4148,
"PROCESS_ID": 636,
"SOURCE": {
"FILE_PATH": "\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1902.2-0\\MsMpEng.exe",
"MEMORY_USAGE": 126771200,
"PARENT_PROCESS_ID": 620,
"PROCESS_ID": 4148,
"THIS_ATOM": "69a5a90aade375d2860c76701ba8d701",
"THREADS": 32,
"TIMESTAMP": 1553448803541,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"TARGET": {
"BASE_ADDRESS": 140697066274816,
"COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
"FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
"MEMORY_USAGE": 14950400,
"PARENT_PROCESS_ID": 484,
"PROCESS_ID": 636,
"THIS_ATOM": "98ffb0230c694f750671c7387b535b9b",
"THREADS": 12,
"TIMESTAMP": 1553448799838,
"USER_NAME": "BUILTIN\\Administrators"
}
},
"routing": {
...
}
}
]
}
TERMINATE_PROCESS
Generated when a process exits.
Platforms:
{
"PARENT_PROCESS_ID": 5820,
"TIMESTAMP": 1456285661,
"PROCESS_ID": 6072
}
THREAD_INJECTION
This event is generated when the sensor detects what looks like a thread injection into a remote process.
Platforms:
{
"event": {
"EVENTS": [
{
"event": {
"ACCESS_FLAGS": 2097151,
"PARENT_PROCESS_ID": 5380,
"PROCESS_ID": 4276,
"SOURCE": {
"BASE_ADDRESS": 140701160243200,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
"MEMORY_USAGE": 5881856,
"PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
"PARENT_PROCESS_ID": 5972,
"PROCESS_ID": 5380,
"THIS_ATOM": "37b57d228af708b25d097f32659ee557",
"THREADS": 3,
"TIMESTAMP": 1704912214704,
"USER_NAME": "WINDOWS-SERVER-\\whitney"
},
"TARGET": {
"COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
"HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
"MEMORY_USAGE": 6156288,
"PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
"PARENT_PROCESS_ID": 628,
"PROCESS_ID": 4276,
"THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
"THREADS": 3,
"TIMESTAMP": 1704912150174,
"USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "d61caa47-225a-4f6a-9f3a-6094cdb3c383",
"event_time": 1704912219717,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "104.198.223.172",
"hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
"iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
"int_ip": "10.128.15.197",
"moduleid": 2,
"oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
"parent": "37b57d228af708b25d097f32659ee557",
"plat": 268435456,
"sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
"tags": [
"windows"
],
"target": "fe1dee93442392ea97becdad659ee516",
"this": "87509849fc608bce8a236f49659ee55b"
}
},
{
"event": {
"PARENT_PROCESS_ID": 5380,
"PROCESS_ID": 4276,
"SOURCE": {
"BASE_ADDRESS": 140701160243200,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
"MEMORY_USAGE": 5881856,
"PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
"PARENT_PROCESS_ID": 5972,
"PROCESS_ID": 5380,
"THIS_ATOM": "37b57d228af708b25d097f32659ee557",
"THREADS": 3,
"TIMESTAMP": 1704912214704,
"USER_NAME": "WINDOWS-SERVER-\\whitney"
},
"TARGET": {
"COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
"HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
"MEMORY_USAGE": 6156288,
"PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
"PARENT_PROCESS_ID": 628,
"PROCESS_ID": 4276,
"THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
"THREADS": 3,
"TIMESTAMP": 1704912150174,
"USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
},
"THREAD_ID": 3672
},
"routing": {
"arch": 2,
"did": "",
"event_id": "ece7d85e-a43c-49d3-bc9a-28ace6dc1b02",
"event_time": 1704912219967,
"event_type": "NEW_REMOTE_THREAD",
"ext_ip": "104.198.223.172",
"hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
"iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
"int_ip": "10.128.15.197",
"moduleid": 2,
"oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
"parent": "37b57d228af708b25d097f32659ee557",
"plat": 268435456,
"sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
"tags": [
"windows"
],
"target": "fe1dee93442392ea97becdad659ee516",
"this": "b30a499edf9ec2e424b07d20659ee55b"
}
}
]
},
"ts": "2024-01-10 18:43:39"
}
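Both SENSITIVE_PROCESS_ACCESS and THREAD_INJECTION wrap the individual events that led to the detection in a nested EVENTS list, and each nested event's routing/parent and routing/target atoms name its SOURCE and TARGET processes. The following is an added example, not LimaCharlie's own code, that flattens either shape into one triage record: it collects the event sequence, the injected THREAD_ID, whether any handle was opened with PROCESS_ALL_ACCESS, whether the target is one of the sensitive processes this page names (lsass.exe; the set is an assumption to extend per environment), and whether the atoms in routing agree with the SOURCE/TARGET records. The sample events are constructed from the two examples on this page with most fields trimmed; the "NEW_PROCESS" event_type on the bare lsass record is an assumption, since the page elides that routing block.

```python
# Added example, not LimaCharlie's own code: flatten the nested EVENTS list of
# a THREAD_INJECTION (EVENTS under "event") or SENSITIVE_PROCESS_ACCESS
# (EVENTS at the top level) event into one triage record.

PROCESS_ALL_ACCESS = 0x1FFFFF
# Assumption: only the process this page names as sensitive; extend as needed.
SENSITIVE_TARGETS = {"lsass.exe"}


def win_basename(win_path):
    # Windows path: split on backslash rather than relying on os.path.
    return win_path.rsplit("\\", 1)[-1].lower()


def summarize_injection(event):
    body = event.get("event", event)  # THREAD_INJECTION wraps EVENTS in "event"
    summary = {"sequence": [], "thread_id": None, "all_access_handle": False,
               "atoms_consistent": True, "source": None, "target": None,
               "source_signed": None, "target_sensitive": False}
    for sub in body["EVENTS"]:
        inner, routing = sub["event"], sub.get("routing", {})
        summary["sequence"].append(routing.get("event_type", "UNKNOWN"))
        src, tgt = inner.get("SOURCE"), inner.get("TARGET")
        if src is None or tgt is None:
            continue  # a plain process record (e.g. the lsass.exe entry), no pair to check
        summary["source"] = src["FILE_PATH"]
        summary["target"] = tgt["FILE_PATH"]
        summary["source_signed"] = bool(src.get("FILE_IS_SIGNED", 0))
        summary["target_sensitive"] = win_basename(tgt["FILE_PATH"]) in SENSITIVE_TARGETS
        # routing/parent must be the SOURCE atom and routing/target the TARGET atom
        if "parent" in routing and routing["parent"] != src.get("THIS_ATOM"):
            summary["atoms_consistent"] = False
        if "target" in routing and routing["target"] != tgt.get("THIS_ATOM"):
            summary["atoms_consistent"] = False
        if (inner.get("ACCESS_FLAGS", 0) & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
            summary["all_access_handle"] = True
        if "THREAD_ID" in inner:
            summary["thread_id"] = inner["THREAD_ID"]
    return summary


# --- Constructed samples, trimmed from the page's two examples -------------

def proc_record(pid, ppid, path, atom, signed=1):
    return {"PROCESS_ID": pid, "PARENT_PROCESS_ID": ppid, "FILE_PATH": path,
            "THIS_ATOM": atom, "FILE_IS_SIGNED": signed}


def sub_event(event_type, source, target, **fields):
    inner = {"PARENT_PROCESS_ID": source["PROCESS_ID"],
             "PROCESS_ID": target["PROCESS_ID"],
             "SOURCE": source, "TARGET": target, **fields}
    routing = {"event_type": event_type,
               "parent": source["THIS_ATOM"], "target": target["THIS_ATOM"]}
    return {"event": inner, "routing": routing}


EDGE = proc_record(5380, 5972, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                   "37b57d228af708b25d097f32659ee557")
SPPSVC = proc_record(4276, 628, r"C:\Windows\system32\sppsvc.exe",
                     "fe1dee93442392ea97becdad659ee516")
SAMPLE_THREAD_INJECTION = {
    "event": {"EVENTS": [
        sub_event("REMOTE_PROCESS_HANDLE", EDGE, SPPSVC, ACCESS_FLAGS=2097151),
        sub_event("NEW_REMOTE_THREAD", EDGE, SPPSVC, THREAD_ID=3672),
    ]},
    "ts": "2024-01-10 18:43:39",
}

LSASS = proc_record(636, 484, r"C:\WINDOWS\system32\lsass.exe",
                    "98ffb0230c694f750671c7387b535b9b")
MSMPENG = proc_record(4148, 620,
                      r"\Device\HarddiskVolume1\ProgramData\Microsoft\Windows Defender\Platform\4.18.1902.2-0\MsMpEng.exe",
                      "69a5a90aade375d2860c76701ba8d701")
SAMPLE_SENSITIVE_ACCESS = {"EVENTS": [
    {"event": LSASS, "routing": {"event_type": "NEW_PROCESS"}},  # event_type assumed
    sub_event("REMOTE_PROCESS_HANDLE", MSMPENG, LSASS, ACCESS_FLAGS=2097151),
]}

if __name__ == "__main__":
    print(summarize_injection(SAMPLE_THREAD_INJECTION))
    print(summarize_injection(SAMPLE_SENSITIVE_ACCESS))
```

The atom check matters because a rule that keys on routing/parent and routing/target (as the NEW_REMOTE_THREAD description suggests) and one that reads the embedded SOURCE/TARGET records should name the same two processes; a mismatch points at a stitching problem in the event rather than at the hosts involved. The MsMpEng.exe sample is the kind of legitimate all-access handle to lsass.exe that an allow-list on source path and signature state would normally suppress.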