Sysmon Event ID 10

SourceSysmon
Discussions on Event ID 10
Ask a question about this event

10: ProcessAccess

This is an event from Sysmon.

On this page

The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it generally should only be done so with filters that remove expected accesses.

Free Security Log Resources by Randy

Description Fields in 10

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • SourceProcessGUID
  • SourceProcessId
  • SourceThreadId
  • SourceImage
  • TargetProcessGUID
  • TargerProcessId
  • TargetImage
  • GrantedAccess
  • CallTrace

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 10

Process accessed:
UtcTime: 2017-05-15 00:02:01.463
SourceProcessGUID: {d49b2de5-efa6-5918-0000-00104d553c00}
SourceProcessId: 4704
SourceThreadId: 4124
SourceImage: C:\mimikatz\x64\mimikatz.exe
TargetProcessGUID: {d49b2de5-e852-5918-0000-00100b0f0700}
TargetProcessId: 1576
TargetImage: C:\Windows\system32\winlogon.exe
GrantedAccess: 0x40
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\system32\KERNELBASE.dll+1e865|C:\mimikatz\x64\mimikatz.exe+77ad|C:\mimikatz\x64\mimikatz.exe+7759|C:\mimikatz\x64\mimikatz.exe+f095|C:\mimikatz\x64\mimikatz.exe+6610a|C:\mimikatz\x64\mimikatz.exe+65dc4|C:\mimikatz\x64\mimikatz.exe+4ac00|C:\mimikatz\x64\mimikatz.exe+4aa36|C:\mimikatz\x64\mimikatz.exe+4a81d|C:\mimikatz\x64\mimikatz.exe+6ebe5|C:\Windows\system32\KERNEL32.DLL+18102|C:\Windows\SYSTEM32\ntdll.dll+5c5b4

 

Event XML:
 
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>10</EventID>
        <Version>3</Version>
        <Level>4</Level>
        <Task>10</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-05-15T00:02:01.824936300Z" />
        <EventRecordID>1406</EventRecordID>
        <Correlation />
        <Execution ProcessID="6304" ThreadID="6360" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>Ransom1</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="UtcTime">2017-05-15 00:02:01.463</Data>
        <Data Name="SourceProcessGUID">{D49B2DE5-EFA6-5918-0000-00104D553C00}</Data>
        <Data Name="SourceProcessId">4704</Data>
        <Data Name="SourceThreadId">4124</Data>
        <Data Name="SourceImage">C:\mimikatz\x64\mimikatz.exe</Data>
        <Data Name="TargetProcessGUID">{D49B2DE5-E852-5918-0000-00100B0F0700}</Data>
        <Data Name="TargetProcessId">1576</Data>
        <Data Name="TargetImage">C:\Windows\system32\winlogon.exe</Data>
        <Data Name="GrantedAccess">0x40</Data>
        <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\system32\KERNELBASE.dll+1e865|C:\mimikatz\x64\mimikatz.exe+77ad|C:\mimikatz\x64\mimikatz.exe+7759|C:\mimikatz\x64\mimikatz.exe+f095|C:\mimikatz\x64\mimikatz.exe+6610a|C:\mimikatz\x64\mimikatz.exe+65dc4|C:\mimikatz\x64\mimikatz.exe+4ac00|C:\mimikatz\x64\mimikatz.exe+4aa36|C:\mimikatz\x64\mimikatz.exe+4a81d|C:\mimikatz\x64\mimikatz.exe+6ebe5|C:\Windows\system32\KERNEL32.DLL+18102|C:\Windows\SYSTEM32\ntdll.dll+5c5b4</Data>
    </EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources