Data Source: Sysmon EventID 10

Description

Sysmon EventID 10 (ProcessAccess) is logged when one process opens a handle to another process, as happens for memory reads or code injection. The event records the source and target process (image path, process ID and GUID), the access mask that was granted (GrantedAccess) and the call stack of the requesting thread (CallTrace).

Details

Property | Value
Source | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype | XmlWinEventLog
Separator | EventID

Name | Technique | Type
Access LSASS Memory for Dump Creation | LSASS Memory | TTP
Detect Credential Dumping through LSASS access | LSASS Memory | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP
Spoolsv Suspicious Process Access | Exploitation for Privilege Escalation | TTP
Windows Access Token Manipulation Winlogon Duplicate Token Handle | Token Impersonation/Theft | Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Token Impersonation/Theft | Anomaly
Windows Handle Duplication in Known UAC-Bypass Binaries | Token Impersonation/Theft | Anomaly
Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting
Windows Non-System Account Targeting Lsass | LSASS Memory | TTP
Windows Possible Credential Dumping | LSASS Memory | TTP
Windows Process Injection into Commonly Abused Processes | Portable Executable Injection | Anomaly
Windows Process Injection into Notepad | Portable Executable Injection | Anomaly
Windows Terminating Lsass Process | Disable or Modify Tools | Anomaly
Windows WMI Impersonate Token | Windows Management Instrumentation | Anomaly

Supported Apps

Event Fields

  • _time
  • CallTrace
  • Channel
  • Computer
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • GrantedAccess
  • Guid
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessID
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SourceImage
  • SourceProcessGUID
  • SourceProcessId
  • SourceThreadId
  • SystemTime
  • System_Props_Xml
  • TargetImage
  • TargetProcessGUID
  • TargetProcessId
  • Task
  • ThreadID
  • TimeCreated
  • UserID
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc
  • dvc_nt_host
  • event_id
  • eventtype
  • granted_access
  • host
  • id
  • index
  • linecount
  • os
  • parent_process_exec
  • parent_process_guid
  • parent_process_id
  • parent_process_name
  • parent_process_path
  • process_exec
  • process_guid
  • process_id
  • process_name
  • process_path
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>10</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>10</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2022-02-01T21:01:44.672666100Z'/>
    <EventRecordID>150624412</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2992' ThreadID='3220'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-128.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2022-02-01 21:01:44.670</Data>
    <Data Name='SourceProcessGUID'>{3BF36828-9F6D-61F9-390A-02000000CF01}</Data>
    <Data Name='SourceProcessId'>1272</Data>
    <Data Name='SourceThreadId'>956</Data>
    <Data Name='SourceImage'>C:\Tools\Rubeus.exe</Data>
    <Data Name='TargetProcessGUID'>{3BF36828-4B37-61E8-0900-00000000CF01}</Data>
    <Data Name='TargetProcessId'>572</Data>
    <Data Name='TargetImage'>C:\Windows\system32\winlogon.exe</Data>
    <Data Name='GrantedAccess'>0x1f3fff</Data>
    <Data Name='CallTrace'>C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C)</Data>
  </EventData>
</Event>

Required Output Fields

  • dest
  • user_id
  • parent_process_name
  • parent_process_guid
  • process_name
  • process_guid
  • process_id
  • signature
  • SourceImage
  • TargetImage
  • GrantedAccess
  • CallTrace
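The following added example (not part of this page or of Splunk's own content) parses the event above into the required fields, expands GrantedAccess into the named process rights from the Windows SDK, and flags a handle to one of the processes this page's detections target (lsass.exe, winlogon.exe) when the granted rights include memory access or thread creation. The sample event is the page's example log abridged to the elements used; the watch-list and the set of rights treated as risky are constructed choices, not a Splunk definition.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h; GrantedAccess is a bitmask of these.
PROCESS_RIGHTS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the source read/write the target's memory or run a thread in it (constructed choice).
MEMORY_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"}
# Targets named by this page's detections (constructed watch-list, extend as needed).
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe"}
# The page's example log, trimmed to the elements used here (constructed abridgement).
SAMPLE = (
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    r"<System><EventID>10</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
    r"<Computer>win-dc-128.attackrange.local</Computer><Security UserID='S-1-5-18'/></System>"
    r"<EventData><Data Name='UtcTime'>2022-02-01 21:01:44.670</Data>"
    r"<Data Name='SourceImage'>C:\Tools\Rubeus.exe</Data>"
    r"<Data Name='TargetImage'>C:\Windows\system32\winlogon.exe</Data>"
    r"<Data Name='GrantedAccess'>0x1f3fff</Data><Data Name='CallTrace'>C:\Windows\SYSTEM32\ntdll.dll+a6134|"
    r"C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFD8E245F0C)</Data></EventData></Event>"
)

def parse_event(xml_text):
    """Extract the fields this data source requires from one XML event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    ev = {"EventID": int(system.find("e:EventID", NS).text),
          "dest": system.find("e:Computer", NS).text,
          "user_id": system.find("e:Security", NS).get("UserID")}
    ev.update((k, data[k]) for k in ("SourceImage", "TargetImage", "GrantedAccess", "CallTrace"))
    return ev

def decode_access(mask_hex):
    """Expand a GrantedAccess value such as 0x1f3fff into its named rights."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def is_suspicious(ev):
    """True when a watch-listed process is opened with memory or thread-creation rights."""
    target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
    rights = set(decode_access(ev["GrantedAccess"]))
    return target in SENSITIVE_TARGETS and bool(rights & MEMORY_RIGHTS)
```

A handle with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) to the same target is not flagged, which is the distinction the LSASS and Winlogon detections listed above rely on.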


Source: GitHub | Version: 3