Processes

Overview

Evidence: Processes
Description: Collect Processes
Category: System
Platform: macos
Short Name: process
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Process information provides a snapshot of all running processes on macOS, including command lines, parent-child relationships, and protection flags. This data is essential for understanding system activity, detecting malicious processes, and identifying unauthorized execution.

Data Collected

This collector gathers structured data about processes.

Processes Data

Field	Description	Example
ProcessId	Process Id	123
CSTime	CS Time	2023-10-15 14:30:25+03:00
StartTime	Start Time	2023-10-15 14:30:25+03:00
Command	Command	Example value
CommandLine	Command Line	Example value
State	State	Example value
SecureProcess	Secure Process	123
VirtualProcess	Virtual Process	123
ProtectionType	Protection Type	Example value
Cwd	Cwd	Example value
VirtualRootDir	Virtual Root Dir	Example value
Executable	Executable	Example value
IsExecutableExists	Is Executable Exists	true
Environment	Environment	Example value
LastChangeTime	Last Change Time	2023-10-15 14:30:25+03:00
AccessTime	Access Time	2023-10-15 14:30:25+03:00
ModificationTime	Modification Time	2023-10-15 14:30:25+03:00
SizeInBytes	Size In Bytes	123
Hash	Hash	Example value
ParentId	Parent Id	123
UserId	User Id	123
UserName	User Name	Example value
EffectiveUserId	Effective User Id	123
EffectiveUserName	Effective User Name	Example value
SavedUserId	Saved User Id	123
SavedUserName	Saved User Name	Example value
GroupId	Group Id	123
EffectiveGroupId	Effective Group Id	123
SavedGroupId	Saved Group Id	123
Threads	Threads	123
Nice	Nice	123

Collection Method

This collector parses the necessary data from the processes table via osquery.

Forensic Value

This evidence is crucial for forensic investigations as it reveals active applications and services, enabling detection of malware, process injection, backdoors, and persistence mechanisms.