Running Processes and Modules
Overview
Evidence: Running Processes and Modules
Description: Collect running processes and modules list
Category: System
Platform: windows
Short Name: pri
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows processes are instances of executing programs. Each process has its own virtual memory space, security context, and system resources. Understanding running processes is fundamental to incident response and threat hunting.
The Process Environment Block (PEB) contains important process information including command line arguments, loaded modules, and environment variables. Windows maintains detailed information about each process including creation time, parent-child relationships, and security identifiers.
Data Collected
This collector gathers structured data about running processes and modules.
Running Processes and Modules Data
Process records:

| Field | Description | Example |
|---|---|---|
| ProcessID | Process identifier | 1234 |
| ParentID | Parent process identifier | 5678 |
| SessionID | Session identifier | 1 |
| Object | Kernel object address | 0xFFFF8A8012345678 |
| PEB | Process Environment Block address | 0x000000007FFD0000 |
| BaseAddress | Base address of the process image | 0x00007FF6ABC00000 |
| CreationTime | Process creation timestamp | 2023-10-15T14:30:00 |
| Is32Bit | Whether process is 32-bit | TRUE/FALSE |
| SID | Security identifier | S-1-5-21-… |
| Username | User account name | DOMAIN\user |
| Name | Process name | chrome.exe |
| CommandLine | Full command line | "C:\Program Files\Chrome\chrome.exe" --type=renderer |
| ProcessPath | Full path to executable | C:\Program Files\Chrome\chrome.exe |
| BasePriority | Process base priority | 8 |
| IsVirtualProcess | Whether process is virtual | FALSE |
| ProcessRowID | Foreign key to process | 1 |

Module records (one row per module loaded in a process):

| Field | Description | Example |
|---|---|---|
| DllPath | Path to loaded module | C:\Windows\System32\kernel32.dll |
| DllBase | Base address where DLL is loaded | 0x00007FFE12340000 |
| EntryPoint | DLL entry point address | 0x00007FFE12341000 |
| SizeOfImage | Size of the loaded image | 524288 |
| LoadCount | Module load count | 1 |
| ProcessRowID | Foreign key to process | 1 |

Thread records (one row per thread in a process):

| Field | Description | Example |
|---|---|---|
| ThreadID | Thread identifier | 9876 |
| Win32StartAddress | Win32 start address | 0x00007FF6ABC12340 |
| StartAddress | Kernel start address | 0x00007FF6ABC12340 |
| CreateTime | Thread creation timestamp | 2023-10-15T14:30:05 |
| StackBase | Stack base address | 0x0000001234560000 |
| StackLimit | Stack limit address | 0x0000001234520000 |
| State | Thread state | 5 |
| WaitReason | Reason for waiting | 0 |
| BasePriority | Thread base priority | 8 |
| Priority | Current priority | 8 |
| ProcessRowID | Foreign key to process | 1 |

Handle records (one row per open handle in a process):

| Field | Description | Example |
|---|---|---|
| Handle | Handle value | 0x1234 |
| HandleType | Type of object | File |
| HandleName | Name or path of object | \Device\HarddiskVolume3\Windows\System32\kernel32.dll |
| HandleAccess | Access rights | 0x12019F |
| HandleAttributes | Handle attributes | 0 |
| HandleObject | Kernel object address | 0xFFFF8A8012345678 |
| ProcessRowID | Foreign key to process | 1 |
Collection Method
This collector uses a kernel driver to enumerate running processes and gather detailed information including:
- Process list from kernel
- Detailed process information via IOCTL calls
- Module enumeration from PEB
- Thread enumeration
- Handle enumeration
- Command line parsing to extract file paths
Forensic Value
Process information is fundamental for incident response and threat hunting. Investigators use this data to identify malicious processes, detect process injection, analyze parent-child relationships, identify suspicious command lines, track loaded DLLs, detect thread injection, enumerate open handles to files and registry keys, and establish process execution timelines. This evidence is particularly valuable for detecting living-off-the-land attacks, fileless malware, and process manipulation techniques.
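The following is an added example, not part of this documentation and not the collector's own code. It shows how an analyst might triage the process, module and thread records described above: it extracts the image path from a CommandLine the way the Collection Method section describes (quoted and unquoted forms), then applies four of the checks named under Forensic Value, namely a command line whose image differs from ProcessPath, a thread whose StartAddress is not covered by any loaded module (a classic thread-injection indicator), a module loaded from a user-writable directory, and an unexpected parent process. The dataclasses mirror the documented field names; the sample records, the `EXPECTED_PARENT` policy and the user-writable path patterns are constructed assumptions for the demo, not collector output or a complete rule set.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Module:
    DllPath: str
    DllBase: int
    SizeOfImage: int


@dataclass
class Thread:
    ThreadID: int
    StartAddress: int


@dataclass
class Process:
    ProcessID: int
    ParentID: int
    Name: str
    CommandLine: str
    ProcessPath: str
    # The PEB loader list begins with the executable image itself, so the
    # main image is kept here alongside the DLLs and counts as "backed by a module".
    Modules: List[Module] = field(default_factory=list)
    Threads: List[Thread] = field(default_factory=list)


# Example policy (an assumption for this demo): well-known parent/child pairs.
EXPECTED_PARENT: Dict[str, str] = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}


def executable_from_command_line(cmdline: str) -> str:
    """Return the image path from a command line: a double-quoted path followed
    by arguments, or an unquoted path terminated by the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def module_containing(proc: Process, address: int) -> Optional[Module]:
    """Return the loaded module whose [DllBase, DllBase+SizeOfImage) range covers address."""
    for m in proc.Modules:
        if m.DllBase <= address < m.DllBase + m.SizeOfImage:
            return m
    return None


def triage(procs: List[Process]) -> List[str]:
    """Apply the four checks and return one human-readable finding per hit."""
    by_pid = {p.ProcessID: p for p in procs}
    findings: List[str] = []
    for p in procs:
        tag = f"{p.Name} (PID {p.ProcessID})"
        # 1. The command line names a different image than the one actually mapped.
        claimed = executable_from_command_line(p.CommandLine)
        if claimed.lower() != p.ProcessPath.lower():
            findings.append(f"{tag}: command line names {claimed} but the mapped image is {p.ProcessPath}")
        # 2. A thread start address that no loaded module covers.
        for t in p.Threads:
            if module_containing(p, t.StartAddress) is None:
                findings.append(f"{tag}: thread {t.ThreadID} starts at {t.StartAddress:#x}, outside every loaded module")
        # 3. A module loaded from a user-writable location (constructed pattern list).
        for m in p.Modules:
            low = m.DllPath.lower()
            if "\\temp\\" in low or "\\appdata\\" in low:
                findings.append(f"{tag}: module loaded from user-writable path {m.DllPath}")
        # 4. Parent process differs from the expected one for this image name.
        parent = by_pid.get(p.ParentID)
        expected = EXPECTED_PARENT.get(p.Name.lower())
        if parent is not None and expected is not None and parent.Name.lower() != expected:
            findings.append(f"{tag}: parent is {parent.Name} (PID {parent.ProcessID}), expected {expected}")
    return findings


# Constructed sample records in the documented schema (not real collector output).
SAMPLE: List[Process] = [
    Process(5678, 1000, "explorer.exe", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
            Modules=[Module(r"C:\Windows\explorer.exe", 0x7FF700000000, 0x400000)],
            Threads=[Thread(100, 0x7FF700001000)]),
    Process(1234, 5678, "chrome.exe", r'"C:\Program Files\Chrome\chrome.exe" --type=renderer',
            r"C:\Program Files\Chrome\chrome.exe",
            Modules=[Module(r"C:\Program Files\Chrome\chrome.exe", 0x7FF6ABC00000, 0x200000),
                     Module(r"C:\Windows\System32\kernel32.dll", 0x7FFE12340000, 0x80000)],
            Threads=[Thread(9876, 0x7FF6ABC12340)]),
    Process(4321, 5678, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs",
            r"C:\Users\Public\svchost.exe",
            Modules=[Module(r"C:\Users\Public\svchost.exe", 0x7FF600000000, 0x10000),
                     Module(r"C:\Users\alice\AppData\Local\Temp\helper.dll", 0x7FFE00000000, 0x20000)],
            Threads=[Thread(777, 0x1F0000)]),
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against the sample, the explorer.exe and chrome.exe records produce nothing, while the svchost.exe record trips all four checks. In practice the user-writable path list and the expected-parent map would be tuned to the environment, and the thread check should be read together with Win32StartAddress and the handle records before drawing conclusions.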