SysmonProcess AccessEnhanced Analysis

Event 10: Process Accessed

Quick Answer

Sysmon Event 10 logs when one process opens a handle to another process, typically for reading memory. This event is essential for detecting credential dumping attacks (like Mimikatz accessing LSASS), process injection, and various advanced attack techniques that require process memory access.

Technical Details

Sysmon Source

Event ID: 10

Sysmon- Process Access

Event Description

Reports when a process opens another process memory. This is often required for reading and writing memory sections, and is used by tools like Mimikatz to access LSASS process memory.

Key Log Fields

  • UtcTime - UTC timestamp of process access
  • SourceProcessGuid - Source process GUID accessing target
  • SourceProcessId - Source process PID
  • SourceThreadId - Source thread ID
  • SourceImage - Source process executable path
  • TargetProcessGuid - Target process GUID being accessed
  • TargetProcessId - Target process PID
  • TargetImage - Target process executable path (e.g., lsass.exe, csrss.exe)
  • GrantedAccess - Access rights granted (hex value, e.g., 0x1010=PROCESS_VM_READ)
  • CallTrace - Call stack trace showing modules involved in the access

MITRE ATT&CK® Mapping (6)

T1003credential-access
OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

T1003.001credential-access
LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: * <code>procdump -ma lsass.exe lsass_dump</code> Locally, mimikatz can be run using: * <code>sekurlsa::Minidump lsassdump.dmp</code> * <code>sekurlsa::logonPasswords</code> Built-in Windows tools such as `comsvcs.dll` can also be used: * <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector) Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS) Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials: * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

T1055defense-evasion, privilege-escalation
Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

T1552.001credential-access
Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP) In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

Event Comparison

Event 10 detects the access attempt itself. Combine with Event 11 (File Create) to catch dumped credential files, and Event 3 (Network Connection) to detect exfiltration of stolen credentials.

What This Event Means

Sysmon Event 10 captures process access events where one process opens a handle to another process, usually to read or manipulate its memory space. This event records the source process performing the access, the target process being accessed, the access permissions requested (such as PROCESS_VM_READ for reading memory), and both process IDs. The most critical use case for Event 10 is detecting credential theft attacks where tools like Mimikatz, ProcDump, or other credential dumpers access the Local Security Authority Subsystem Service (LSASS) process to extract plaintext passwords, password hashes, and Kerberos tickets from memory. LSASS is a high-value target for attackers because it stores authentication credentials in memory for all logged-on users, and compromising LSASS effectively gives attackers the keys to the kingdom. Event 10 also reveals process injection techniques where attackers inject malicious code into legitimate processes to evade detection, as the injection requires opening handles to target processes with specific memory access rights. Security analysts configure alerts for any non-system process accessing LSASS, as legitimate software rarely needs to read LSASS memory. The event's granted access mask field indicates what level of access was obtained, helping analysts assess the severity - for example, PROCESS_VM_READ combined with PROCESS_QUERY_INFORMATION are strong indicators of credential dumping attempts. The source process path and command line provide additional context about whether the access is from a legitimate administrative tool or an unknown executable that may be malicious.

Security Implications

  • Any non-system process accessing lsass.exe strongly indicates credential dumping attempts
  • Process access from temporary directories or user folders suggests attacker tools like Mimikatz
  • Access patterns with PROCESS_VM_READ permissions often precede credential theft or code injection
  • After-hours LSASS access from workstations indicates potential adversary activity during off-peak hours
  • Multiple process access events in rapid succession may indicate automated attack tool execution

Detection Strategies

Create high-priority alerts for any process accessing lsass.exe except explicitly whitelisted system processes and security software. Monitor the source process image path and flag access from unsigned executables or those outside System32/Program Files directories. Alert on process access from known LOLBins (Living Off The Land Binaries) like rundll32, regsvr32, or PowerShell that attackers use to proxy malicious activity. Track the granted access rights in the event and prioritize access requests that include memory read permissions. Correlate Event 10 with process creation (Event 1) to understand what spawned the process attempting access. Monitor for access to other sensitive targets beyond LSASS including security software processes and privileged service accounts. Implement user behavior analytics to detect abnormal patterns such as service accounts or regular users whose processes suddenly begin accessing sensitive process memory. Detailed detection rules and baseline configuration guidance for Sysmon Event 10 will be provided in subsequent releases.

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • Mimikatz credential dumping produces distinctive Sysmon Event 10 patterns when accessing lsass.exe with specific access rights

  • Cobalt Strike's process injection and credential theft modules generate Event 10 logs showing beacon processes accessing lsass and other targets

  • FIN6 threat group uses procdump and other LSASS dumping tools that are clearly visible in Sysmon Event 10 during active operations

Contents