Closed jdu2600 closed 1 year ago
Elastic Defend includes OpenProcess (and OpenThread) events.
The primary relevant fields are -
process.Ext.api.name
process.Ext.api.parameters.desired_access[]
process.Ext.api.parameters.handle_type
Target.process.pid
process.thread.Ext.call_stack[]
Here is a credential_access_lsass_openprocess_api detection rule written using these events. And here is a screenshot of a sample event.
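As an added illustration (not jdu2600's rule and not Elastic's credential_access_lsass_openprocess_api logic), here is a simplified Python check over constructed OpenProcess events shaped like the fields listed above. It assumes desired_access carries Windows access-right names as strings, that Target.process.name is present alongside Target.process.pid, and that call_stack frames expose a symbol_info string such as "module!symbol+offset" or "Unbacked+offset".

```python
# Added example, not Elastic's credential_access_lsass_openprocess_api rule:
# a simplified check over constructed Elastic Defend OpenProcess events using
# the fields listed in the issue. Assumed for illustration: desired_access holds
# Windows access-right names as strings, Target.process.name is present, and
# call_stack frames carry symbol_info like "module!symbol+off" or "Unbacked+off".

# Rights that permit reading LSASS memory (assumed spelling).
SENSITIVE_ACCESS = {"PROCESS_VM_READ", "PROCESS_ALL_ACCESS"}


def get_field(event: dict, path: str):
    """Walk a dotted ECS path such as 'process.Ext.api.name'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def lsass_open_reasons(event: dict) -> list:
    """Reasons an OpenProcess event looks like LSASS credential access ([] = benign)."""
    if get_field(event, "process.Ext.api.name") != "OpenProcess":
        return []
    if get_field(event, "process.Ext.api.parameters.handle_type") != "process":
        return []
    if (get_field(event, "Target.process.name") or "").lower() != "lsass.exe":
        return []
    reasons = []
    access = set(get_field(event, "process.Ext.api.parameters.desired_access") or [])
    hit = access & SENSITIVE_ACCESS
    if hit:
        reasons.append("memory-read access to lsass: " + ", ".join(sorted(hit)))
    for frame in get_field(event, "process.thread.Ext.call_stack") or []:
        sym = frame.get("symbol_info", "")
        if sym.startswith("Unbacked"):  # caller not backed by a file on disk
            reasons.append("unbacked call stack frame: " + sym)
            break
    return reasons


# Constructed sample events (not captured data).
BENIGN = {"process": {"Ext": {"api": {"name": "OpenProcess", "parameters": {
    "handle_type": "process", "desired_access": ["PROCESS_QUERY_LIMITED_INFORMATION"]}}},
    "thread": {"Ext": {"call_stack": [{"symbol_info": "ntdll.dll!NtOpenProcess+0x14"}]}}},
    "Target": {"process": {"pid": 656, "name": "lsass.exe"}}}
SUSPICIOUS = {"process": {"Ext": {"api": {"name": "OpenProcess", "parameters": {
    "handle_type": "process", "desired_access": ["PROCESS_VM_READ", "PROCESS_QUERY_INFORMATION"]}}},
    "thread": {"Ext": {"call_stack": [{"symbol_info": "ntdll.dll!NtOpenProcess+0x14"},
                                      {"symbol_info": "Unbacked+0x1a2b"}]}}},
    "Target": {"process": {"pid": 656, "name": "lsass.exe"}}}
```

Running lsass_open_reasons over BENIGN returns an empty list, while SUSPICIOUS yields one reason for the memory-read right and one for the unbacked frame.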