# Processes

## Overview

**Evidence:** Processes\
**Description:** Collect Processes\
**Category:** System\
**Platform:** macos\
**Short Name:** process\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Process information provides a snapshot of all running processes on macOS, including command lines, parent-child relationships, and protection flags. This data is essential for understanding system activity, detecting malicious processes, and identifying unauthorized execution.

## Data Collected

This collector gathers structured data about processes.

### Processes Data

| Field                | Description                                      | Example                   |
| -------------------- | ------------------------------------------------ | ------------------------- |
| `ProcessId`          | Process ID (PID)                                 | 123                       |
| `CSTime`             | CS Time                                          | 2023-10-15 14:30:25+03:00 |
| `StartTime`          | Process start time                               | 2023-10-15 14:30:25+03:00 |
| `Command`            | Command (process name)                           | Example value             |
| `CommandLine`        | Full command line, including arguments           | Example value             |
| `State`              | Process state                                    | Example value             |
| `SecureProcess`      | Secure process flag                              | 123                       |
| `VirtualProcess`     | Virtual process flag                             | 123                       |
| `ProtectionType`     | Protection type                                  | Example value             |
| `Cwd`                | Current working directory                        | Example value             |
| `VirtualRootDir`     | Virtual root directory                           | Example value             |
| `Executable`         | Path to the executable                           | Example value             |
| `IsExecutableExists` | Whether the executable still exists on disk      | true                      |
| `Environment`        | Environment variables                            | Example value             |
| `LastChangeTime`     | Last change time                                 | 2023-10-15 14:30:25+03:00 |
| `AccessTime`         | Access time                                      | 2023-10-15 14:30:25+03:00 |
| `ModificationTime`   | Modification time                                | 2023-10-15 14:30:25+03:00 |
| `SizeInBytes`        | Size in bytes                                    | 123                       |
| `Hash`               | Hash                                             | Example value             |
| `ParentId`           | Parent process ID                                | 123                       |
| `UserId`             | Real user ID                                     | 123                       |
| `UserName`           | Real user name                                   | Example value             |
| `EffectiveUserId`    | Effective user ID                                | 123                       |
| `EffectiveUserName`  | Effective user name                              | Example value             |
| `SavedUserId`        | Saved user ID                                    | 123                       |
| `SavedUserName`      | Saved user name                                  | Example value             |
| `GroupId`            | Real group ID                                    | 123                       |
| `EffectiveGroupId`   | Effective group ID                               | 123                       |
| `SavedGroupId`       | Saved group ID                                   | 123                       |
| `Threads`            | Number of threads                                | 123                       |
| `Nice`               | Nice value (scheduling priority)                 | 123                       |

## Collection Method

This collector parses the necessary data from the `processes` table via osquery.
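As an added illustration (not the collector's own code), the snippet below triages records that use the field names documented above: it rebuilds the parent-child chain from `ParentId`, and flags rows whose executable is gone from disk (`IsExecutableExists` false) or whose effective UID differs from the real UID. The records are plain dicts and the sample rows are constructed for the example.

```python
"""Triage of Processes records keyed by the documented field names.
Sample rows below are constructed; they are not real collector output."""
from collections import defaultdict

# Constructed sample: a root launchd, a user shell chain, and one suspicious child
# whose binary has been deleted and which runs with an elevated effective UID.
SAMPLE_PROCESSES = [
    {"ProcessId": 1, "ParentId": 0, "Command": "launchd", "Executable": "/sbin/launchd",
     "IsExecutableExists": True, "UserId": 0, "EffectiveUserId": 0, "UserName": "root"},
    {"ProcessId": 350, "ParentId": 1, "Command": "Terminal",
     "Executable": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "IsExecutableExists": True, "UserId": 501, "EffectiveUserId": 501, "UserName": "alice"},
    {"ProcessId": 412, "ParentId": 350, "Command": "zsh", "Executable": "/bin/zsh",
     "IsExecutableExists": True, "UserId": 501, "EffectiveUserId": 501, "UserName": "alice"},
    {"ProcessId": 788, "ParentId": 412, "Command": "updater", "Executable": "/private/tmp/updater",
     "IsExecutableExists": False, "UserId": 501, "EffectiveUserId": 0, "UserName": "alice"},
]


def build_tree(rows):
    """Map each ParentId to the list of child ProcessIds."""
    children = defaultdict(list)
    for r in rows:
        children[r["ParentId"]].append(r["ProcessId"])
    return children


def ancestry(rows, pid):
    """Return the chain of Command names from the root down to pid.
    A `seen` set guards against PID reuse producing a cycle in stale data."""
    by_pid = {r["ProcessId"]: r for r in rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Command"])
        pid = by_pid[pid]["ParentId"]
    return list(reversed(chain))


def triage(rows):
    """Return (ProcessId, ancestry string, reasons) for rows worth an analyst's look."""
    findings = []
    for r in rows:
        reasons = []
        if not r["IsExecutableExists"]:
            reasons.append("executable no longer on disk")
        if r["UserId"] != r["EffectiveUserId"]:
            reasons.append(f"euid {r['EffectiveUserId']} differs from uid {r['UserId']}")
        if reasons:
            findings.append((r["ProcessId"], " > ".join(ancestry(rows, r["ProcessId"])), reasons))
    return findings
```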

## Forensic Value

This evidence is crucial for forensic investigations as it reveals active applications and services, enabling detection of malware, process injection, backdoors, and persistence mechanisms.
