Processes
Overview
| Property | Value |
| --- | --- |
| Evidence | Processes |
| Description | Collect Processes |
| Category | System |
| Platform | macos |
| Short Name | process |
| Is Parsed | Yes |
| Sent to Investigation Hub | Yes |
| Collect File(s) | No |
Background
Process information provides a snapshot of all running processes on macOS, including command lines, parent-child relationships, and protection flags. This data is essential for understanding system activity, detecting malicious processes, and identifying unauthorized execution.
Data Collected
This collector gathers structured data about processes.
Processes Data

| Field | Display Name | Example Value |
| --- | --- | --- |
| ProcessId | Process Id | 123 |
| CSTime | CS Time | 2023-10-15 14:30:25+03:00 |
| StartTime | Start Time | 2023-10-15 14:30:25+03:00 |
| Command | Command | Example value |
| CommandLine | Command Line | Example value |
| State | State | Example value |
| SecureProcess | Secure Process | 123 |
| VirtualProcess | Virtual Process | 123 |
| ProtectionType | Protection Type | Example value |
| Cwd | Cwd | Example value |
| VirtualRootDir | Virtual Root Dir | Example value |
| Executable | Executable | Example value |
| IsExecutableExists | Is Executable Exists | true |
| Environment | Environment | Example value |
| LastChangeTime | Last Change Time | 2023-10-15 14:30:25+03:00 |
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| ModificationTime | Modification Time | 2023-10-15 14:30:25+03:00 |
| SizeInBytes | Size In Bytes | 123 |
| Hash | Hash | Example value |
| ParentId | Parent Id | 123 |
| UserId | User Id | 123 |
| UserName | User Name | Example value |
| EffectiveUserId | Effective User Id | 123 |
| EffectiveUserName | Effective User Name | Example value |
| SavedUserId | Saved User Id | 123 |
| SavedUserName | Saved User Name | Example value |
| GroupId | Group Id | 123 |
| EffectiveGroupId | Effective Group Id | 123 |
| SavedGroupId | Saved Group Id | 123 |
| Threads | Threads | 123 |
| Nice | Nice | 123 |
Collection Method
This collector parses the necessary data from the processes table via osquery.
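The following is an added example, not the collector's own code, showing how rows from the osquery `processes` table map onto the field names listed above and how an analyst can triage the result. The SQL query and the JSON rows are constructed for illustration (osquery returns every column as a string; `on_disk` is 1 when the executable is still present, 0 when it has been removed, -1 when unknown); the collector's actual query and the non-osquery fields such as SecureProcess and ProtectionType are not covered here.

```python
"""Normalize osquery `processes` rows into the Processes evidence schema and
run a few triage checks over them. Added example with constructed sample data."""
import json
from datetime import datetime, timezone

# Assumed query for illustration; the collector's exact query is not documented on this page.
PROCESSES_QUERY = (
    "SELECT pid, parent, name, path, cmdline, state, cwd, root, on_disk, "
    "uid, euid, suid, gid, egid, sgid, threads, nice, start_time FROM processes;"
)

# Constructed rows shaped like `osqueryi --json` output (all values are strings).
SAMPLE_OSQUERY_JSON = """[
 {"pid":"1","parent":"0","name":"launchd","path":"/sbin/launchd","cmdline":"/sbin/launchd",
  "state":"R","cwd":"/","root":"/","on_disk":"1","uid":"0","euid":"0","suid":"0",
  "gid":"0","egid":"0","sgid":"0","threads":"4","nice":"0","start_time":"1697369425"},
 {"pid":"812","parent":"1","name":"Terminal",
  "path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
  "cmdline":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
  "state":"S","cwd":"/Users/alice","root":"/","on_disk":"1","uid":"501","euid":"501",
  "suid":"501","gid":"20","egid":"20","sgid":"20","threads":"12","nice":"0","start_time":"1697369500"},
 {"pid":"4321","parent":"812","name":"update","path":"/private/tmp/update",
  "cmdline":"/private/tmp/update -d","state":"S","cwd":"/private/tmp","root":"/",
  "on_disk":"0","uid":"501","euid":"0","suid":"0","gid":"20","egid":"0","sgid":"0",
  "threads":"2","nice":"0","start_time":"1697369600"}
]"""


def normalize(row):
    """Map one osquery row onto the evidence field names used on this page."""
    return {
        "ProcessId": int(row["pid"]),
        "ParentId": int(row["parent"]),
        "Command": row["name"],
        "CommandLine": row["cmdline"],
        "Executable": row["path"],
        # osquery on_disk: 1 = present, 0 = deleted since launch, -1 = unknown
        "IsExecutableExists": int(row["on_disk"]) == 1,
        "State": row["state"],
        "Cwd": row["cwd"],
        "VirtualRootDir": row["root"],
        "UserId": int(row["uid"]),
        "EffectiveUserId": int(row["euid"]),
        "SavedUserId": int(row["suid"]),
        "GroupId": int(row["gid"]),
        "EffectiveGroupId": int(row["egid"]),
        "SavedGroupId": int(row["sgid"]),
        "Threads": int(row["threads"]),
        "Nice": int(row["nice"]),
        # osquery reports start_time as a Unix epoch; emit an ISO-8601 UTC timestamp
        "StartTime": datetime.fromtimestamp(int(row["start_time"]), tz=timezone.utc).isoformat(),
    }


def parse_osquery_output(text):
    """Parse the JSON array produced by osqueryi --json into normalized records."""
    return [normalize(r) for r in json.loads(text)]


def ancestry(processes, pid):
    """Return the chain of Command names from pid up to the root of the tree."""
    by_pid = {p["ProcessId"]: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against cyclic parent data
        seen.add(pid)
        chain.append(by_pid[pid]["Command"])
        pid = by_pid[pid]["ParentId"]
    return chain


def triage(processes):
    """Flag the conditions an analyst would usually look at first."""
    findings = []
    for p in processes:
        if not p["IsExecutableExists"]:
            findings.append((p["ProcessId"], "executable no longer on disk"))
        if p["UserId"] != p["EffectiveUserId"]:
            findings.append((p["ProcessId"],
                             f"uid {p['UserId']} running with euid {p['EffectiveUserId']}"))
        if p["Executable"].startswith(("/tmp/", "/private/tmp/", "/var/tmp/")):
            findings.append((p["ProcessId"], "executable lives in a temp directory"))
    return findings


if __name__ == "__main__":
    procs = parse_osquery_output(SAMPLE_OSQUERY_JSON)
    for pid, reason in triage(procs):
        print(f"pid {pid}: {reason}; ancestry = {' <- '.join(ancestry(procs, pid))}")
```

On a live host the same rows come from `osqueryi --json "<query>"`, and the parent chain built by `ancestry` is what makes the ParentId field useful: a process whose binary has been deleted and whose uid and euid differ is a finding on its own, but knowing it was spawned from an interactive Terminal session is what turns it into a lead.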
Forensic Value
This evidence is crucial for forensic investigations as it reveals active applications and services, enabling detection of malware, process injection, backdoors, and persistence mechanisms.