Processes and Modules
Overview
| Property | Value |
| --- | --- |
| Evidence | Running Processes and Modules |
| Description | Collect running processes and modules list |
| Category | System |
| Platform | windows |
| Short Name | pri |
| Is Parsed | Yes |
| Sent to Investigation Hub | Yes |
| Collect File(s) | No |
Background
Windows processes are instances of executing programs. Each process has its own virtual memory space, security context, and system resources. Understanding running processes is fundamental to incident response and threat hunting.
The Process Environment Block (PEB) contains important process information including command line arguments, loaded modules, and environment variables. Windows maintains detailed information about each process including creation time, parent-child relationships, and security identifiers.
Data Collected
This collector gathers structured data about running processes and modules.
Running Processes and Modules Data

The collector produces four related record types. The process records are the parent table; module, thread and handle records each carry a ProcessRowID foreign key pointing at the process they belong to.

Process records

| Field | Description | Example |
| --- | --- | --- |
| ProcessID | Process identifier | 1234 |
| ParentID | Parent process identifier | 5678 |
| SessionID | Session identifier | 1 |
| Object | Kernel object address | 0xFFFF8A8012345678 |
| PEB | Process Environment Block address | 0x000000007FFD0000 |
| BaseAddress | Base address of the process image | 0x00007FF6ABC00000 |
| CreationTime | Process creation timestamp | 2023-10-15T14:30:00 |
| Is32Bit | Whether process is 32-bit | TRUE/FALSE |
| SID | Security identifier | S-1-5-21-... |
| Username | User account name | DOMAIN\user |
| Name | Process name | chrome.exe |
| CommandLine | Full command line | "C:\Program Files\Chrome\chrome.exe" --type=renderer |
| ProcessPath | Full path to executable | C:\Program Files\Chrome\chrome.exe |
| BasePriority | Process base priority | 8 |
| IsVirtualProcess | Whether process is virtual | FALSE |

Module records (one per loaded module)

| Field | Description | Example |
| --- | --- | --- |
| ProcessRowID | Foreign key to process | 1 |
| DllPath | Path to loaded module | C:\Windows\System32\kernel32.dll |
| DllBase | Base address where DLL is loaded | 0x00007FFE12340000 |
| EntryPoint | DLL entry point address | 0x00007FFE12341000 |
| SizeOfImage | Size of the loaded image | 524288 |
| LoadCount | Module load count | 1 |

Thread records (one per thread)

| Field | Description | Example |
| --- | --- | --- |
| ProcessRowID | Foreign key to process | 1 |
| ThreadID | Thread identifier | 9876 |
| Win32StartAddress | Win32 start address | 0x00007FF6ABC12340 |
| StartAddress | Kernel start address | 0x00007FF6ABC12340 |
| CreateTime | Thread creation timestamp | 2023-10-15T14:30:05 |
| StackBase | Stack base address | 0x0000001234560000 |
| StackLimit | Stack limit address | 0x0000001234520000 |
| State | Thread state | 5 |
| WaitReason | Reason for waiting | 0 |
| BasePriority | Thread base priority | 8 |
| Priority | Current priority | 8 |

Handle records (one per open handle)

| Field | Description | Example |
| --- | --- | --- |
| ProcessRowID | Foreign key to process | 1 |
| Handle | Handle value | 0x1234 |
| HandleType | Type of object | File |
| HandleName | Name or path of object | \Device\HarddiskVolume3\Windows\System32\kernel32.dll |
| HandleAccess | Access rights | 0x12019F |
| HandleAttributes | Handle attributes | 0 |
| HandleObject | Kernel object address | 0xFFFF8A8012345678 |
Collection Method
This collector uses a kernel driver to enumerate running processes and gather detailed information including:

- Process list from kernel
- Detailed process information via IOCTL calls
- Module enumeration from PEB
- Thread enumeration
- Handle enumeration
- Command line parsing to extract file paths
Forensic Value
Process information is fundamental for incident response and threat hunting. Investigators use this data to identify malicious processes, detect process injection, analyze parent-child relationships, identify suspicious command lines, track loaded DLLs, detect thread injection, enumerate open handles to files and registry keys, and establish process execution timelines. This evidence is particularly valuable for detecting living-off-the-land attacks, fileless malware, and process manipulation techniques.
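The checks listed above (parent-child analysis, loaded-DLL review, thread injection detection) can be expressed directly over the four record types this collector emits. The following is an added example, not code from the collector or its vendor: it joins constructed process, module and thread rows shaped like the documented columns (all PIDs, addresses, paths and timestamps are illustrative) and runs a few triage checks over them. The `EXPECTED_PARENTS` baseline and `USER_WRITABLE_HINTS` path list are analyst-maintained assumptions, not values from the page; the PID-reuse guard in `parent_of` shows why ParentID should always be read together with CreationTime.

```python
"""Triage checks over the collector's process, module and thread records.

Added example, not the collector's own code. Every row below is constructed
sample data shaped like the documented columns; PIDs, addresses, paths and
timestamps are illustrative. ProcessRowID joins child records to a process.
"""
from typing import Dict, List, Optional

PROCESSES = [
    {"RowID": 1, "ProcessID": 5678, "ParentID": 900, "Name": "explorer.exe",
     "ProcessPath": r"C:\Windows\explorer.exe", "BaseAddress": 0x00007FF700000000,
     "CreationTime": "2023-10-15T09:00:00"},
    {"RowID": 2, "ProcessID": 1234, "ParentID": 5678, "Name": "chrome.exe",
     "ProcessPath": r"C:\Program Files\Chrome\chrome.exe",
     "BaseAddress": 0x00007FF6ABC00000, "CreationTime": "2023-10-15T14:30:00"},
    {"RowID": 3, "ProcessID": 4321, "ParentID": 5678, "Name": "svchost.exe",
     "ProcessPath": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "BaseAddress": 0x00007FF6DEAD0000, "CreationTime": "2023-10-15T15:00:00"},
    # ParentID 4321 was created AFTER this process: the PID was reused, so the
    # recorded parent is stale and must not be used for lineage analysis.
    {"RowID": 4, "ProcessID": 2222, "ParentID": 4321, "Name": "notepad.exe",
     "ProcessPath": r"C:\Windows\System32\notepad.exe",
     "BaseAddress": 0x00007FF650000000, "CreationTime": "2023-10-15T14:59:00"},
]
MODULES = [
    {"ProcessRowID": 2, "DllPath": r"C:\Program Files\Chrome\chrome.exe",
     "DllBase": 0x00007FF6ABC00000, "SizeOfImage": 0x200000},
    {"ProcessRowID": 2, "DllPath": r"C:\Windows\System32\kernel32.dll",
     "DllBase": 0x00007FFE12340000, "SizeOfImage": 524288},
    {"ProcessRowID": 2, "DllPath": r"C:\Users\user\AppData\Local\Temp\helper.dll",
     "DllBase": 0x00007FFE00000000, "SizeOfImage": 0x8000},
]
THREADS = [
    {"ProcessRowID": 2, "ThreadID": 9876, "Win32StartAddress": 0x00007FF6ABC12340},
    {"ProcessRowID": 2, "ThreadID": 9877, "Win32StartAddress": 0x000001F400001000},
]

# Analyst-maintained baselines (assumptions for this example, not from the page)
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}}
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

BY_PID = {p["ProcessID"]: p for p in PROCESSES}
BY_ROW = {p["RowID"]: p for p in PROCESSES}


def parent_of(proc: Dict) -> Optional[Dict]:
    """Resolve ParentID, rejecting a parent created after the child (PID reuse)."""
    parent = BY_PID.get(proc["ParentID"])
    if parent is None or parent["CreationTime"] > proc["CreationTime"]:
        return None
    return parent


def unexpected_parents() -> List[str]:
    """Names of baselined processes whose resolved parent is not the expected one."""
    findings = []
    for proc in PROCESSES:
        expected = EXPECTED_PARENTS.get(proc["Name"].lower())
        if expected is None:
            continue
        parent = parent_of(proc)
        if parent is None or parent["Name"].lower() not in expected:
            findings.append(proc["Name"])
    return findings


def stale_parents() -> List[int]:
    """PIDs whose ParentID exists in the snapshot but points at a reused PID."""
    return [p["ProcessID"] for p in PROCESSES
            if p["ParentID"] in BY_PID and parent_of(p) is None]


def images_in_user_writable_paths() -> List[int]:
    """PIDs whose executable (ProcessPath) lives in a user-writable location."""
    return [p["ProcessID"] for p in PROCESSES
            if any(h in p["ProcessPath"].lower() for h in USER_WRITABLE_HINTS)]


def modules_in_user_writable_paths() -> List[str]:
    """DllPath values under user-writable locations, main image excluded."""
    hits = []
    for m in MODULES:
        if m["DllBase"] == BY_ROW[m["ProcessRowID"]]["BaseAddress"]:
            continue  # the process image itself is covered by the check above
        if any(h in m["DllPath"].lower() for h in USER_WRITABLE_HINTS):
            hits.append(m["DllPath"])
    return hits


def unbacked_threads() -> List[int]:
    """ThreadIDs whose Win32StartAddress lies outside every module of the process."""
    hits = []
    for t in THREADS:
        ranges = [(m["DllBase"], m["DllBase"] + m["SizeOfImage"])
                  for m in MODULES if m["ProcessRowID"] == t["ProcessRowID"]]
        addr = t["Win32StartAddress"]
        if not any(lo <= addr < hi for lo, hi in ranges):
            hits.append(t["ThreadID"])  # candidate for injected or unpacked code
    return hits


if __name__ == "__main__":
    print("unexpected parents:", unexpected_parents())
    print("stale ParentIDs:", stale_parents())
    print("images in user-writable paths:", images_in_user_writable_paths())
    print("modules in user-writable paths:", modules_in_user_writable_paths())
    print("threads without a backing module:", unbacked_threads())
```

On the sample data the checks flag svchost.exe (parent is explorer.exe rather than the baselined services.exe, and its image sits in a Temp directory), helper.dll loaded from Temp, notepad.exe's ParentID as unusable because of PID reuse, and thread 9877 whose start address falls outside every module in its process. A thread that no module backs is only a lead, not a verdict: JIT-compiled code and some packers produce the same pattern, so the finding should be read alongside the handle and command-line records before concluding injection.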