ProcessEvents
Definition
`ProcessEvents` is a KC7 data table that shows which programs and commands run on computers inside the organization. When a program starts on a computer, the operating system records information about it. Security tools collect these records to help defenders see how the system is being used and to detect suspicious activity. In real organizations, similar process logging is used in tools like Windows Event Logs, Sysmon, and Endpoint Detection and Response systems. This data gives analysts visibility into how attackers move once they are inside a network.

| Field | What it means in simple terms |
| ----------------------- | ------------------------------------------------------------------------------------- |
| **timestamp** | When the program started running |
| **parent_process_name** | The program that launched the new process |
| **parent_process_hash** | A unique identifier for the parent program |
| **process_commandline** | The exact command that was run, including arguments or script paths |
| **process_name** | The name of the program being executed |
| **process_hash** | A unique identifier for the program’s file, used to check if it matches known malware |
| **hostname** | The specific computer where the process ran |
| **username** | The user account that triggered or owns the process |

**What defenders can learn**

* If a trusted program is launching suspicious tools
* Whether attackers are running scripts to gain more access
* Which computers and user accounts are involved in unusual activity
* Whether known malicious files are running using their file hashes

**Example**

```
ProcessEvents
| where process_commandline contains "rclone"
| project timestamp, hostname, username, process_name
```

This highlights potential data exfiltration activity because attackers often use tools like rclone to upload stolen files.
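The following is an added example, not part of the KC7 glossary or its code, showing how the four "what defenders can learn" checks above translate into rules run over rows shaped like the `ProcessEvents` table. The field names are the ones in the table; the sample rows, hostnames, usernames and hash values are constructed (the hash list is a placeholder standing in for a threat-intel feed), and the `project()` helper mirrors the `project` step of the KQL query above.

```python
"""Detection rules over constructed ProcessEvents rows (added example, not KC7 code)."""
from __future__ import annotations

from dataclasses import dataclass, asdict
from typing import Callable


@dataclass(frozen=True)
class ProcessEvent:
    # Field names follow the ProcessEvents table described in the glossary entry.
    timestamp: str
    parent_process_name: str
    parent_process_hash: str
    process_commandline: str
    process_name: str
    process_hash: str
    hostname: str
    username: str


# Constructed sample rows; hostnames, users and hashes are not real telemetry.
EVENTS = [
    ProcessEvent("2024-01-10T09:02:11Z", "explorer.exe", "ph-explorer",
                 "outlook.exe", "outlook.exe", "ph-outlook", "WS-0142", "acme\\jsmith"),
    ProcessEvent("2024-01-10T09:15:42Z", "winword.exe", "ph-winword",
                 "powershell.exe -nop -w hidden -enc AAAA", "powershell.exe",
                 "ph-ps", "WS-0142", "acme\\jsmith"),
    ProcessEvent("2024-01-10T09:20:05Z", "cmd.exe", "ph-cmd",
                 "rclone.exe copy C:\\Finance remote:backup", "rclone.exe",
                 "ph-rclone", "WS-0142", "acme\\jsmith"),
    ProcessEvent("2024-01-10T10:01:00Z", "services.exe", "ph-services",
                 "svchost.exe -k netsvcs", "svchost.exe", "ph-svchost",
                 "SRV-DC01", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("2024-01-10T10:07:33Z", "explorer.exe", "ph-explorer",
                 "C:\\Users\\rlee\\Downloads\\invoice.exe", "invoice.exe",
                 "PLACEHOLDER-BAD-HASH-1", "WS-0077", "acme\\rlee"),
]

# Placeholder for a threat-intel hash feed (constructed value, not a real IoC).
KNOWN_BAD_HASHES = {"PLACEHOLDER-BAD-HASH-1"}

# Document-handling programs that normally have no reason to spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

Rule = Callable[[ProcessEvent], bool]


def rule_rclone_commandline(e: ProcessEvent) -> bool:
    """Same condition as the KQL example: command line contains 'rclone'."""
    return "rclone" in e.process_commandline.lower()


def rule_known_bad_hash(e: ProcessEvent) -> bool:
    """Program hash matches the (placeholder) known-malicious list."""
    return e.process_hash in KNOWN_BAD_HASHES


def rule_office_spawns_script(e: ProcessEvent) -> bool:
    """A trusted document program launching a script interpreter."""
    return (e.parent_process_name.lower() in OFFICE_PARENTS
            and e.process_name.lower() in SCRIPT_CHILDREN)


RULES: dict[str, Rule] = {
    "rclone_commandline": rule_rclone_commandline,
    "known_bad_hash": rule_known_bad_hash,
    "office_spawns_script": rule_office_spawns_script,
}


def run_rules(events: list[ProcessEvent], rules: dict[str, Rule] = RULES) -> list[tuple[str, ProcessEvent]]:
    """Return (rule_name, event) for every event that matches a rule."""
    return [(name, e) for e in events for name, rule in rules.items() if rule(e)]


def project(events: list[ProcessEvent], *fields: str) -> list[dict[str, str]]:
    """Keep only the named fields, like the KQL 'project' operator."""
    return [{f: asdict(e)[f] for f in fields} for e in events]


def affected_hosts_and_users(hits: list[tuple[str, ProcessEvent]]) -> list[tuple[str, str]]:
    """Which computers and accounts are involved in the flagged activity."""
    return sorted({(e.hostname, e.username) for _, e in hits})


if __name__ == "__main__":
    hits = run_rules(EVENTS)
    for name, row in project([e for _, e in hits], "timestamp", "hostname", "username", "process_name"), hits:
        pass
    for name, e in hits:
        print(f"{name:22} {e.timestamp} {e.hostname} {e.username} {e.process_name}")
    print("involved:", affected_hosts_and_users(hits))
```

The three rules are independent and cheap, so they can run over a whole day of rows; `affected_hosts_and_users` then answers the "which computers and accounts" question from the list above without re-reading the table.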