This repository has been archived by the owner on Sep 13, 2023. It is now read-only.
/
process.yml
68 lines (68 loc) · 2.66 KB
/
process.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
name: Process
definition: Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures
collection_layers:
- Host
platforms:
- Windows
- Linux
- macOS
contributors:
- ATT&CK
- Center for Threat-Informed Defense (CTID)
data_components:
- name: Process Metadata
type: information
description: "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
relationships:
- source_data_element: user
relationship: retrieved information about
target_data_element: process
- name: Process Creation
type: activity
description: "Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
relationships:
- source_data_element: user
relationship: created
target_data_element: process
- source_data_element: process
relationship: created
target_data_element: process
- source_data_element: process
relationship: created
target_data_element: thread
- name: Process Termination
type: activity
description: "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)"
relationships:
- source_data_element: user
relationship: terminated
target_data_element: process
- name: Process Modification
type: activity
description: "Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
relationships:
- source_data_element: process
relationship: modified
target_data_element: process
- name: Process Access
type: activity
description: "Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
relationships:
- source_data_element: process
relationship: accessed
target_data_element: process
- source_data_element: process
relationship: requested access to
target_data_element: process
- name: OS API Execution
type: activity
description: "Operating system function/method calls executed by a process"
relationships:
- source_data_element: process
relationship: executed
target_data_element: api call
- source_data_element: process
relationship: executed
target_data_element: system call
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads