Depending on the type of operation that was performed with the process file, one of the following section names is displayed in the event information:
Process access is open
Duplicate handle
The Process access is open section displays the following information:
IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) database contains descriptions of hacker behavior based on the analysis of real attacks. It is a structured list of known hacker techniques represented as a table.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
File—Name of the recipient process.
Process ID—Process ID of the recipient process.
Launch parameters—Command line options of the recipient process.
MD5—MD5 hash of the recipient process file.
SHA256—SHA256 hash of the recipient process file.
Access permissions—Requested process access rights.
Size—Size of the recipient process file.
Event time—Time when the event was detected.
Time created—Recipient process file creation time.
Time modified—Time of last modification of the recipient process file.
Attributes modification time—Time when the attributes of the recipient process file were changed.
Call trace—Call stack.
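The Access permissions field above is the raw Windows process access mask, which is hard to read at a glance. The following is an added example, not part of the Kaspersky documentation and not product code: it assumes the event has been exported as a dictionary keyed by the field names listed above and that Access permissions holds the mask as an integer or a hex string (the sample event is constructed). It decodes the mask into the documented PROCESS_* right names and flags the combinations an analyst usually triages first: a full PROCESS_ALL_ACCESS request, write-and-execute rights on another process, and memory read access to a sensitive system process.

```python
# Added example, not from the Kaspersky documentation. Field names follow the
# "Process access is open" section; the mask format and the sample event are
# assumptions. Bit values are the documented Windows process access rights.

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF

# Processes whose memory is read by credential-access tooling; a read
# request against them is a triage priority, not necessarily an incident.
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe"}

INJECTION_RIGHTS = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}


def parse_mask(value):
    """Assumed export format: an int, a '0x...' hex string, or a decimal string."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def decode_rights(mask):
    """Return the named rights set in the mask, lowest bit first; unknown bits are kept."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def triage(event):
    """Decode one 'Process access is open' event and list the reasons to look at it."""
    mask = parse_mask(event["Access permissions"])
    rights = set(decode_rights(mask))
    # "File" is the recipient process; keep only the base name for matching.
    target = event["File"].rsplit("\\", 1)[-1].lower()
    findings = []
    if mask & PROCESS_ALL_ACCESS_MASK == PROCESS_ALL_ACCESS_MASK:
        findings.append("PROCESS_ALL_ACCESS requested")
    if INJECTION_RIGHTS <= rights:
        findings.append("write+execute rights typical of code injection")
    if target in SENSITIVE_TARGETS and "PROCESS_VM_READ" in rights:
        findings.append(f"memory read of sensitive process {target}")
    return {"mask": mask, "rights": sorted(rights), "findings": findings}


# Constructed sample event using the field names from the section above.
SAMPLE_EVENT = {
    "File": "C:\\Windows\\System32\\lsass.exe",
    "Process ID": 712,
    "Launch parameters": "C:\\Windows\\system32\\lsass.exe",
    "Access permissions": "0x1010",  # PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION
    "Event time": "2024-01-01 12:00:00",
}

if __name__ == "__main__":
    result = triage(SAMPLE_EVENT)
    print("rights:", ", ".join(decode_rights(result["mask"])))
    for finding in result["findings"]:
        print("finding:", finding)
```

The same decoder applies to the Duplicate handle events that follow: a source process must itself hold PROCESS_DUP_HANDLE on the target for the duplication to succeed, so that bit in an earlier Process access is open event for the same pair of processes is worth correlating with the later duplication.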
The Duplicate handle section displays the following information:
File—File name of the duplicated process.
MD5—MD5 hash of the duplicated process file.
SHA256—SHA256 hash of the duplicated process file.
Time created—Duplicated process file creation time.
Time modified—Time of last modification of the duplicated process file.
Attributes modification time—Time when the attributes of the duplicated process file were changed.
Size—Size of the duplicated process file.
Process ID—ID of the duplicated process.
Launch parameters—Command line options of the duplicated process.
For events of this type, the event information also includes the Information about the process to which the handle was duplicated and Information about the process from which the handle was duplicated sections. These sections contain the following information:
File—Process file name.
MD5—MD5 hash of the process file.
SHA256—SHA256 hash of the process file.
Process ID—Process identifier.
Launch parameters—Process startup settings.
Size—Size of the process file.
Time created—Process file creation time.
Time modified—Time of last modification of the file.
Attributes modification time—Time when the attributes of the process file were changed.
Event initiator section:
File—Path to the parent process file.
MD5—MD5 hash of the parent process file.
SHA256—SHA256 hash of the parent process file.
Launch parameters—Parent process startup settings.
System info section:
Host name—Name of the host on which the file was created.
User name—Name of the user that created the file.
OS version—Version of the operating system that is being used on the host.
Clicking the link with the file name or path to the file in the section with information about the file with which the operation was performed opens a list in which you can select one of the following actions: