Information about the "Process access" event

The window displaying information about File changed events contains the following details:

• Tree of events.
• Actions that can be performed to handle an event.
• Depending on the type of operation that was performed with the process file, one of the following section names is displayed in the event information:
  • Process access is open
  • Duplicate handle

  The Process access is open displays the following information:

  • IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.

    Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.

    The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) database contains descriptions of hacker behavior based on the analysis of real attacks. It is a structured list of known hacker techniques represented as a table.

    The field is displayed if a TAA (IOA) rule was triggered when the event was created.

  • File—Name of the recipient process.
  • Process ID—Process ID of the recipient process.
  • Launch parameters—Command line options of the recipient process.
  • MD5—MD5 hash of the recipient process file.
  • SHA256—SHA256 hash of the recipient process file.
  • Access permissions—Requested process access rights.
  • Size—Size of the recipient process file.
  • Event time—Time when the event was detected.
  • Time created—Recipient process file creation time.
  • Time modified—Time of last modification of the recipient process file.
  • Attributes modification time—Time when the attributes of the recipient process file were changed.
  • Call trace—Call stack.

  The Duplicate handle section displays the following information:

  • File—File name of the duplicated process.
  • MD5—MD5 hash of the duplicated process file.
  • SHA256—SHA256 hash of the duplicated process file.
  • Time created—Duplicated process file creation time.
  • Time modified—Time of last modification of the duplicated process file.
  • Attributes modification time—Time when the attributes of the duplicated process file were changed.
  • Size—Size of the duplicated process file.
  • Process ID—ID of the duplicated process.
  • Launch parameters—Command line options of the duplicated process.

  For events of this type, the event information also includes the Information about the process to which the handle was duplicated and Information about the process from which the handle was duplicated sections. These sections contain the following information:

  • File—Process file name.
  • MD5—MD5 hash of the process file.
  • SHA256—SHA256 hash of the process file.
  • Process ID—Process identifier.
  • Launch parameters—Process startup settings.
  • Size—Size of the process file.
  • Time created—Process file creation time.
  • Time modified—Time of last modification of the file.
  • Attributes modification time—Time when the attributes of the process file were changed.
• Event initiator section:
  • File—Path to the parent process file.
  • MD5—MD5 hash of the parent process file.
  • SHA256—SHA256 hash of the parent process file.
  • Launch parameters—Parent process startup settings.
• System info section:
  • Host name—Name of the host on which the file was created.
  • User name—Name of the user that created the file.
  • OS version—Version of the operating system that is being used on the host.

Clicking the link with the file name or path to the file in the section with information about the file with which the operation was performed opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Run the following tasks:
  • Delete file.
  • Get file.
  • Get forensics.
  • Quarantine file.
• Copy value to clipboard.

Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Run the following tasks:
  • Kill process.
  • Kill by unique PID.
  • Delete file.
  • Get file.
  • Get forensics.
  • Quarantine file.
• Copy value to clipboard.

Clicking the MD5 link opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Find on Kaspersky TIP.

  Kaspersky information system Contains and displays reputation information for files and URL addresses.

• Find in Storage.
• Create prevention rule.
• Copy value to clipboard.

Clicking the SHA256 link opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Find on Kaspersky TIP.
• Find on virustotal.com.
• Find in Storage.
• Create prevention rule.
• Copy value to clipboard.

See also Event information Recommendations for processing events Information about events in the tree of events Viewing the table of events Configuring the event table display Viewing information about an event Information about the "Process started" event Information about the "Process terminated" event Information about the "Module loaded" event Information about the "Remote connection" event Information about the "Prevention rule" event Information about the "Document blocked" event Information about the "File modified" event Information about the "System event log" event Information about the "Changes in the registry" event Information about the "Port listened" event Information about the "Driver loaded" event Information about the "DNS" event Information about the "LDAP" event Information about the "Named pipe" event Information about the "WMI" event Information about the "Alert" event Information about the "Alert processing result" event Information about the "Interpreted file run" event Information about the "AMSI scan" event Information about the "Interactive command input at the console" event Information about the "Code injection" event

Page top