title: DN_0003_1_windows_sysmon_process_creation
description: >
  Windows process creation log, including command line logging
loggingpolicy:
  - LP_0003_windows_sysmon_process_creation
references:
  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001
category: OS Logs
platform: Windows
type: Applications and Services Logs
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
  - EventID
  - Hostname  # redundant
  - Computer
  - UtcTime
  - Username  # redundant
  - User
  - ProcessGuid
  - ProcessId
  - ProcessName
  - CommandLine
  - LogonGuid
  - LogonId
  - TerminalSessionid
  - IntegrityLevel
  - Hashes
  - Imphash
  - Sha256hash
  - Sha1hash
  - Md5hash
  - Image
  - ParentImage
  - ParentProcessGuid
  - ParentProcessId
  - ParentProcessName
  - ParentCommandLine
  - OriginalFileName
  - FileVersion
  - Description
  - Product
  - Company
  - CurrentDirectory
sample: |
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Sysmon" />
      <EventID>1</EventID>
      <Version>5</Version>
      <Level>4</Level>
      <Task>1</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <EventRecordID>4219</EventRecordID>
      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
      <Computer>atc-win-10</Computer>
    </System>
    <EventData>
      <Data Name="UtcTime">2019-07-09 03:44:58.036</Data>
      <Data Name="ProcessGuid">{717CFEC0-0DBA-5D24-0000-001087BC0800}</Data>
      <Data Name="ProcessId">5500</Data>
      <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
      <Data Name="FileVersion">10.0.14393.0 (rs1_release.160715-1616)</Data>
      <Data Name="Description">Console Window Host</Data>
      <Data Name="Product">Microsoft® Windows® Operating System</Data>
      <Data Name="Company">Microsoft Corporation</Data>
      <Data Name="OriginalFileName">CONHOST.EXE</Data>
      <Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data>
      <Data Name="CurrentDirectory">C:\Windows</Data>
      <Data Name="User">atc-win-10\yugoslavskiy</Data>
      <Data Name="LogonGuid">{717CFEC0-0DA0-5D24-0000-0020D0F50300}</Data>
      <Data Name="LogonId">0x3f5d0</Data>
      <Data Name="TerminalSessionId">1</Data>
      <Data Name="IntegrityLevel">Medium</Data>
      <Data Name="Hashes">MD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0</Data>
      <Data Name="ParentProcessGuid">{717CFEC0-0DB9-5D24-0000-0010C9BB0800}</Data>
      <Data Name="ParentProcessId">4412</Data>
      <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
      <Data Name="ParentCommandLine">"C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\yugoslavskiy\AppData\Local\Microsoft\OneDrive\19.086.0502.0006"</Data>
    </EventData>
  </Event>