ESET Online Help


OpenProcess

Added a new rule attribute, which triggers when a process is opened.

HIPS sends OpenProcess events only for lsass.exe, and only when PROCESS_VM_WRITE and/or PROCESS_VM_READ process access is requested. Events are generated only for calls to OpenProcess or DuplicateHandle (the latter on an already opened process with the mentioned access rights).

Properties are:

AccessRight: it can have the values PROCESS_VM_WRITE and PROCESS_VM_READ.

Example:

<operations>

    <operation type="OpenProcess">

        <condition component="OpenProcess" property="AccessRight" condition="contains" value="PROCESS_VM_READ" />

    </operation>

</operations>
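To make the scope of this attribute concrete, the following added example (not ESET code, and not part of the original help page) models which handle requests would be reported and which of them the rule fragment above would match. Assumptions: the event dictionaries and function names are hypothetical, the access mask bits are the standard Windows values, and "contains" is treated as a substring test on the decoded right names.

```python
import xml.etree.ElementTree as ET

# Standard Windows access-mask bits for the two rights this attribute reports.
REPORTED_RIGHTS = {"PROCESS_VM_READ": 0x0010, "PROCESS_VM_WRITE": 0x0020}

# The rule fragment shown in the example above.
RULE_XML = """<operations>
    <operation type="OpenProcess">
        <condition component="OpenProcess" property="AccessRight" condition="contains" value="PROCESS_VM_READ" />
    </operation>
</operations>"""

# Constructed sample events (hypothetical field names, not real telemetry).
LSASS = r"C:\Windows\System32\lsass.exe"
EVENTS = [
    {"api": "OpenProcess", "target": LSASS, "mask": 0x1410},      # query + VM_READ
    {"api": "OpenProcess", "target": LSASS, "mask": 0x1000},      # query limited only
    {"api": "DuplicateHandle", "target": LSASS, "mask": 0x0020},  # VM_WRITE only
    {"api": "OpenProcess", "target": r"C:\Windows\notepad.exe", "mask": 0x1FFFFF},
    {"api": "OpenProcess", "target": LSASS, "mask": 0x1FFFFF},    # PROCESS_ALL_ACCESS
]

def access_rights(mask):
    """Decode a raw access mask into the reported right names it includes."""
    return [name for name, bit in REPORTED_RIGHTS.items() if mask & bit]

def is_reported(event):
    """Filter described above: target is lsass.exe and VM read/write is requested."""
    image = event["target"].rsplit("\\", 1)[-1].lower()
    return image == "lsass.exe" and bool(access_rights(event["mask"]))

def rule_matches(rule_xml, event):
    """True if the event is reported and satisfies the rule's AccessRight conditions.
    Assumption: 'contains' is a substring test on the joined right names."""
    if not is_reported(event):
        return False
    rights = " ".join(access_rights(event["mask"]))
    for op in ET.fromstring(rule_xml).iter("operation"):
        if op.get("type") != "OpenProcess":
            continue
        wanted = [c.get("value") for c in op.iter("condition") if c.get("property") == "AccessRight"]
        if wanted and all(value in rights for value in wanted):
            return True
    return False

if __name__ == "__main__":
    for e in EVENTS:
        print(e["api"], hex(e["mask"]), access_rights(e["mask"]), is_reported(e), rule_matches(RULE_XML, e))
```

The third event is reported but not matched, because the rule as written tests only for PROCESS_VM_READ; write-only access to lsass.exe needs its own condition.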

Supported Operations and their components:

Operation      Component: OpenProcess
OpenProcess    X