SOC Event Lookup
Event ID 10ProcessP1

Sysmon Event ID 10: ProcessAccess

Sysmon Event ID 10 records one process opening another process and is a key source for detecting credential dumping, process inspection, and suspicious cross-process access.

Applicable version
Sysmon 1.0 and later; ProcessAccess logging must be enabled
Last reviewed
2026-07-10

Trigger Scenarios

The event is generated when a process opens a handle to another process under the configured Sysmon rules. Because the event can be noisy, collection should focus on sensitive target processes and meaningful access rights.

Key Fields

SourceImage

The executable requesting access. Its path, signer, command line, and parent process are central to determining whether the access is expected.

TargetImage

The process being accessed. lsass.exe is a high-priority target because access with sensitive rights can indicate credential theft.

GrantedAccess

The access mask granted to the source process. Interpret this alongside the target and source process because valid tools may require some overlapping rights.

CallTrace

The recorded call stack can help distinguish known security or management tools from unknown access paths, although symbols and modules may be incomplete.

Common False Positives

  • EDR, antivirus, backup, monitoring, and accessibility products often inspect other processes.
  • Task Manager, debuggers, and performance tools can request process handles during normal administration.
  • Broad ProcessAccess collection without filters can create large volumes that obscure high-risk activity.

Related Events

MITRE ATT&CK Mapping

  • T1003OS Credential Dumping
  • T1055Process Injection

Detection Notes

T1003 credential dumping is concrete when TargetImage is lsass.exe and GrantedAccess includes 0x1010 or 0x1fffff from a source outside approved EDR paths. Join SourceProcessGuid to Event ID 1 for command-line and signer context.

Microsoft Sentinel KQL
Sysmon
| where EventID == 10
| where TargetImage endswith @"\lsass.exe"
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess, CallTrace, SourceProcessGuid
| order by TimeGenerated desc
Splunk SPL
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| table _time, host, SourceImage, TargetImage, GrantedAccess, CallTrace, SourceProcessGuid
Sample Log
UtcTime: 2026-07-10 03:20:22.000
SourceImage: C:\Users\jsmith\AppData\Local\Temp\diagnostic.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c|UNKNOWN(000001F4A1230000)

Source