| process_description | WMI Commandline Utility | keyword | Description of executed process |
| process_command_line | c:\tmp\runme.exe, /tmp/runme | keyword/loweronly | Full command line of executed process |
| process_command_line_length | 29347 | long | Length of process_command_line |
| process_id | 2045,0x3e7 | keyword/loweronly | Process identifier associated with executed process |
| process_integrity_level | medium, high, trusted | keyword | Integrity level of executed process |
| process_parent_command_line | c:\tmp\runme.exe, /tmp/runme | keyword/loweronly | Full command line of parent process |
| process_parent_id | 2045,0x3e7 | keyword/loweronly | Process identifier associated with parent process |
| process_parent_name | whoami, whoami.exe | keyword/loweronly | File name of parent process, excluding path |
| process_parent_path | C:\Windows\system32\whoami.exe, /usr/bin/whoami | keyword/loweronly | Full path of parent process |
| process_parent_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | GUID or unique identifier for parent process that is not the process_id |
| process_name | whoami, whoami.exe | keyword/loweronly | File name of executed process, excluding path |
| process_path | C:\Windows\system32\whoami.exe, /usr/bin/whoami | keyword/loweronly | Full path of executed process |
| process_target_id | 2045,0x3e7 | keyword | The process ID of the targeted process of some action that was taken against that process |
| process_target_name | whoami, whoami.exe | keyword | The name of the targeted process of some action that was taken against that process |
| process_target_path | C:\Windows\system32\whoami.exe, /usr/bin/whoami | keyword | The full path and name of the targeted process of some action that was taken against that process |
| process_target_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | The process unique identifier of the targeted process of some action that was taken against that running process |
| process_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | GUID or unique identifier for executed process that is not the process_id |
| process_working_directory | C:\Windows\Temp | keyword | The current working directory that the process was called from |