Sysmon Event ID 10: ProcessAccess
Sysmon Event ID 10 records one process opening another process and is a key source for detecting credential dumping, process inspection, and suspicious cross-process access.
- Applicable version
- Sysmon 1.0 and later; ProcessAccess logging must be enabled
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is generated when a process opens a handle to another process under the configured Sysmon rules. Because the event can be noisy, collection should focus on sensitive target processes and meaningful access rights.
Key Fields
SourceImage
The executable requesting access. Its path, signer, command line, and parent process are central to determining whether the access is expected.
TargetImage
The process being accessed. lsass.exe is a high-priority target because access with sensitive rights can indicate credential theft.
GrantedAccess
The access mask granted to the source process. Interpret this alongside the target and source process because valid tools may require some overlapping rights.
CallTrace
The recorded call stack can help distinguish known security or management tools from unknown access paths, although symbols and modules may be incomplete.
Common False Positives
- EDR, antivirus, backup, monitoring, and accessibility products often inspect other processes.
- Task Manager, debuggers, and performance tools can request process handles during normal administration.
- Broad ProcessAccess collection without filters can create large volumes that obscure high-risk activity.
Related Events
MITRE ATT&CK Mapping
- T1003OS Credential Dumping
- T1055Process Injection
Detection Notes
T1003 credential dumping is concrete when TargetImage is lsass.exe and GrantedAccess includes 0x1010 or 0x1fffff from a source outside approved EDR paths. Join SourceProcessGuid to Event ID 1 for command-line and signer context.
Sysmon
| where EventID == 10
| where TargetImage endswith @"\lsass.exe"
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess, CallTrace, SourceProcessGuid
| order by TimeGenerated descindex=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| table _time, host, SourceImage, TargetImage, GrantedAccess, CallTrace, SourceProcessGuidUtcTime: 2026-07-10 03:20:22.000
SourceImage: C:\Users\jsmith\AppData\Local\Temp\diagnostic.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c|UNKNOWN(000001F4A1230000)