Decoding requested_acces field in event_type:cross_process

Version

5.2.X and earlier

Topic

In a cross_process event type there is a key named "requested_acces". What is this value, and how can it be decoded?

Steps

The value of the requested_acces key is an access mask as defined by Microsoft and is Windows specific. It is included in the cross_process event type to record the access that one process requested to another. To understand what this value means:

  1. Convert the requested_acces value to hex
    1. Open the calc.exe application in Windows and click View > Programmer
    2. Select "Dec" for decimal and enter the value (example: 2097151)
    3. Select "Hex" to convert the value (example result: 1FFFFF)
  2. The value is a combination of multiple access rights ORed into a single number. Use the following external page of Microsoft documentation as a reference:

          https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx

          In this case, the value specifies all STANDARD and SPECIFIC rights:

          #define STANDARD_RIGHTS_ALL (0x001F0000L)

          #define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)

          combined: 0x001FFFFFL (which equates to 1FFFFF)
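The steps above decode one value by hand. The script below is an added example, not part of this article or of the sensor product, that does the same conversion for any requested_acces value and goes one step further than the article: instead of only checking for the all-rights mask 0x001FFFFF, it maps every set bit to its name using Microsoft's documented process-specific, standard and generic access-right constants (the values the linked Microsoft page lists). It assumes the events are available as JSON lines with an `event_type` key and a `requested_acces` key holding a decimal string; those key names and the sample event values are constructed for the example.

```python
# Added example (not from the original article): decode a cross_process
# requested_acces value into named Windows process access rights.
# Bit values are Microsoft's documented PROCESS_*, standard and generic
# access-right constants from winnt.h; the sample events are constructed.
import json

# Process-specific rights (low 16 bits). Bits 0x4000 and 0x8000 carry no
# name in winnt.h but are still set by PROCESS_ALL_ACCESS (0x1FFFFF).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}

# Standard rights shared by every securable object (bits 16-20).
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Generic and special rights (high bits); a caller may request these
# instead of object-specific bits, so a decoder must recognise them too.
GENERIC_RIGHTS = {
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

STANDARD_RIGHTS_ALL = 0x001F0000
SPECIFIC_RIGHTS_ALL = 0x0000FFFF


def decode_requested_access(value):
    """Return the mask as hex plus the named rights it contains.

    `value` may be an int or the decimal string a sensor event carries.
    """
    mask = int(value)
    rights = []
    remaining = mask
    for table in (PROCESS_RIGHTS, STANDARD_RIGHTS, GENERIC_RIGHTS):
        for bit, name in table.items():
            if remaining & bit:
                rights.append(name)
                remaining &= ~bit
    return {
        "decimal": mask,
        "hex": f"0x{mask:08X}",
        "rights": rights,
        # Set bits with no name in the tables above (0xC000 inside
        # PROCESS_ALL_ACCESS); non-zero here means "look this up by hand".
        "unnamed_bits": remaining,
        "all_standard_rights": (mask & STANDARD_RIGHTS_ALL) == STANDARD_RIGHTS_ALL,
        "all_specific_rights": (mask & SPECIFIC_RIGHTS_ALL) == SPECIFIC_RIGHTS_ALL,
    }


def decode_events(event_lines):
    """Decode requested_acces for each cross_process event in a list of
    JSON lines (assumed layout); other event types are skipped."""
    results = []
    for line in event_lines:
        event = json.loads(line)
        if event.get("event_type") != "cross_process":
            continue
        results.append(decode_requested_access(event["requested_acces"]))
    return results


# Constructed sample events (not real sensor output); only the key the
# article names plus an assumed event_type key are used.
SAMPLE_EVENTS = [
    '{"event_type": "cross_process", "requested_acces": "2097151"}',
    '{"event_type": "cross_process", "requested_acces": "5136"}',
    '{"event_type": "filemod", "filename": "example.txt"}',
]

if __name__ == "__main__":
    for result in decode_events(SAMPLE_EVENTS):
        print(result["decimal"], result["hex"], ", ".join(result["rights"]))
```

For the article's value 2097151 the decoder reports 0x001FFFFF with both the all-standard and all-specific flags set, which is the same conclusion the manual steps reach. A value such as 5136 (0x1410) decodes to only PROCESS_VM_READ, PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION, so a reviewer can tell read-only inspection apart from requests that include memory-write or thread-creation rights without converting each mask by hand. A non-zero unnamed_bits field flags bits the tables do not cover and should be checked against the Microsoft page.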

Article Information
Creation Date: 12-28-2016