STIX Wiki

Process

The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions).

Properties

Required Common Properties

typeid

Optional Common Properties

spec_versionobject_marking_refsgranular_markingsdefangedextensions

Not Applicable

created_by_refrevokedlabelsconfidencelangexternal_references

Process Specific

extensionsis_hiddenpidcreated_timecwdcommand_lineenvironment_variablesopened_connection_refscreator_user_refimage_refparent_refchild_refs

Property	Type	Description
`type`optional	`string`	The value of this property MUST be `process`.
`extensions`optional		The Process Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: windows-process-ext, windows-service-ext.
`is_hidden`optional	`boolean`	Specifies whether the process is hidden.
`pid`optional	`integer`	Specifies the Process ID, or PID, of the process.
`created_time`optional	`string`	Specifies the date/time at which the process was created.
`cwd`optional	`string`	Specifies the current working directory of the process.
`command_line`optional	`string`	Specifies the full command line used in executing the process, including the process name (which may be specified individually via the binary_ref.name property) and any arguments.
`environment_variables`optional	`object`	A dictionary captures a set of key/value pairs
`opened_connection_refs`optional	list of `string`	Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects.
`creator_user_ref`optional	`string`	Specifies the user that created the process, as a reference to a User Account Object.
`image_ref`optional	`string`	Specifies the executable binary that was executed as the process image, as a reference to a File Object.
`parent_ref`optional	`string`	Specifies the other process that spawned (i.e. is the parent of) this one, as represented by a Process Object.
`child_refs`optional	list of `string`	Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process Objects.

Examples

[
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--edb1ebee-4387-41cc-943b-f94fd491118c",
    "name": "gedit-bin",
    "hashes": {
      "SHA-256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"
    }
  },
  {
    "type": "process",
    "spec_version": "2.1",
    "id": "process--d2ec5aab-808d-4492-890a-3c1a1e3cb06e",
    "pid": 1221,
    "created_time": "2016-01-20T14:11:25.55Z",
    "command_line": "./gedit-bin --new-window",
    "image_ref": "file--e04f22d1-be2c-59de-add8-10f61d15fe20"
  }
]

Process

Properties

Required Common Properties

typeid

Optional Common Properties

spec_versionobject_marking_refsgranular_markingsdefangedextensions

Not Applicable

created_by_refrevokedlabelsconfidencelangexternal_references

Process Specific

extensionsis_hiddenpidcreated_timecwdcommand_lineenvironment_variablesopened_connection_refscreator_user_refimage_refparent_refchild_refs

Property	Type	Description
`type`optional	`string`	The value of this property MUST be `process`.
`extensions`optional		The Process Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: windows-process-ext, windows-service-ext.
`is_hidden`optional	`boolean`	Specifies whether the process is hidden.
`pid`optional	`integer`	Specifies the Process ID, or PID, of the process.
`created_time`optional	`string`	Specifies the date/time at which the process was created.
`cwd`optional	`string`	Specifies the current working directory of the process.
`command_line`optional	`string`	Specifies the full command line used in executing the process, including the process name (which may be specified individually via the binary_ref.name property) and any arguments.
`environment_variables`optional	`object`	A dictionary captures a set of key/value pairs
`opened_connection_refs`optional	list of `string`	Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects.
`creator_user_ref`optional	`string`	Specifies the user that created the process, as a reference to a User Account Object.
`image_ref`optional	`string`	Specifies the executable binary that was executed as the process image, as a reference to a File Object.
`parent_ref`optional	`string`	Specifies the other process that spawned (i.e. is the parent of) this one, as represented by a Process Object.
`child_refs`optional	list of `string`	Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process Objects.

Examples

[
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--edb1ebee-4387-41cc-943b-f94fd491118c",
    "name": "gedit-bin",
    "hashes": {
      "SHA-256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"
    }
  },
  {
    "type": "process",
    "spec_version": "2.1",
    "id": "process--d2ec5aab-808d-4492-890a-3c1a1e3cb06e",
    "pid": 1221,
    "created_time": "2016-01-20T14:11:25.55Z",
    "command_line": "./gedit-bin --new-window",
    "image_ref": "file--e04f22d1-be2c-59de-add8-10f61d15fe20"
  }
]

Process

Properties

Examples

On this page

Process

Properties

Examples

On this page