Process Access (1887a270-576a-4049-84de-ef746b2572d6)

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDR solutions that provide telemetry on inter-process access and memory manipulation.
  • Sysmon (Windows):
    • Event ID 10: Captures process access attempts, including:
      • Source process (initiator)
      • Target process (victim)
      • Access rights requested
      • Process ID correlation
  • Windows Event Logs:
    • Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
    • Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
  • Linux/macOS Monitoring:
    • AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
    • eBPF/XDP: Used for low-level monitoring of kernel process access.
    • OSQuery: Query process access behavior via structured SQL-like logging.
  • Procmon (Process Monitor) and Debugging Tools:
    • Windows Procmon: Captures real-time process interactions.
    • Linux strace / ptrace: Useful for tracking process behavior at the system call level.
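Detection logic over the Sysmon Event ID 10 fields listed above, as an added example rather than code from MISP or MITRE: it decodes the GrantedAccess mask into named Windows process rights and classifies each source/target pair. The sample records, the allowlisted source images and the credential-store target set are constructed assumptions to tune for your own environment.

```python
# Added example: triage constructed Sysmon Event ID 10 (ProcessAccess) records.
# Field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's Event ID 10 schema.

# Windows PROCESS_* access right bits as defined in winnt.h.
ACCESS_RIGHTS = {
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
    0x0400: "QUERY_INFORMATION",
    0x1000: "QUERY_LIMITED_INFORMATION",
}

# Assumed tuning: processes whose memory should rarely be read, and source images
# that legitimately open them (hypothetical allowlist, adjust per environment).
CREDENTIAL_TARGETS = {"lsass.exe"}
TRUSTED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\program files\example-edr\sensor.exe"}

def decode_access(mask_hex):
    """Return the named rights present in a GrantedAccess value such as '0x1010'."""
    mask = int(mask_hex, 16)
    return {name for bit, name in ACCESS_RIGHTS.items() if mask & bit}

def classify(event):
    """Classify one record as 'benign', 'credential-access' or 'injection'."""
    rights = decode_access(event["GrantedAccess"])
    source = event["SourceImage"].lower()
    target = event["TargetImage"].lower().rsplit("\\", 1)[-1]
    if source in TRUSTED_SOURCES:
        return "benign"
    # Reading credential-store memory from an unknown source is the dumping pattern.
    if target in CREDENTIAL_TARGETS and "VM_READ" in rights:
        return "credential-access"
    # Writing another process's memory plus creating a thread in it is the injection pattern.
    if {"VM_WRITE", "CREATE_THREAD"} <= rights:
        return "injection"
    return "benign"

# Constructed sample records (not real telemetry).
EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe", "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1400"},
]

def triage(events):
    """Return (source image, verdict) for every record."""
    return [(e["SourceImage"], classify(e)) for e in events]
```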
Cluster A | Galaxy A | Cluster B | Galaxy B | Level
XPC Services - T1559.003 (8252f135-ed26-4ce1-ae61-f26e94429a19) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 1
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) | Attack Pattern | 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) | Attack Pattern | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) | Attack Pattern | 1
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | XPC Services - T1559.003 (8252f135-ed26-4ce1-ae61-f26e94429a19) | Attack Pattern | 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) | Attack Pattern | Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | 2
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 2