Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96)

Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDRs can monitor memory modifications and API-level calls.
  • Sysmon (Windows):
    • Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing.
    • Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts.
  • Linux/macOS Monitoring:
    • AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts.
    • eBPF/XDP: Monitors low-level system calls related to process modifications.
    • OSQuery: The processes table can be queried for unusual modifications.
  • Network-Based Monitoring:
    • Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process.
    • Syslog/OSSEC: Monitors logs for suspicious modifications.
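The Sysmon entries above (Event ID 10 for process access, Event ID 8 for cross-process thread creation) are most useful when the two are correlated: a remote thread created by a source that had just obtained write/thread rights on the same target is a stronger signal than either event alone. The script below is an added example written for this page, not code from the MISP or MITRE ATT&CK projects; the events are constructed sample records in Sysmon field names, the allowlist is a hypothetical tuning knob, and the PROCESS_* access-right bits are the documented Windows constants rather than values taken from this page.

```python
"""Triage Sysmon Event ID 10 / Event ID 8 records for cross-process activity."""
from collections import defaultdict

# Windows PROCESS_* access-right bits (documented constants, not from the page).
# Together they are what a writer-plus-thread-creator needs on another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hypothetical allowlist of source images expected to touch other processes
# (an assumption for this example; tune it to the environment).
DEFAULT_ALLOWLIST = {r"c:\program files\edr\agent.exe"}

# Constructed sample events (not real telemetry); field names follow the
# Sysmon schema for Event IDs 8 and 10.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\EDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "SourceImage": r"C:\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Tool\monitor.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
]


def _norm(path):
    # Case-insensitive comparison of image paths.
    return path.lower()


def find_cross_process_activity(events, allowlist=DEFAULT_ALLOWLIST):
    """Return one finding per Event ID 10 (process access) or Event ID 8
    (CreateRemoteThread) whose source and target differ and whose source is
    not allowlisted. An Event 8 that follows an Event 10 from the same source
    to the same target with injection-capable rights is escalated to critical."""
    findings = []
    granted = defaultdict(int)  # (source, target) -> OR of GrantedAccess masks
    for ev in events:
        eid = ev.get("EventID")
        if eid not in (8, 10):
            continue
        src, dst = _norm(ev["SourceImage"]), _norm(ev["TargetImage"])
        if src == dst or src in allowlist:
            continue  # self-access and known-good sources are not reported
        if eid == 10:
            mask = int(ev.get("GrantedAccess", "0x0"), 16)
            granted[(src, dst)] |= mask
            severity = "medium" if mask & INJECT_MASK else "low"
            reason = f"process access with rights 0x{mask:X}"
        else:
            primed = bool(granted[(src, dst)] & INJECT_MASK)
            severity = "critical" if primed else "high"
            reason = "remote thread created" + (
                " after injection-capable access" if primed else "")
        findings.append({"event_id": eid, "source": src, "target": dst,
                         "severity": severity, "reason": reason})
    return findings


def summarize(findings):
    """Count findings per severity level."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_cross_process_activity(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] {f['source']} -> {f['target']}: {f['reason']}")
    print(summarize(find_cross_process_activity(SAMPLE_EVENTS)))
```

Run against the constructed events, the downloaded `update.exe` gets a medium finding for its access to `explorer.exe` and a critical one for the thread it then creates there, the unrelated `loader.exe` thread is high, and the read-only access by `monitor.exe` is low. In a real pipeline the pairing key would also carry the process GUIDs so that a restarted target does not inherit the earlier access record.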
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 1 |
| Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) | Attack Pattern | 1 |
| Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 2 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 2 |
| Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | 2 |