Skip to content

Hide Navigation Hide TOC

Process Access (1887a270-576a-4049-84de-ef746b2572d6)

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDR solutions that provide telemetry on inter-process access and memory manipulation.
  • Sysmon (Windows):
    • Event ID 10: Captures process access attempts, including:
      • Source process (initiator)
      • Target process (victim)
      • Access rights requested
      • Process ID correlation
  • Windows Event Logs:
    • Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
    • Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
  • Linux/macOS Monitoring:
    • AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
    • eBPF/XDP: Used for low-level monitoring of kernel process access.
    • OSQuery: Query process access behavior via structured SQL-like logging.
  • Procmon (Process Monitor) and Debugging Tools:
    • Windows Procmon: Captures real-time process interactions.
    • Linux strace / ptrace: Useful for tracking process behavior at the system call level.
Cluster A Galaxy A Cluster B Galaxy B Level
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
XPC Services - T1559.003 (8252f135-ed26-4ce1-ae61-f26e94429a19) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Process Access (1887a270-576a-4049-84de-ef746b2572d6) mitre-data-component 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern XPC Services - T1559.003 (8252f135-ed26-4ce1-ae61-f26e94429a19) Attack Pattern 2