
Process Access (1887a270-576a-4049-84de-ef746b2572d6)

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDR solutions that provide telemetry on inter-process access and memory manipulation.
  • Sysmon (Windows):
    • Event ID 10: Captures process access attempts, including:
      • Source process (initiator)
      • Target process (victim)
      • Access rights requested
      • Process ID correlation
  • Windows Event Logs:
    • Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
    • Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
  • Linux/macOS Monitoring:
    • AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
    • eBPF/XDP: Used for low-level monitoring of kernel process access.
    • OSQuery: Query process access behavior via structured SQL-like logging.
  • Procmon (Process Monitor) and Debugging Tools:
    • Windows Procmon: Captures real-time process interactions.
    • Linux strace / ptrace: Useful for tracking process behavior at the system call level.
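The Sysmon Event ID 10 fields listed above (source image, target image, granted access mask, PID correlation) are what a detection rule consumes. The following added example, not part of the MITRE or MISP page, parses constructed Event ID 10 XML records, decodes the GrantedAccess mask into PROCESS_* rights, and flags memory-intrusive rights requested against a sensitive target such as lsass.exe; the sample records and the tool path in them are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access-right bits as documented for OpenProcess.
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that let the source read or alter the target's memory or threads.
INTRUSIVE = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Constructed Sysmon Event ID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID></System>'
    '<EventData><Data Name="SourceImage">C:\\Windows\\System32\\Taskmgr.exe</Data><Data Name="SourceProcessId">4120</Data>'
    '<Data Name="TargetImage">C:\\Windows\\System32\\lsass.exe</Data><Data Name="TargetProcessId">712</Data>'
    '<Data Name="GrantedAccess">0x1000</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID></System>'
    '<EventData><Data Name="SourceImage">C:\\Users\\Public\\tool.exe</Data><Data Name="SourceProcessId">5532</Data>'
    '<Data Name="TargetImage">C:\\Windows\\System32\\lsass.exe</Data><Data Name="TargetProcessId">712</Data>'
    '<Data Name="GrantedAccess">0x1010</Data></EventData></Event>',
]

def parse_event10(xml_text):
    """Return the source/target/access fields of a Sysmon Event ID 10 record, or None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "10":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "source": data.get("SourceImage", ""),
        "target": data.get("TargetImage", ""),
        "source_pid": data.get("SourceProcessId"),
        "target_pid": data.get("TargetProcessId"),
        "granted": int(data.get("GrantedAccess", "0x0"), 16),
    }

def decode_rights(mask):
    """Expand a GrantedAccess mask into the PROCESS_* names it contains."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def is_suspicious(ev, sensitive=("\\lsass.exe",)):
    """True when memory-intrusive rights are requested against a sensitive target image."""
    target = ev["target"].lower()
    return target.endswith(tuple(s.lower() for s in sensitive)) and bool(ev["granted"] & INTRUSIVE)

def triage(events):
    """Return (source, target, rights) for each record that trips the rule."""
    hits = []
    for xml_text in events:
        ev = parse_event10(xml_text)
        if ev and is_suspicious(ev):
            hits.append((ev["source"], ev["target"], decode_rights(ev["granted"])))
    return hits
```

The first record (Task Manager asking only for PROCESS_QUERY_LIMITED_INFORMATION) passes; the second, which requests PROCESS_VM_READ on lsass.exe, is the kind of access the OS Credential Dumping and LSASS Memory rows below map to this data component.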
Relationships (34 rows):

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) | Attack Pattern | 1
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
XPC Services - T1559.003 (8252f135-ed26-4ce1-ae61-f26e94429a19) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) | Attack Pattern | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | 1
Process Access (1887a270-576a-4049-84de-ef746b2572d6) | mitre-data-component | Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) | Attack Pattern | 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) | Attack Pattern | 2
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | XPC Services - T1559.003 (8252f135-ed26-4ce1-ae61-f26e94429a19) | Attack Pattern | 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) | Attack Pattern | 2