Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96)

Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDRs can monitor memory modifications and API-level calls.
  • Sysmon (Windows):
    • Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing.
    • Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts.
  • Linux/macOS Monitoring:
    • AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts.
    • eBPF/XDP: Monitors low-level system calls related to process modifications.
    • OSQuery: The processes table can be queried for unusual modifications.
  • Network-Based Monitoring:
    • Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process.
    • Syslog/OSSEC: Monitors logs for suspicious modifications.
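As an added illustration of how the Sysmon sources above are consumed in practice (example code written for this page, not part of the galaxy entry or of Sysmon itself), the following script runs simple detection logic over Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) records. The field names (SourceImage, TargetImage, GrantedAccess, StartModule, ...) are the ones Sysmon emits and the access-right bit values are the documented Windows constants; the event records and the EDR agent path in the allowlist are constructed for the example.

```python
"""Toy Process Modification detector over Sysmon Event ID 8 and 10 records.

Added example: the records below are constructed, not captured from a real host,
and the allowlisted agent path is a hypothetical placeholder.
"""
from dataclasses import dataclass

# Windows process access rights that allow writing into or running code in
# another process (values from the Windows SDK).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
MODIFY_RIGHTS = {
    "PROCESS_CREATE_THREAD": PROCESS_CREATE_THREAD,
    "PROCESS_VM_OPERATION": PROCESS_VM_OPERATION,
    "PROCESS_VM_WRITE": PROCESS_VM_WRITE,
}
MODIFY_MASK = sum(MODIFY_RIGHTS.values())

# Hypothetical allowlist of images that legitimately open other processes
# (EDR sensors, debuggers); tune per environment.
BENIGN_SOURCES = {r"c:\program files\exampleedr\agent.exe"}


@dataclass
class Finding:
    event_id: int
    reason: str
    source: str
    target: str


def _allowlisted(rec):
    return rec["SourceImage"].lower() in BENIGN_SOURCES


def check_event8(rec):
    """Event ID 8: a thread was created in another process."""
    if rec["SourceProcessId"] == rec["TargetProcessId"] or _allowlisted(rec):
        return None
    reason = "cross-process thread creation"
    # Sysmon leaves StartModule empty when the thread entry point is not
    # backed by a loaded module, typical of code written into fresh memory.
    if not rec.get("StartModule"):
        reason += "; start address not in a mapped module"
    return Finding(8, reason, rec["SourceImage"], rec["TargetImage"])


def check_event10(rec):
    """Event ID 10: a handle to another process was obtained."""
    if rec["SourceProcessId"] == rec["TargetProcessId"] or _allowlisted(rec):
        return None
    granted = int(rec["GrantedAccess"], 16)
    if granted & MODIFY_MASK == 0:
        return None  # query/read-only handle, not a modification precursor
    bits = [name for name, bit in MODIFY_RIGHTS.items() if granted & bit]
    return Finding(10, "handle granted " + "|".join(bits),
                   rec["SourceImage"], rec["TargetImage"])


HANDLERS = {8: check_event8, 10: check_event10}


def analyse(records):
    """Return the list of findings for a sequence of Sysmon records (dicts)."""
    findings = []
    for rec in records:
        handler = HANDLERS.get(rec["EventID"])
        if handler is None:
            continue
        finding = handler(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": 4120, "TargetProcessId": 1324,
     "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 4120, "TargetProcessId": 1324,
     "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x000001D3A4F20000", "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceProcessId": 812, "TargetProcessId": 1324,
     "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2208, "TargetProcessId": 5016,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceProcessId": 900, "TargetProcessId": 5016,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x00007FFB1C2A0000",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[Event {f.event_id}] {f.source} -> {f.target}: {f.reason}")
```

On the constructed input the first two records (a handle with write/thread rights followed by a remote thread whose start address sits in no loaded module) and the last record (a remote thread with a module-backed entry point) produce findings; the allowlisted agent and the query-only handle do not. The two-event sequence from the same source is the pattern the Event ID 10 "often preceding injection attempts" note refers to.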
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1 |
| ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | 1 |
| Process Modification (d5fca4e4-e47a-487b-873f-3d22f8865e96) | mitre-data-component | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 1 |
| Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |
| Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |