Process Modification

Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDRs can monitor memory modifications and API-level calls.
  • Sysmon (Windows):
    • Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing.
    • Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts.
  • Linux/macOS Monitoring:
    • AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts.
    • eBPF/XDP: Monitors low-level system calls related to process modifications.
    • OSQuery: The processes table can be queried for unusual modifications.
  • Network-Based Monitoring:
    • Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process.
    • Syslog/OSSEC: Monitors logs for suspicious modifications.
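
As an added illustration (not part of this data-component page), the following Python pass applies two of the channels listed above to constructed sample records: an auditd mprotect transition from PROT_READ|PROT_WRITE to PROT_EXEC on the same region, a ptrace syscall, and a Sysmon Event ID 8 whose source and target process differ. The record layout, process IDs and image paths are assumptions made for the sample.

```python
"""Toy detection pass for the Process Modification data component (DC0020)."""
import re

# Linux memory-protection bits (from <sys/mman.h>) and x86_64 syscall numbers
PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4
SYS_MPROTECT, SYS_PTRACE = 10, 101

# Constructed sample records (not real telemetry). auditd encodes a0..a2 in hex;
# the Sysmon lines mimic Event ID 8 (CreateRemoteThread) fields as key=value.
SAMPLE_EVENTS = [
    "type=SYSCALL syscall=10 pid=4242 a0=7f3a1c000000 a1=1000 a2=3 exe=/usr/bin/svc",
    "type=SYSCALL syscall=10 pid=4242 a0=7f3a1c000000 a1=1000 a2=5 exe=/usr/bin/svc",
    "type=SYSCALL syscall=101 pid=5100 a0=10 a1=1f40 exe=/tmp/loader",  # a0=0x10 PTRACE_ATTACH
    "type=Sysmon EventID=8 SourceProcessId=1337 TargetProcessId=2048 "
    "SourceImage=C:\\tmp\\x.exe TargetImage=C:\\Windows\\explorer.exe",
    "type=Sysmon EventID=8 SourceProcessId=900 TargetProcessId=900 "
    "SourceImage=C:\\app\\a.exe TargetImage=C:\\app\\a.exe",
]


def parse_kv(line):
    """Split a key=value record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect(events):
    """Return (channel, pid, detail) findings in the order the records arrive."""
    findings = []
    last_prot = {}  # (pid, region address) -> protection last seen on that region
    for ev in map(parse_kv, events):
        if ev.get("type") == "SYSCALL":
            nr, pid = int(ev["syscall"]), int(ev["pid"])
            if nr == SYS_MPROTECT:
                key, prot = (pid, ev["a0"]), int(ev["a2"], 16)
                prev = last_prot.get(key)
                # Writable region later made executable: the auditd:memprotect channel
                if prev is not None and (prev & PROT_WRITE) and (prot & PROT_EXEC) \
                        and not (prev & PROT_EXEC):
                    findings.append(("auditd:memprotect RW->X", pid, ev["exe"]))
                last_prot[key] = prot
            elif nr == SYS_PTRACE:
                findings.append(("auditd:SYSCALL ptrace", pid, ev["exe"]))
        elif ev.get("EventID") == "8":
            src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
            if src != dst:  # thread created in another process: Sysmon EventCode=8 channel
                findings.append(("Sysmon EventCode=8 cross-process", int(src), ev["TargetImage"]))
    return findings
```

Same-process thread creation (the last sample record) is deliberately not reported, which keeps ordinary multithreaded programs out of the findings.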
ID: DC0020
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name – Channel

  • auditd:memprotect – change from PROT_READ|PROT_WRITE to PROT_EXEC
  • auditd:SYSCALL – rename, chmod
  • auditd:SYSCALL – mprotect
  • auditd:SYSCALL – kill syscalls targeting auditd process
  • auditd:SYSCALL – open, rename
  • auditd:SYSCALL – SYSCALL ptrace/mprotect
  • auditd:SYSCALL – rename
  • ebpf:tracepoints – Runtime memory overwrite of argv[] memory region
  • etw:Microsoft-Windows-Kernel-Process – Memory Modification / Unmapped module load or suspicious RWX allocations in the process space of a browser process
  • linux:osquery – Detection of bitwise operations or custom encryption functions in memory traces
  • linux:procfs – /proc/[pid]/maps, /proc/[pid]/mem
  • macos:endpointsecurity – ES_EVENT_MMAP
  • macos:endpointsecurity – ES_EVENT_TYPE_NOTIFY_MMAP
  • macos:osquery – Memory Mappings
  • macos:unifiedlog – memory mapping
  • macos:unifiedlog – Anomalous dyld dynamic library loads or RWX memory mappings in browser process
  • macos:unifiedlog – process, library load, memory operations
  • macos:unifiedlog – Abnormal memory operations (XOR/bitwise loops) during archive generation
  • WinEventLog:Sysmon – EventCode=8

Detection Strategy

ID – Name – Technique Detected

  • DET0556 – Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) – T1127.001
  • DET0537 – Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) – T1195
  • DET0100 – Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing – T1055.004
  • DET0106 – Behavioral Detection of PE Injection via Remote Memory Mapping – T1055.002
  • DET0508 – Behavioral Detection of Process Injection Across Platforms – T1055
  • DET0295 – Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching – T1055.003
  • DET0438 – Detect Archiving via Custom Method (T1560.003) – T1560.003
  • DET0507 – Detect browser session hijacking via privilege, handle access, and remote thread into browsers – T1185
  • DET0139 – Detection of Credential Harvesting via API Hooking – T1056.004
  • DET0062 – Detection Strategy for Disable or Modify Linux Audit System – T1562.012
  • DET0189 – Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification – T1027.005
  • DET0322 – Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns – T1027.016
  • DET0331 – Detection Strategy for ListPlanting Injection on Windows – T1055.015
  • DET0347 – Detection Strategy for Masquerading via Legitimate Resource Name or Location – T1036.005
  • DET0164 – Detection Strategy for Overwritten Process Arguments Masquerading – T1036.011
  • DET0324 – Detection Strategy for Polymorphic Code Mutation and Execution – T1027.014
  • DET0382 – Detection Strategy for Process Hollowing on Windows – T1055.012
  • DET0467 – Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing – T1055.005
  • DET0448 – Detection Strategy for VDSO Hijacking on Linux – T1055.014
  • DET0176 – Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) – T1189
  • DET0087 – Encrypted or Encoded File Payload Detection Strategy – T1027.013
  • DET0562 – Multi-Platform Execution Guardrails Environmental Validation Detection Strategy – T1480
  • DET0023 – Obfuscated Binary Unpacking Detection via Behavioral Patterns – T1027.002
  • DET0009 – Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) – T1195.001