1. Home
  2. Data Components
  3. Process Access

Process Access

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDR solutions that provide telemetry on inter-process access and memory manipulation.
  • Sysmon (Windows):
    • Event ID 10: Captures process access attempts, including:
      • Source process (initiator)
      • Target process (victim)
      • Access rights requested
      • Process ID correlation
  • Windows Event Logs:
    • Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
    • Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
  • Linux/macOS Monitoring:
    • AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
    • eBPF/XDP: Used for low-level monitoring of kernel process access.
    • OSQuery: Query process access behavior via structured SQL-like logging.
  • Procmon (Process Monitor) and Debugging Tools:
    • Windows Procmon: Captures real-time process interactions.
    • Linux strace / ptrace: Useful for tracking process behavior at the system call level.
ID: DC0035
Domains: Enterprise, Mobile
Version: 3.0
Created: 20 October 2021
Last Modified: 23 February 2026

Log Sources

Name Channel
android:logcat Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection
android:logcat Activity/Process state change (mFocusedApp, onResume/onPause) identifying as foreground
android:logcat Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for
android:logcat Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for
android:logcat Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for
android:logcat Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE
Apple TCC Logs Microphone Access Events
auditd:SYSCALL ptrace attach
auditd:SYSCALL High frequency of accept(), read(), or SSL_read() syscalls tied to nginx/apache processes
auditd:SYSCALL ptrace
auditd:SYSCALL ptrace syscall or access to /proc/*/mem
auditd:SYSCALL ACCESS
auditd:SYSCALL execve, fork, mmap, ptrace
auditd:SYSCALL ptrace or process_vm_readv
EDR:telemetry Sustained or high-frequency location sensor access, including background location usage
iOS:unifiedlog Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen
iOS:unifiedlog Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data
iOS:unifiedlog Foreground/background transition for to contextualize access timing
iOS:unifiedlog Keyboard extension Full Access change; privacy grant touching input/keyboard categories for
iOS:unifiedlog Keyboard extension Full Access change or related privacy grant for
iOS:unifiedlog Scene/foreground transitions for to contextualize timing
linux:osquery Process State
linux:osquery process_events
linux:syslog syscalls (open, read, ioctl) on /dev/input or /proc/*/fd/*
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_OPEN
macos:osquery process_open
macos:osquery unexpected memory inspection
macos:unifiedlog ptrace or task_for_pid
macos:unifiedlog Unexpected NSXPCConnection calls by non-Apple-signed or abnormal binaries
macos:unifiedlog Unusual Mach port registration or access attempts between unrelated processes
macos:unifiedlog subsystem=com.apple.security, library=libsystem_kernel.dylib
macos:unifiedlog vm_read, task_for_pid, or file open to cookie databases
WinEventLog:Security EventCode=4663, 4670, 4656
WinEventLog:Sysmon EventCode=10
WinEventLog:Sysmon EventCode=25

Detection Strategy

ID Name Technique Detected
DET0283 Behavior-chain detection for T1134 Access Token Manipulation on Windows T1134
DET0482 Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows T1134.001
DET0456 Behavior-chain detection for T1134.002 Create Process with Token (Windows) T1134.002
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) T1127.001
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0100 Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing T1055.004
DET0389 Behavioral Detection of DLL Injection via Windows API T1055.001
DET0102 Behavioral Detection of Input Capture Across Platforms T1056
DET0089 Behavioral Detection of Keylogging Activity Across Platforms T1056.001
DET0529 Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls T1106
DET0106 Behavioral Detection of PE Injection via Remote Memory Mapping T1055.002
DET0508 Behavioral Detection of Process Injection Across Platforms T1055
DET0295 Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching T1055.003
DET0221 Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS T1123
DET0341 Clipboard Data Access with Anomalous Context T1115
DET0234 Credential Dumping via Sensitive Memory and Registry Access Correlation T1003
DET0493 Detect Abuse of Inter-Process Communication (T1559) T1559
DET0335 Detect Abuse of XPC Services (T1559.003) T1559.003
DET0275 Detect Adversary Deobfuscation or Decoding of Files and Payloads T1140
DET0438 Detect Archiving via Custom Method (T1560.003) T1560.003
DET0507 Detect browser session hijacking via privilege, handle access, and remote thread into browsers T1185
DET0430 Detect Credentials Access from Password Stores T1555
DET0271 Detect Domain Controller Authentication Process Modification (Skeleton Key) T1556.001
DET0144 Detect Forged Kerberos Golden Tickets (T1558.001) T1558.001
DET0241 Detect Forged Kerberos Silver Tickets (T1558.002) T1558.002
DET0157 Detect Kerberoasting Attempts (T1558.003) T1558.003
DET0522 Detect Kerberos Ticket Theft or Forgery (T1558) T1558
DET0104 Detect Modification of Authentication Processes Across Platforms T1556
DET0580 Detect Network Provider DLL Registration and Credential Capture T1556.008
DET0037 Detect Suspicious Access to Browser Credential Stores T1555.003
DET0057 Detect Suspicious Access to securityd Memory for Credential Extraction T1555.002
DET0134 Detect Suspicious Access to Windows Credential Manager T1555.004
DET0597 Detect Unauthorized Access to Password Managers T1555.005
DET0420 Detect User Activity Based Sandbox Evasion via Input & Artifact Probing T1497.002
DET0433 Detecting Code Injection via mavinject.exe (App-V Injector) T1218.013
DET0011 Detecting Junk Data in C2 Channels via Behavioral Analysis T1001.001
DET0593 Detecting OS Credential Dumping via /proc Filesystem Access on Linux T1003.007
DET0440 Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse T1216.002
DET0034 Detection of Adversarial Process Discovery Behavior T1057
DET0097 Detection of Application Window Enumeration via API or Scripting T1010
DET0513 Detection of Cached Domain Credential Dumping via Local Hash Cache Access T1003.005
DET0643 Detection of Clipboard Data T1414
DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence T1003.001
DET0139 Detection of Credential Harvesting via API Hooking T1056.004
DET0426 Detection of Direct Volume Access for File System Evasion T1006
DET0007 Detection of Domain Trust Discovery via API, Script, and CLI Enumeration T1482
DET0676 Detection of GUI Input Capture T1417.002
DET0705 Detection of Input Capture T1417
DET0661 Detection of Keylogging T1417.001
DET0675 Detection of Location Tracking T1430
DET0437 Detection of LSA Secrets Dumping via Registry and Memory Extraction T1003.004
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0720 Detection of Obfuscated Files or Information T1406
DET0466 Detection of Script-Based Proxy Execution via Signed Microsoft Utilities T1216
DET0680 Detection of Security Software Discovery T1418.001
DET0621 Detection of Stored Application Data T1409
DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts T1539
DET0332 Detection Strategy for AutoHotKey & AutoIT Abuse T1059.010
DET0173 Detection Strategy for Endpoint DoS via Service Exhaustion Flood T1499.002
DET0174 Detection Strategy for Exploitation for Credential Access T1212
DET0514 Detection Strategy for Exploitation for Privilege Escalation T1068
DET0217 Detection Strategy for Extra Window Memory (EWM) Injection on Windows T1055.011
DET0260 Detection Strategy for Forged Web Credentials T1606
DET0577 Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows. T1574.013
DET0422 Detection Strategy for IFEO Injection on Windows T1546.012
DET0322 Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns T1027.016
DET0331 Detection Strategy for ListPlanting Injection on Windows T1055.015
DET0246 Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying T1111
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution T1027.014
DET0045 Detection Strategy for Process Argument Spoofing on Windows T1564.010
DET0544 Detection Strategy for Process Doppelgänging on Windows T1055.013
DET0382 Detection Strategy for Process Hollowing on Windows T1055.012
DET0300 Detection Strategy for Reflective Code Loading T1620
DET0388 Detection Strategy for T1548.002 – Bypass User Account Control (UAC) T1548.002
DET0352 Detection Strategy for T1550.003 - Pass the Ticket (Windows) T1550.003
DET0467 Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing T1055.005
DET0087 Encrypted or Encoded File Payload Detection Strategy T1027.013
DET0474 Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy T1480.001
DET0118 Exploitation of Remote Services – multi-platform lateral movement detection T1210
DET0368 Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks T1195.003
DET0023 Obfuscated Binary Unpacking Detection via Behavioral Patterns T1027.002
DET0491 Peripheral Device Enumeration via System Utilities and API Calls T1120
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0168 Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS T1497.001
DET0026 Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence T1547.012