MITRE ATT&CK® Data Component

DC0032: Process Creation

Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.

Enterprise | DC0032 | Data Component | Object v2.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Process creation telemetry is a foundational evidence source: it shows when an operating system starts an executable and can include the parent process, command-line arguments, and environment variables. For leaders, its value is not that it is tied to one specific technique here, but that many investigations and detections depend on knowing what ran, how it was launched, and what launched it.

Executive priority

Prioritize this as a core visibility and audit-readiness capability. If the organization cannot reliably capture and retain process creation records, SOC and incident response teams may struggle to validate unauthorized execution, scripting abuse, or privilege escalation attempts described in the official ATT&CK description. Executives should ask whether this telemetry is collected consistently, retained long enough for investigations, and usable as evidence during incident response and compliance reviews.

Technical view

Validate that process creation events capture parent-child process relationships, process arguments, and environment variables where available. Because the supplied ATT&CK object does not specify platforms, tactics, techniques, or detection logic, detection engineering should treat DC0032 as a general data component and map it locally to the operating systems, log sources, and analytic use cases in scope. SOC teams should confirm that event normalization preserves executable name/path, parent process, command line, user/context, timestamp, and host identity without over-filtering high-volume process data.

Likely telemetry

  • Process start or process creation events
  • Executable name and path
  • Parent-child process relationship data
  • Process arguments or command-line fields
  • Environment variable data where collected

Detection direction

  • Verify that process creation logging is enabled and centrally searchable for systems in scope.
  • Test whether parent process, arguments, and environment variable fields survive collection, forwarding, parsing, and retention.
  • Tune detections carefully because process creation is high-volume and legitimate administrative, software update, and scripting activity can resemble suspicious execution patterns.
  • Use this data component as a prerequisite for analytics involving unauthorized binaries, scripting abuse, and possible privilege escalation attempts, while mapping exact detection content to local platforms and ATT&CK techniques separately.
  • Document blind spots where process creation is not collected, command-line fields are truncated, environment variables are unavailable, or retention is too short for incident response timelines.
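The coverage checks above (fields surviving normalization, truncated command lines, unavailable environment data, and queryable parent lineage) as an added Python example; this is not Glexia's or MITRE's code, and the field names, the truncation limit and every sample event are constructed assumptions.

```python
from collections import Counter

# Fields the technical view says normalization must preserve (assumed schema names).
REQUIRED = ("host", "timestamp", "user", "pid", "ppid", "image", "command_line")
CMDLINE_LIMIT = 40  # assumed collector cap for the demo; real caps are far larger

# Constructed sample events; ppid 0 marks a root process in this schema (assumption).
EVENTS = [
    {"host": "ws01", "timestamp": "2024-05-01T10:00:00Z", "user": "alice", "pid": 100,
     "ppid": 0, "image": "explorer.exe", "command_line": "explorer.exe", "environment": {}},
    {"host": "ws01", "timestamp": "2024-05-01T10:01:00Z", "user": "alice", "pid": 200,
     "ppid": 100, "image": "winword.exe", "command_line": "winword.exe /n", "environment": None},
    {"host": "ws01", "timestamp": "2024-05-01T10:02:00Z", "user": "alice", "pid": 300,
     "ppid": 200, "image": "powershell.exe", "environment": None,
     "command_line": "powershell.exe -File " + "a" * 40 + ".ps1"},  # over the cap
    {"host": "ws01", "timestamp": "2024-05-01T10:03:00Z", "user": "", "pid": 400,
     "ppid": 999, "image": "cmd.exe", "command_line": "cmd.exe /c whoami", "environment": None},
]

def check_event(ev):
    """Return coverage issues for one event; an empty list means fully usable."""
    issues = [f"missing:{f}" for f in REQUIRED if ev.get(f) in (None, "")]
    if ev.get("environment") is None:
        issues.append("absent:environment")  # only collected where permitted
    if len(ev.get("command_line") or "") >= CMDLINE_LIMIT:
        issues.append("truncated:command_line")  # field hit the collector cap
    return issues

def lineage(events, host, pid):
    """Walk child -> parent on one host. Returns the image chain and True when the
    walk reached a root, False when it stopped at a parent that was never logged."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    chain, seen = [], set()
    while (host, pid) in by_pid and (host, pid) not in seen:  # seen guards pid-reuse loops
        seen.add((host, pid))
        ev = by_pid[(host, pid)]
        chain.append(ev["image"])
        pid = ev["ppid"]
    return chain, pid == 0

def coverage_report(events):
    """Tally issues across a batch so blind spots can be documented."""
    counts = Counter()
    for ev in events:
        counts.update(check_event(ev))
        if not lineage(events, ev["host"], ev["pid"])[1]:
            counts["lineage:incomplete"] += 1
    return dict(counts)
```

Run `coverage_report(EVENTS)` over a real normalized batch to get the per-field blind-spot counts the last bullet asks teams to document.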

Mitigation priorities

  • Establish process creation telemetry as a baseline logging requirement before relying on behavior-based detections that need execution context.
  • Standardize collection, normalization, retention, and access controls for process execution records across in-scope environments.
  • Protect log integrity and ensure SOC and incident responders can rapidly query process lineage during investigations.
  • Review data volume, privacy, and retention requirements so useful fields such as arguments and environment variables are collected responsibly where permitted.
  • Use telemetry gap assessments to prioritize logging improvements before adding higher-fidelity analytics that depend on this data.

Analyst notes and limits

This is an ATT&CK data component, not an adversary technique. Its main decision value is coverage validation: defenders should confirm that process execution evidence is available and complete enough to support detection and response workflows. No relationship context was supplied, so this take does not tie DC0032 to specific techniques, tactics, groups, software, or campaigns.

The official object provides a description but no official detection text, no platforms, no tactics, and no supplied relationships. Local environment details are required to determine exact log sources, field availability, retention needs, detection logic, and false-positive handling.

Official MITRE ATT&CK definition

Process Creation

Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: fcbf6e6db0c5609c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.1 | | Current bundle | fcbf6e6db0c5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DC0032

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.