MITRE ATT&CK® Data Component

DC0035: Process Access

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

*Data Collection Measures:*

- Endpoint Detection and Response (EDR) Tools:
  - EDR solutions that provide telemetry on inter-process access and memory manipulation.
- Sysmon (Windows):
  - Event ID 10: Captures process access attempts, including:
    - Source process (initiator)
    - Target process (victim)
    - Access rights requested
    - Process ID correlation
- Windows Event Logs:
  - Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
  - Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
- Linux/macOS Monitoring:
  - AuditD: Monitors process access through syscall tracing (e.g., `ptrace`, `open`, `read`, `write`).
  - eBPF/XDP: Used for low-level monitoring of kernel process access.
  - OSQuery: Query process access behavior via structured SQL-like logging.
- Procmon (Process Monitor) and Debugging Tools:
  - Windows Procmon: Captures real-time process interactions.
  - Linux strace / ptrace: Useful for tracking process behavior at the system call level.

Enterprise | DC0035 | Data Component | Object v3.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Process Access is evidence that one process tried to open or interact with another process, often to inspect memory, obtain handles, or alter execution flow. For leaders, this matters because the same signal can explain both legitimate administration/debugging and high-risk activity such as process injection, making it a key telemetry class for endpoint visibility and incident reconstruction.

Executive priority

Prioritize this as an endpoint detection and response readiness question: can the organization prove when sensitive or unusual process-to-process access occurs, who initiated it, and whether it was authorized? This data component supports SOC investigations, IR timelines, control validation, and audit evidence around monitoring of process manipulation behaviors, but it requires tuning because legitimate debugging, IPC, and administrative tools can create similar events.

Technical view

Validate whether endpoint telemetry captures source process, target process, requested access rights, and process ID correlation for process access attempts. The supplied ATT&CK description highlights EDR telemetry, Windows Sysmon Event ID 10, Windows Event IDs 4656 and 4690, Linux/macOS syscall-oriented monitoring such as AuditD, eBPF/XDP, OSQuery, and investigative tools such as Procmon or strace/ptrace. Because no ATT&CK detection text or relationship context is supplied, teams should build local baselines for expected inter-process access and then focus review on unusual source/target pairings, sensitive targets, unexpected access rights, and events that align with broader process injection or memory manipulation investigations.

Likely telemetry

  • EDR events for inter-process access and memory manipulation
  • Sysmon Event ID 10 with source process, target process, access rights, and PID correlation
  • Windows Event ID 4656 for attempted handle access to objects
  • Windows Event ID 4690 for attempted process modification
  • Linux/macOS syscall telemetry from AuditD, including ptrace/open/read/write-style activity

Detection direction

  • Confirm the organization actually collects process access events, not only process start/stop events.
  • Tune detections around source process, target process, access rights requested, and PID correlation rather than relying on process names alone.
  • Baseline legitimate debugging, IPC, endpoint tooling, and administrative activity to reduce false positives.
  • Prioritize review of unusual access to high-value or security-sensitive processes, especially when paired with other endpoint signals.
  • Validate retention and searchability so IR teams can reconstruct process relationships after an alert.
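As an added example (not code from the page, MITRE or Glexia), the following Python triage applies the detection direction above to Sysmon Event ID 10 records: it parses source image, target image, granted access mask and PIDs out of the Windows event XML, then scores each event on source/target pairing, requested rights and PID correlation against an assumed local baseline. The approved-source set, sensitive-target set and sample events are constructed for illustration and would be replaced by the organisation's own baseline.

```python
import xml.etree.ElementTree as ET

# Windows process access rights (winnt.h) behind "inspect or manipulate memory / modify execution flow".
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020
MANIPULATION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE
# Assumed local baseline (constructed for this example, not from the page).
APPROVED_SOURCES = {r"c:\tools\approved_debugger.exe", r"c:\program files\edr\agent.exe"}
SENSITIVE_TARGETS = {r"c:\windows\system32\lsass.exe"}

def parse_event10(xml_text):
    """Return EventData fields of a Sysmon event, or None unless EventID is 10."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # strip the Windows event namespace
        if tag == "EventID" and (el.text or "").strip() != "10":
            return None
        if tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields

def triage(ev):
    """Verdict from source/target pairing, granted rights and PID correlation."""
    if ev["SourceProcessId"] == ev["TargetProcessId"]:
        return "info", "self-access"             # a process opening itself is routine
    approved = ev["SourceImage"].lower() in APPROVED_SOURCES
    sensitive = ev["TargetImage"].lower() in SENSITIVE_TARGETS
    manipulates = bool(int(ev["GrantedAccess"], 16) & MANIPULATION_MASK)
    if sensitive and not approved:
        return "high", "unbaselined source opened sensitive target"
    if manipulates and not approved:
        return "medium", "unbaselined source granted write/thread rights"
    return "low", ("approved tooling" if (sensitive or manipulates) else "routine")

def sysmon_xml(src, spid, tgt, tpid, access):
    """Build a constructed Sysmon 10 event in the Windows event XML layout."""
    names = ("SourceImage", "SourceProcessId", "TargetImage", "TargetProcessId", "GrantedAccess")
    body = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in zip(names, (src, spid, tgt, tpid, access)))
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>10</EventID></System><EventData>{body}</EventData></Event>")

SAMPLE = [  # constructed events: (source, spid, target, tpid, GrantedAccess)
    (r"C:\Tools\approved_debugger.exe", "4100", r"C:\Windows\System32\lsass.exe", "700", "0x0410"),
    (r"C:\Users\Public\update.exe", "5520", r"C:\Windows\System32\lsass.exe", "700", "0x1FFFFF"),
    (r"C:\Users\Public\update.exe", "5520", r"C:\Windows\System32\notepad.exe", "3300", "0x0022"),
    (r"C:\Windows\explorer.exe", "2100", r"C:\Windows\System32\notepad.exe", "3300", "0x1000"),
    (r"C:\Windows\System32\svchost.exe", "900", r"C:\Windows\System32\svchost.exe", "900", "0x1000"),
]

def run_triage(samples=SAMPLE):
    return [triage(parse_event10(sysmon_xml(*s))) for s in samples]
```

The "low / approved tooling" verdict is deliberately kept rather than dropped so that baselined debugger and EDR activity against sensitive processes stays reviewable, as the baselining bullet above recommends.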

Mitigation priorities

  • Ensure an endpoint telemetry source is deployed and configured to record process access attempts where operationally feasible.
  • Enable or validate relevant audit sources such as Sysmon Event ID 10, Windows object/process modification auditing, or Linux/macOS syscall monitoring based on the environment.
  • Define approved use cases for debugging, administrative inspection, and process monitoring tools so exceptions can be governed.
  • Use least privilege and administrative control review to reduce unnecessary ability to inspect or modify other processes.
  • Include process access evidence requirements in incident response playbooks and compliance monitoring procedures.

Analyst notes and limits

This is a data component, not a technique. Its value is in proving visibility into process-to-process interaction that may support investigations of benign administration, debugging, IPC, process injection, or memory manipulation. Local baselining is essential because the official description explicitly notes both benign and malicious behaviors.

No ATT&CK tactics, platforms, official detection text, or relationship context were supplied. The object lists collection measures but does not provide detection logic, severity, adversary usage, or attribution. Environment-specific telemetry availability and normal process behavior must be validated locally.


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 0d364b3db18f427b...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 0d364b3db18f… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

1. [1] mitre-attack DC0035 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.