Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0822: Analytic 0822

Detects hijacking of an existing thread (OpenThread) through a behavioral chain involving thread suspension (SuspendThread), memory modification (VirtualAllocEx + WriteProcessMemory), context manipulation (SetThreadContext), and thread resumption—all within another live process's address space (ResumeThread).

EnterpriseAN0822AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on Windows thread hijacking behavior inside a live process: suspending an existing thread, changing memory and execution context, then resuming it. For leaders, the decision value is whether endpoint and SOC telemetry can show process-to-process memory and thread manipulation clearly enough to support rapid containment and investigation, rather than only seeing a suspicious process after execution has already shifted.

Executive priority

Prioritize this as an endpoint detection and incident response readiness question for Windows environments. The key business issue is not just whether a tool has a rule named for this behavior, but whether the organization can collect, retain, and interpret the low-level process, memory, and thread events needed to prove what process altered another process and when. This affects containment confidence, audit evidence after an intrusion, and control investment decisions around endpoint visibility.

Technical view

Validate coverage for the behavioral chain described by ATT&CK: OpenThread, SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread occurring against another live process address space on Windows. SOC and detection teams should test whether telemetry can correlate these actions across source process, target process, thread identifier, memory allocation/write activity, and timing. Because ATT&CK provides no separate official detection text and no relationship context for this analytic, local validation should determine which event sources expose these API-level behaviors and how much context is available for triage.

Likely telemetry

  • Endpoint detection and response telemetry for cross-process thread and memory operations
  • Windows process and thread activity metadata, including source and target process context where available
  • API or behavioral telemetry showing OpenThread, SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread patterns
  • Memory allocation and remote process write indicators
  • Process lineage, command-line, executable path, signer, user, and host context to support triage

Detection direction

  • Correlate the full behavior chain rather than alerting on a single API call where possible.
  • Validate visibility into both the process performing the operation and the live process being modified.
  • Tune against legitimate software that may manipulate other processes, such as debugging, security, management, or compatibility tooling, based on local baselines.
  • Confirm retention is sufficient for incident responders to reconstruct timing and scope across endpoint events.
  • Treat absence of telemetry as a coverage gap, since the supplied ATT&CK object does not include a ready-made detection implementation.

Mitigation priorities

  • Start by ensuring Windows endpoint telemetry can capture cross-process memory and thread manipulation at investigation depth.
  • Restrict or closely monitor administrative, debugging, and tooling privileges that can enable legitimate cross-process manipulation capabilities.
  • Use application control, least privilege, and endpoint hardening to reduce opportunities for untrusted code to run with access to other processes.
  • Document validated detection coverage and known blind spots as compliance and incident response evidence.
  • Review exceptions for tools that legitimately perform thread or memory operations so they do not create broad detection suppression.
Analyst notes and limits

The supplied object is a detection analytic for Windows only and describes a specific behavioral chain for thread hijacking. No tactics, related techniques, malware, groups, campaigns, mitigations, or official detection text were supplied, so this take is limited to defensive validation and telemetry planning based on the analytic description.

No relationship context or official detection implementation was provided. This response does not assert active exploitation, attribution, impact, or guaranteed detectability. Local endpoint architecture and telemetry sources will determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0822

Detects hijacking of an existing thread (OpenThread) through a behavioral chain involving thread suspension (SuspendThread), memory modification (VirtualAllocEx + WriteProcessMemory), context manipulation (SetThreadContext), and thread resumption—all within another live process's address space (ResumeThread).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a7b6625bbedc19f8...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a7b6625bbedc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0822
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use