MITRE ATT&CK® Analytic

AN1076: Analytic 1076

Detects adversary use of suspended process creation, using the CREATE_SUSPENDED flag via CreateProcess, followed by unmapping the memory of the child process (NtUnmapViewOfSection) and replacing it with malicious code via VirtualAllocEx/WriteProcessMemory, then SetThreadContext and ResumeThread to begin execution within the hollowed process.

Domain: Enterprise · ID: AN1076 · Type: Analytic · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about detecting Windows process hollowing: a legitimate program is started in a suspended state, its original executable image is unmapped from memory, different code is written in its place, and the main thread is then resumed so that the foreign code runs under the legitimate program's name and path. For leaders, the practical issue is that this behavior makes malicious execution appear to come from a trusted process, complicating triage, containment, and audit explanations after an incident.

Executive priority

Prioritize this as a Windows endpoint detection and incident response readiness topic. The decision value is whether the organization can prove it collects and correlates the process, memory, and API-level evidence needed to recognize suspicious process manipulation before responders are forced to rely only on post-compromise artifacts. Security leaders should ask whether EDR coverage, SOC runbooks, and evidence retention are sufficient to investigate hollowed-process scenarios and explain findings to risk, legal, and compliance stakeholders.

Technical view

For SOC and detection engineering teams, validate whether Windows endpoint telemetry can connect suspended process creation with subsequent memory unmapping, remote memory allocation or writing, thread context changes, and resumed execution in the same target process. Because the supplied ATT&CK object provides no separate detection logic, tactics, or relationships, treat AN1076 as a behavior description to operationalize rather than a complete analytic. Testing should focus on correlation quality (same target process, same initiating process, correct order, bounded time window), parent-child process context, image path and signer context, command-line context, and whether the process's on-disk image and its in-memory code or observed behavior diverge.

Likely telemetry

  • Windows process creation events, including parent-child relationships and command-line context
  • Endpoint detection telemetry for process creation flags or suspended process creation indicators
  • API or behavioral telemetry related to memory unmapping and remote process memory allocation/writes
  • Thread manipulation telemetry, including thread context changes and resumed execution where available
  • Process image metadata such as path, hash, signer, and loaded image context

Detection direction

  • Validate that detections correlate the sequence of suspicious process manipulation events rather than alerting on a single API name in isolation.
  • Tune for context: some security tools, debuggers, software updaters, or application compatibility mechanisms may create noisy process or memory-manipulation patterns.
  • Check blind spots where endpoint tools log process creation but not lower-level memory or thread manipulation behavior.
  • Ensure analysts can pivot from the apparent legitimate process to the initiating parent process and surrounding endpoint timeline.
  • Because no official detection text or relationship context is supplied, document local assumptions, tested data sources, and expected false-positive sources.
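The correlation that the Technical view and Detection direction sections describe, as an added example (this is not code from MITRE, the ATT&CK object, or Glexia). It keys each chain on the target process, only opens a chain on a CreateProcess that carried CREATE_SUSPENDED, requires the later stages to arrive in order from the same initiating process within a time window, and emits an alert that names both the apparent (target) image and the initiating process so an analyst can pivot. The event field names, the window, and the allow-list parameter are assumptions about a normalized EDR or API feed, and the sample events are constructed, not captured telemetry.

```python
"""Sequence correlation for process-hollowing telemetry (AN1076).
Added example, not code from MITRE, the ATT&CK object, or Glexia. Event field names
(ts, host, api, pid, actor_image, target_pid, target_image, flags) are assumptions
about a normalized EDR/API feed; SAMPLE_EVENTS is constructed, not captured."""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess

# The chain the analytic describes, in order; each stage lists the API names that
# satisfy it (Nt*/Zw* variants included so a syscall-level feed also matches).
STAGES = [
    ("create_suspended", {"CreateProcess"}),
    ("unmap", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("write", {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context", {"SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]
WINDOW_SECONDS = 120.0  # assumed budget for the whole chain; tune locally

@dataclass
class Chain:
    actor_pid: int
    actor_image: str
    target_pid: int
    target_image: str
    first_ts: float
    stage_idx: int = 1  # index into STAGES of the next stage we expect
    timeline: list = field(default_factory=list)

def detect_hollowing(events, benign_actors=frozenset()):
    """One alert per (host, target pid) whose API sequence completes STAGES in order.

    A chain opens only on CreateProcess carrying CREATE_SUSPENDED; later stages must come
    from the same actor pid, hit the same child and fall within WINDOW_SECONDS. A suspended
    create that is merely resumed (debugger, launcher) never alerts, nor does a lone
    WriteProcessMemory. benign_actors: full image paths (tune locally) whose chains are dropped.
    """
    chains, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("target_pid"))
        if ev["api"] == "CreateProcess":
            if ev.get("flags", 0) & CREATE_SUSPENDED and ev["actor_image"] not in benign_actors:
                chains[key] = Chain(ev["pid"], ev["actor_image"], ev["target_pid"],
                                    ev["target_image"], ev["ts"],
                                    timeline=[(ev["ts"], "create_suspended")])
            continue
        chain = chains.get(key)
        if chain is None or ev["pid"] != chain.actor_pid:
            continue  # no suspended create for this target, or a different actor
        if ev["ts"] - chain.first_ts > WINDOW_SECONDS:
            del chains[key]  # stale; later events are treated as unrelated
            continue
        expected_name, expected_apis = STAGES[chain.stage_idx]
        done_name, done_apis = STAGES[chain.stage_idx - 1]
        if ev["api"] in expected_apis:
            chain.timeline.append((ev["ts"], expected_name))
            chain.stage_idx += 1
        elif ev["api"] in done_apis:
            chain.timeline.append((ev["ts"], done_name))  # e.g. several writes in a row
        if chain.stage_idx == len(STAGES):
            alerts.append({
                "host": ev["host"], "target_pid": chain.target_pid,
                "target_image": chain.target_image,  # what the process appears to be
                "actor_pid": chain.actor_pid, "actor_image": chain.actor_image,  # pivot here
                "started": chain.first_ts, "completed": ev["ts"],
                "timeline": list(chain.timeline),
            })
            del chains[key]
    return alerts

def _ev(ts, host, api, pid, actor_image, target_pid, **extra):
    return {"ts": ts, "host": host, "api": api, "pid": pid,
            "actor_image": actor_image, "target_pid": target_pid, **extra}

TEMP_UPDATER = r"C:\Users\bob\AppData\Local\Temp\update.exe"  # constructed paths
DEBUGGER = r"C:\Program Files\Debugger\dbg.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

SAMPLE_EVENTS = [  # constructed, not captured telemetry
    # Full chain: an unsigned temp-dir binary hollows a suspended svchost.exe.
    _ev(100.0, "WS-01", "CreateProcess", 4242, TEMP_UPDATER, 5100, target_image=SVCHOST, flags=CREATE_SUSPENDED),
    _ev(100.1, "WS-01", "NtUnmapViewOfSection", 4242, TEMP_UPDATER, 5100),
    _ev(100.2, "WS-01", "VirtualAllocEx", 4242, TEMP_UPDATER, 5100),
    _ev(100.3, "WS-01", "WriteProcessMemory", 4242, TEMP_UPDATER, 5100),
    _ev(100.3, "WS-01", "WriteProcessMemory", 4242, TEMP_UPDATER, 5100),
    _ev(100.4, "WS-01", "SetThreadContext", 4242, TEMP_UPDATER, 5100),
    _ev(100.5, "WS-01", "ResumeThread", 4242, TEMP_UPDATER, 5100),
    # Debugger: suspended create, context change, resume, but no unmap or write.
    _ev(200.0, "WS-01", "CreateProcess", 7000, DEBUGGER, 7100, target_image=r"C:\dev\app.exe", flags=CREATE_SUSPENDED),
    _ev(200.5, "WS-01", "SetThreadContext", 7000, DEBUGGER, 7100),
    _ev(201.0, "WS-01", "ResumeThread", 7000, DEBUGGER, 7100),
    # A lone cross-process write with no suspended create behind it.
    _ev(300.0, "WS-01", "WriteProcessMemory", 8000, r"C:\tools\scanner.exe", 8100),
    # Stale chain on another host: the unmap arrives well after the window closed.
    _ev(400.0, "WS-02", "CreateProcess", 9000, TEMP_UPDATER, 9100, target_image=SVCHOST, flags=CREATE_SUSPENDED),
    _ev(600.0, "WS-02", "NtUnmapViewOfSection", 9000, TEMP_UPDATER, 9100),
]
```

Run against SAMPLE_EVENTS, only the first sequence produces an alert; the debugger pattern, the isolated write, and the stale chain are silent, which is the point of correlating the whole sequence rather than firing on one API name. The unmap stage is mandatory here because the analytic names it; if local telemetry shows hollowing variants that skip it, relax that stage locally and record the change with the other documented assumptions. The allow-list keys on full image paths, never on bare file names, since a file name is exactly what a hollowed process borrows.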

Mitigation priorities

  • Confirm broad Windows endpoint visibility first, especially on systems important to business operations or incident containment.
  • Harden endpoint execution controls and least-privilege practices to reduce opportunities for unauthorized process manipulation.
  • Use EDR prevention and behavioral detection capabilities where available, but validate with local telemetry rather than assuming coverage.
  • Maintain incident response playbooks for suspicious process injection or hollowing investigations, including containment, memory capture considerations, and evidence preservation.
  • Review detection coverage as part of compliance readiness where endpoint monitoring and incident evidence are audit-relevant.

Analyst notes and limits

AN1076 is a detection analytic object for Windows and describes suspended process creation followed by memory replacement and resumed execution in the altered process. No tactics, official detection field, aliases, labels, or relationship context were supplied, so this take focuses on defensive validation and evidence requirements rather than campaign, attribution, or impact claims.

This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, prevalence, guaranteed detection, or coverage beyond Windows. Local endpoint telemetry, EDR capabilities, retention, and SOC workflows are required to determine actual defensive readiness.

Official MITRE ATT&CK definition

Analytic 1076

Detects adversary use of suspended process creation, using the CREATE_SUSPENDED flag via CreateProcess, followed by unmapping the memory of the child process (NtUnmapViewOfSection) and replacing it with malicious code via VirtualAllocEx/WriteProcessMemory, then SetThreadContext and ResumeThread to begin execution within the hollowed process.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored snapshot)
Modified: (not present in the mirrored snapshot)
Raw hash: 42782921b442a18b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 42782921b442…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN1076 (source URL preserved in the mirrored reference record).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.