AN1223: Analytic 1223
Detects anomalous process execution patterns where a process's parent terminates quickly after process creation or is re-parented to 'init' (PID 1), often indicating double-fork or daemon-style detachment. These behaviors sever the parent-child relationship and obscure the execution origin in process tree analysis.
Analyst context for executives and security teams
This analytic is about a Linux process behavior that can make investigations harder: a newly created process loses its original parent because the parent exits quickly or the child is re-parented to init/PID 1. For leaders, the value is not that this is always malicious, but that it can hide execution lineage and weaken the SOC’s ability to answer basic incident questions such as “what launched this?” and “where did it come from?”
Executive priority
Prioritize this as a visibility and investigation-readiness check for Linux environments. It supports operational resilience and incident response quality by validating whether security teams can preserve process lineage when software uses daemon-style or double-fork patterns. Because no tactic, technique relationship, or official detection logic is supplied, treat it as a detection-engineering input rather than a standalone risk finding.
Technical view
For SOC and detection engineering teams, validate Linux telemetry that records process creation, parent PID, executable path, command line, timestamps, and parent process termination timing. The analytic’s focus is anomalous process execution where the parent terminates quickly after child creation or the child becomes owned by init/PID 1. Tuning should distinguish expected daemon/service behavior from unusual detachment patterns, especially where the original execution chain is lost and process tree analysis becomes unreliable.
Likely telemetry
- Linux process creation events
- Parent process ID and child process ID metadata
- Process start and exit timestamps
- Executable path and command-line arguments
- Process re-parenting indicators, including parent becoming init/PID 1
Detection direction
- Validate that Linux endpoint or audit telemetry can capture both process creation and parent process termination close enough in time to identify quick parent exit behavior.
- Look for child processes re-parented to init/PID 1 shortly after creation, while accounting for legitimate daemonization and service management patterns.
- Tune against known-good Linux services, scheduled jobs, and application daemons to reduce false positives.
- Use this analytic to improve process tree reliability in investigations; do not treat re-parenting alone as proof of malicious activity.
- Because no official detection query is provided, local baselining and environment-specific thresholds are required.
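One way to turn the direction above into concrete detection logic, as an added example that is not part of the ATT&CK object or Glexia's analysis: a Python replay over constructed exec/exit events (the event shape, the threshold and the allowlist are assumptions) that flags children left alive by a quick parent exit and records the lineage a later process-tree view would no longer show.

```python
from dataclasses import dataclass

QUICK_EXIT_SECONDS = 1.0            # assumption: tune against local baselines
KNOWN_DAEMONS = {"/usr/sbin/cron"}  # hypothetical allowlist of services expected to daemonize

@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str
    start: float
    alive: bool = True

def analyze(events):
    """Replay exec/exit events in time order; flag children still alive when their
    parent exits (Linux re-parents them to init/PID 1 or a subreaper), and label a
    parent exit within QUICK_EXIT_SECONDS of the child's start as the double-fork shape."""
    procs, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "exec":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["exe"], ev["ts"])
        elif ev["type"] == "exit" and ev["pid"] in procs:
            parent = procs[ev["pid"]]
            parent.alive = False
            origin, p = [], parent.pid
            while p in procs:                 # record the exe chain before the link is lost
                origin.append(procs[p].exe)
                p = procs[p].ppid
            for child in procs.values():
                if child.ppid != parent.pid or not child.alive or child.exe in KNOWN_DAEMONS:
                    continue
                delta = round(ev["ts"] - child.start, 3)
                child.ppid = 1                # what a live process tree would now show
                findings.append({"pid": child.pid, "exe": child.exe, "parent_exit_delta": delta,
                                 "reason": "quick_parent_exit" if delta <= QUICK_EXIT_SECONDS else "orphaned",
                                 "original_lineage": origin})
    return findings

# Constructed sample telemetry (not from a real host): sshd -> bash -> updater double-forks; cron (allowlisted) daemonizes too.
SAMPLE_EVENTS = [
    {"type": "exec", "ts": 0.0,   "pid": 1000, "ppid": 1,    "exe": "/usr/sbin/sshd"},
    {"type": "exec", "ts": 10.0,  "pid": 2000, "ppid": 1000, "exe": "/bin/bash"},
    {"type": "exec", "ts": 12.0,  "pid": 2001, "ppid": 2000, "exe": "/tmp/updater"},
    {"type": "exec", "ts": 12.01, "pid": 2002, "ppid": 2001, "exe": "/tmp/updater"},
    {"type": "exit", "ts": 12.02, "pid": 2001},
    {"type": "exec", "ts": 20.0,  "pid": 3000, "ppid": 1000, "exe": "/usr/sbin/cron"},
    {"type": "exec", "ts": 20.01, "pid": 3001, "ppid": 3000, "exe": "/usr/sbin/cron"},
    {"type": "exit", "ts": 20.02, "pid": 3000},
    {"type": "exit", "ts": 100.0, "pid": 2000},
]
```

Running `analyze(SAMPLE_EVENTS)` yields a single finding for PID 2002 whose parent exited 0.01 s after creation, with the original sshd -> bash -> updater chain attached; the cron child is suppressed by the allowlist and the later bash exit produces nothing because its only child is already dead.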
Mitigation priorities
- First, ensure Linux host telemetry preserves process lineage, command line, executable path, and timing data needed for incident reconstruction.
- Second, baseline expected daemon-style process behavior for core services and business applications.
- Third, create triage procedures for detached or re-parented processes that include validating executable location, command line, user context, and surrounding process activity.
- Fourth, retain process telemetry long enough to support incident response and compliance evidence needs.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic for Linux only. It describes behavior that can obscure execution origin through parent termination or re-parenting to init/PID 1. No ATT&CK tactics, technique relationships, aliases, labels, or official detection implementation were supplied, so this assessment is framed around defensive validation and telemetry readiness rather than confirmed adversary use.
The supplied ATT&CK fields do not include an official detection query, tactic mapping, related techniques, threat groups, software, mitigations, or data source relationships. Any assessment of severity, maliciousness, or coverage depends on local Linux telemetry, service baselines, and incident context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fd4624acb17c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1223
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.