AN1501: Analytic 1501
Detects adversary abuse of Transactional NTFS (TxF) and undocumented process loading mechanisms (e.g., NtCreateProcessEx) to create a hollowed process from an uncommitted, maliciously tainted file image in memory, later executed via NtCreateThreadEx.
Analyst context for executives and security teams
AN1501 is a Windows detection analytic focused on a stealthy process-execution pattern: abusing Transactional NTFS and native process/thread creation mechanisms to run a hollowed process from a malicious file image that may never be committed to disk as an ordinary file. For leaders, the practical issue is whether endpoint monitoring can see beyond ordinary file and process events when adversaries use low-level Windows behavior to evade simpler controls.
Executive priority
Prioritize this as an endpoint visibility and incident-response readiness question. If the organization relies mainly on file-based scanning, standard process logs, or post-execution alerts, this behavior may expose a blind spot around in-memory execution and process hollowing. Security leaders should ask whether Windows endpoint telemetry, managed detection workflows, and IR playbooks can preserve enough evidence to explain how a suspicious process was created, what file image backed it, and whether transaction-based file activity was involved.
Technical view
For SOC and detection engineering teams, validate visibility on Windows hosts for Transactional NTFS activity, process creation using native/undocumented mechanisms such as NtCreateProcessEx, and thread creation such as NtCreateThreadEx. Because the official ATT&CK object does not provide detection logic, teams should treat AN1501 as a behavior to test against available endpoint telemetry rather than as a ready-made rule. Useful validation includes correlating unusual transaction-backed file activity with suspicious process image creation, memory-backed execution, hollowed process indicators, and subsequent remote or native thread creation.
Likely telemetry
- Windows endpoint detection and response telemetry
- Process creation and parent/child process metadata
- Thread creation telemetry, especially native thread creation indicators
- File system and NTFS transaction-related activity where available
- Image load and section/object metadata from endpoint or kernel-level sensors
Detection direction
- Confirm whether endpoint tooling can observe Transactional NTFS or transaction-backed file behavior; many standard Windows logs may not expose this in sufficient detail.
- Correlate low-level process creation, suspicious image backing, and thread creation rather than relying on a single event type.
- Tune for rarity and context: legitimate software, installers, security tools, or system components may use uncommon file/process APIs, so baselining by host role, signer, path, and process lineage is important.
- Validate whether detections still work when the malicious image is not present as a normal committed file on disk.
- Ensure alerts retain enough evidence for IR triage, including process lineage, image metadata, transaction/file object context if available, and memory-backed execution details.
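The correlation that the Technical view and Detection direction above call for, as an added example that is neither MITRE's analytic logic nor Glexia's: a small Python correlator run over a constructed sample of EDR-style events. The event schema, field names (`ts`, `host`, `pid`, `api`, `tx`, `section`, `image_on_disk`, `signer`) and every record are assumptions made for this example; the API names are real Windows/NT calls, but the telemetry is invented. The rule fires only when one process lineage writes a file under a transaction, maps it as a section, creates a process from that section with NtCreateProcessEx and then starts it with NtCreateThreadEx, and it carries the evidence an IR analyst needs (lineage, transaction, image path, rollback, on-disk presence) on the alert itself. A benign installer that also uses TxF but commits its transaction and starts its child through the documented path produces no alert.

```python
from collections import defaultdict

# Constructed sample telemetry in an assumed EDR-style schema (field names are this
# example's own, not any product's). API names are real NT/Win32 calls; the records
# are invented to show one suspicious lineage (host A) and one benign installer (host B).
SAMPLE_EVENTS = [
    # Host A: file written under a transaction, mapped as a section, used for
    # NtCreateProcessEx, transaction rolled back, thread started with NtCreateThreadEx
    {"ts": 100, "host": "A", "pid": 4000, "ppid": 900, "image": "C:\\Users\\u\\dl\\stage.exe",
     "api": "NtCreateTransaction", "tx": "tx1"},
    {"ts": 101, "host": "A", "pid": 4000, "api": "CreateFileTransactedW", "tx": "tx1",
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"ts": 102, "host": "A", "pid": 4000, "api": "NtCreateSection", "section": "sec1",
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"ts": 103, "host": "A", "pid": 4000, "api": "NtCreateProcessEx", "section": "sec1", "new_pid": 4100},
    {"ts": 104, "host": "A", "pid": 4000, "api": "NtRollbackTransaction", "tx": "tx1"},
    {"ts": 105, "host": "A", "pid": 4000, "api": "NtCreateThreadEx", "target_pid": 4100},
    {"ts": 106, "host": "A", "pid": 4100, "api": "ProcessStart", "image_on_disk": False, "signer": None},
    # Host B: an installer also uses TxF, but commits and starts the child through CreateProcessW
    {"ts": 200, "host": "B", "pid": 5000, "ppid": 800, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "api": "NtCreateTransaction", "tx": "tx2"},
    {"ts": 201, "host": "B", "pid": 5000, "api": "CreateFileTransactedW", "tx": "tx2",
     "path": "C:\\Program Files\\Vendor\\app.exe"},
    {"ts": 202, "host": "B", "pid": 5000, "api": "NtCommitTransaction", "tx": "tx2"},
    {"ts": 203, "host": "B", "pid": 5000, "api": "CreateProcessW", "new_pid": 5100,
     "path": "C:\\Program Files\\Vendor\\app.exe"},
    {"ts": 204, "host": "B", "pid": 5100, "api": "ProcessStart", "image_on_disk": True, "signer": "Vendor Inc"},
]

# Win32 calls that open or create a file inside a transaction.
TRANSACTED_FILE_APIS = {"CreateFileTransactedA", "CreateFileTransactedW"}


def correlate(events, window=60):
    """Return one alert per process created with NtCreateProcessEx from a section that
    maps a transacted file and then started with NtCreateThreadEx within `window` seconds.
    Severity is raised when the transaction was rolled back or the started process has no
    committed image on disk, the two signs that the image never became an ordinary file."""
    by_creator = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_creator[(e["host"], e["pid"])].append(e)
    # Process-start records of the created processes, keyed by (host, pid).
    starts = {(e["host"], e["pid"]): e for e in events if e["api"] == "ProcessStart"}
    alerts = []
    for (host, pid), evs in by_creator.items():
        # Collected up front so a rollback logged after the thread start still counts.
        rolled_back = {e["tx"] for e in evs if e["api"] == "NtRollbackTransaction"}
        creator = next((e for e in evs if "ppid" in e), evs[0])
        tx_of_path, path_of_section, candidates = {}, {}, {}
        for e in evs:
            api = e["api"]
            if api in TRANSACTED_FILE_APIS:
                tx_of_path[e["path"]] = e["tx"]
            elif api == "NtCreateSection" and e.get("path") in tx_of_path:
                path_of_section[e["section"]] = e["path"]
            elif api == "NtCreateProcessEx" and e.get("section") in path_of_section:
                path = path_of_section[e["section"]]
                candidates[e["new_pid"]] = {"ts": e["ts"], "path": path,
                                            "tx": tx_of_path[path], "section": e["section"]}
            elif api == "NtCreateThreadEx" and e.get("target_pid") in candidates:
                c = candidates[e["target_pid"]]
                if e["ts"] - c["ts"] > window:
                    continue
                start = starts.get((host, e["target_pid"]), {})
                on_disk = start.get("image_on_disk")
                evasive = c["tx"] in rolled_back or on_disk is False
                alerts.append({
                    "host": host,
                    "creator_pid": pid, "creator_ppid": creator.get("ppid"),
                    "creator_image": creator.get("image"),
                    "hollowed_pid": e["target_pid"],
                    "image_path": c["path"], "transaction": c["tx"], "section": c["section"],
                    "transaction_rolled_back": c["tx"] in rolled_back,
                    "image_on_disk": on_disk,
                    "started_signer": start.get("signer"),
                    "severity": "high" if evasive else "medium",
                    "timeline": [c["ts"], e["ts"]],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the correlator emits a single high-severity alert for host A and nothing for host B. In a real deployment the `by_creator` grouping would be replaced by whatever process identity the sensor exposes, and the baselining the Detection direction asks for (host role, signer, path, lineage) would be applied to `creator_image` and `started_signer` before the alert is raised rather than hard-coded here.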
Mitigation priorities
- First, verify Windows endpoint sensor coverage for process, thread, image-load, file-system, and memory-execution evidence relevant to this behavior.
- Strengthen behavioral detection and response workflows for process hollowing and in-memory execution, rather than depending only on file scanning.
- Use application control, least privilege, and endpoint hardening where appropriate to reduce opportunities for untrusted code execution.
- Ensure incident response procedures include memory capture or EDR evidence preservation when hollowed or transaction-backed execution is suspected.
- Review managed detection or SOC runbooks so analysts know how to investigate suspicious native process/thread creation patterns.
Analyst notes and limits
This object is a detection analytic, not a technique entry. It applies to Windows and describes detection intent for abuse of Transactional NTFS, NtCreateProcessEx, hollowed process creation, and NtCreateThreadEx. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied, so recommendations are framed as validation and telemetry requirements.
The supplied ATT&CK fields do not include a concrete query, data source list, mitigation mapping, tactic mapping, or relationship context. Local endpoint telemetry, EDR capability, Windows logging configuration, and baseline software behavior are required to determine actual coverage and alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 664a9c196a6c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1501 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.