DET0571: Detection of System Process Creation or Modification Across Platforms
Analyst context for executives and security teams
DET0571 is a MITRE detection strategy entry for identifying creation or modification of system processes associated with ATT&CK technique T1543, Create or Modify System Process. The business significance is that system-level process changes are often tied to persistence and privilege escalation, meaning a missed change can allow unauthorized code to survive reboots or run with elevated trust. Because this detection strategy has no official ATT&CK detection text or platform list of its own, teams should treat it as a prompt to validate local coverage for the related technique across the environments they actually operate.
Executive priority
Prioritize this area where system services, daemons, launch mechanisms, or container process definitions are material to business continuity. Leaders should ask whether the SOC can prove visibility into authorized versus unauthorized system process changes, whether incident responders can quickly identify when persistence was established, and whether change-control evidence supports audit and recovery decisions. This is especially relevant to resilience planning because persistence and privilege escalation can extend dwell time and complicate containment.
Technical view
The supplied relationship states that this strategy detects T1543, Create or Modify System Process, which is associated with persistence and privilege escalation on Containers, Linux, macOS, and Windows. Detection engineering should validate telemetry for creation, modification, enablement, or configuration changes to system-level processes and startup-managed components on the in-scope platforms. Because ATT&CK provides no official detection logic for DET0571, teams should build environment-specific analytics around baselining legitimate administrative activity, correlating changes with user, process, host, and change-ticket context, and escalating unusual system process modifications that lack an approved operational reason.
Likely telemetry
- Operating system process creation events
- Service or daemon creation, modification, enablement, or startup configuration records
- macOS launch agent and launch daemon configuration evidence where macOS is in scope
- Linux service manager, init, or daemon configuration evidence where Linux is in scope
- Windows service control and registry-backed service configuration evidence where Windows is in scope
Detection direction
- Confirm which related T1543 platforms are actually in scope before claiming coverage: Containers, Linux, macOS, and Windows are supported by the related technique, while DET0571 itself does not specify platforms.
- Tune detections around high-signal changes to system-level process configuration rather than generic process creation alone, since normal administration and software installation can produce substantial noise.
- Correlate system process changes with the initiating account, parent process, host role, maintenance window, and approved change record to reduce false positives.
- Look for persistence-relevant patterns: newly created services or daemons, modified startup behavior, unexpected execution paths, unusual command-line parameters, or changes made by non-standard administrative tooling.
- Validate retention and endpoint coverage gaps, especially for short-lived command execution, offline hosts, unmanaged containers, and systems where service configuration logs are not centrally collected.
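The correlation these bullets describe, as an added example that is not part of the DET0571 entry or MITRE's text: a small Python analytic that checks each normalized service, daemon, or launchd creation event against a per-role baseline and an approved change record, then adds enrichment flags for unusual execution paths and non-standard installation tooling. The baseline, change records, tool list, path list, and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed baseline of approved system services per host role (assumption).
APPROVED = {
    "web": {"nginx", "sshd", "node_exporter"},
    "workstation": {"sshd", "com.apple.backupd"},
}
# Constructed approved change records: (host, service) -> ticket id (assumption).
CHANGE_RECORDS = {("web-01", "backup-agent"): "CHG-1042"}
# Tooling that normally installs services on the in-scope platforms (assumption).
STANDARD_TOOLS = {"systemctl", "apt", "dpkg", "launchctl", "installer", "services.exe", "msiexec.exe"}
# Locations a persistent system process should not normally execute from (assumption).
UNUSUAL_PATHS = ("/tmp/", "/dev/shm/", "C:\\Users\\Public\\", "C:\\Windows\\Temp\\")

@dataclass
class ServiceEvent:
    host: str
    role: str
    platform: str       # linux | windows | macos | container
    service: str
    image_path: str     # service binary, launchd program, or container entrypoint
    actor: str          # initiating account
    tool: str           # process that created or modified the service definition

def score_event(ev):
    """Return (risk score, reasons); score 0 means baseline or change-controlled."""
    if ev.service in APPROVED.get(ev.role, set()):
        return 0, ["in approved baseline for role " + ev.role]
    ticket = CHANGE_RECORDS.get((ev.host, ev.service))
    if ticket:
        return 0, ["covered by change record " + ticket]
    score, reasons = 1, ["not in baseline and no change record"]
    if ev.image_path.startswith(UNUSUAL_PATHS):
        score, reasons = score + 2, reasons + ["executes from unusual path " + ev.image_path]
    if ev.tool not in STANDARD_TOOLS:
        score, reasons = score + 1, reasons + ["created by non-standard tool " + ev.tool]
    return score, reasons

def triage(events):
    """Events needing analyst review, highest score first: (host, service, score, reasons)."""
    hits = [(e.host, e.service, *score_event(e)) for e in events]
    return sorted((h for h in hits if h[2] > 0), key=lambda h: -h[2])

# Constructed sample events, already normalized from platform-native service/daemon/launchd logs.
SAMPLE_EVENTS = [
    ServiceEvent("web-01", "web", "linux", "nginx", "/usr/sbin/nginx", "deploy", "systemctl"),
    ServiceEvent("web-01", "web", "linux", "backup-agent", "/opt/backup/agent", "ops", "apt"),
    ServiceEvent("ws-07", "workstation", "macos", "com.example.updater", "/tmp/.x/updater", "jdoe", "bash"),
    ServiceEvent("db-02", "db", "windows", "WinSvcHelper", "C:\\Windows\\Temp\\svc.exe", "svc_admin", "services.exe"),
]
```

Only the two events with no baseline entry and no change record surface for review, and the enrichment reasons tell the analyst which of the bullet-point patterns fired.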
Mitigation priorities
- Establish authoritative baselines for approved system services, daemons, launch components, and container startup definitions on critical assets.
- Restrict who can create or modify system-level processes through least privilege and administrative access governance.
- Require change control for service and daemon modifications on production and high-value systems, and make those records available to SOC and IR teams.
- Centralize endpoint, system configuration, and administrative activity telemetry with retention sufficient for incident reconstruction.
- Periodically test detection logic by validating that benign, approved system process changes are observed and correctly enriched, without assuming ATT&CK provides a complete analytic for DET0571.
Analyst notes and limits
This take is based on the DET0571 detection strategy metadata and its relationship to T1543, Create or Modify System Process. The ATT&CK object does not provide an official description or detection procedure, so the practical guidance is derived from the related technique’s stated behavior, tactics, and platforms. Local asset inventory, operating system mix, administrative model, and logging architecture are required to turn this into validated coverage.
Official DET0571 description, detection text, tactics, and platforms are not provided. The platform and tactic context comes from the relationship to T1543, not from the detection strategy object itself. No claims are made about active exploitation, adversary attribution, product coverage, or guaranteed detection.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543 | Create or Modify System Process | This object detects Create or Modify System Process. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 48322f8ea445… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0571 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.