Skip to content

DC0020 Process Modification

Item Value
ID DC0020
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
auditd:memprotect change from PROT_READ
auditd:SYSCALL rename, chmod
auditd:SYSCALL mprotect
auditd:SYSCALL kill syscalls targeting auditd process
auditd:SYSCALL open, rename
auditd:SYSCALL SYSCALL ptrace/mprotect
auditd:SYSCALL rename
ebpf:tracepoints Runtime memory overwrite of argv[] memory region
etw:Microsoft-Windows-Kernel-Process Memory Modification / Unmapped module load or suspicious RWX allocations in the process space of a browser process
linux:osquery Detection of bitwise operations or custom encryption functions in memory traces
linux:procfs /proc/[pid]/maps, /proc/[pid]/mem
macos:endpointsecurity ES_EVENT_MMAP
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_MMAP
macos:osquery Memory Mappings
macos:unifiedlog memory mapping
macos:unifiedlog Anomalous dyld dynamic library loads or RWX memory mappings in browser process
macos:unifiedlog process, library load, memory operations
macos:unifiedlog Abnormal memory operations (XOR/bitwise loops) during archive generation
WinEventLog:Sysmon EventCode=8

Detection Strategy

ID Name Technique Detected
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) T1127.001
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0100 Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing T1055.004
DET0106 Behavioral Detection of PE Injection via Remote Memory Mapping T1055.002
DET0508 Behavioral Detection of Process Injection Across Platforms T1055
DET0295 Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching T1055.003
DET0438 Detect Archiving via Custom Method (T1560.003) T1560.003
DET0507 Detect browser session hijacking via privilege, handle access, and remote thread into browsers T1185
DET0139 Detection of Credential Harvesting via API Hooking T1056.004
DET0062 Detection Strategy for Disable or Modify Linux Audit System T1562.012
DET0189 Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification T1027.005
DET0322 Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns T1027.016
DET0331 Detection Strategy for ListPlanting Injection on Windows T1055.015
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0164 Detection Strategy for Overwritten Process Arguments Masquerading T1036.011
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution T1027.014
DET0382 Detection Strategy for Process Hollowing on Windows T1055.012
DET0467 Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing T1055.005
DET0448 Detection Strategy for VDSO Hijacking on Linux T1055.014
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0087 Encrypted or Encoded File Payload Detection Strategy T1027.013
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0023 Obfuscated Binary Unpacking Detection via Behavioral Patterns T1027.002
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001