Modify Process State

What is "Modify Process State"?

"Modify Process State" is a technique classified under the MITRE ATT&CK framework, specifically within the Privilege Escalation and Defense Evasion tactics. This technique involves an adversary manipulating the state of a running process to evade defenses or gain higher privileges on a system.

How is "Modify Process State" implemented?

  1. Direct Memory Access (DMA): Attackers may use tools or malware that interact directly with the physical memory of a host machine, bypassing standard operating system security controls to alter process states.

  2. Process Injection: Malicious code is injected into legitimate processes to modify their behavior, allowing malware to execute with the permissions of the hijacked process. Common methods include DLL injection, process hollowing, and thread execution hijacking.

  3. API Hooking: Malware may use API hooking to intercept system calls made by legitimate software. By modifying the responses or behaviors of these system calls, attackers can alter the application's normal operation without being detected.

  4. Ptrace System Calls: On Unix-like operating systems, ptrace is used for debugging. Attackers can use ptrace to attach to a running process and modify its memory or execution state.
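As an added defensive example (not part of the original page), the Python below flags the ptrace pattern described above in Linux auditd SYSCALL records: a process attaching to one that is not its own child and then writing into its memory or registers. The audit records are constructed for the example; the syscall numbers and request codes are the standard Linux x86_64/aarch64 values from <sys/ptrace.h>.

```python
"""Flag ptrace-based process tampering in Linux auditd SYSCALL records (added example)."""
import re
from collections import defaultdict

# Constructed sample records: pid 1601 attaches to pid 1234 (0x4d2) and writes into it;
# pid 2201 only calls PTRACE_TRACEME (normal debugger/child handshake); plus execve noise.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=1601 uid=1000 comm="payload" exe="/tmp/payload" key="ptrace"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=101 success=yes exit=0 a0=5 a1=4d2 a2=7f1a000 a3=cc pid=1601 uid=1000 comm="payload" exe="/tmp/payload" key="ptrace"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=101 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 pid=2201 uid=1000 comm="a.out" exe="/home/dev/a.out" key="ptrace"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd a1=7ffe a2=7fff a3=0 pid=2300 uid=1000 comm="ls" exe="/bin/ls"
"""

PTRACE_SYSCALL = {"c000003e": 101, "c00000b7": 117}  # ptrace syscall number on x86_64 / aarch64
# Request codes from <sys/ptrace.h>: attaching to a non-child process, and writing to the tracee.
ATTACH_REQUESTS = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
WRITE_REQUESTS = {4: "PTRACE_POKETEXT", 5: "PTRACE_POKEDATA", 6: "PTRACE_POKEUSER", 13: "PTRACE_SETREGS"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def ptrace_request(rec):
    """Return the ptrace request code (audit logs args in hex), or None if not a ptrace call."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(PTRACE_SYSCALL.get(rec.get("arch"))):
        return None
    return int(rec.get("a0", "0"), 16)

def find_ptrace_events(log_text):
    """Keep attach/write ptrace calls; PTRACE_TRACEME and read-only requests are ignored."""
    events = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        req = ptrace_request(rec)
        name = None if req is None else ATTACH_REQUESTS.get(req) or WRITE_REQUESTS.get(req)
        if name:
            events.append({"pid": int(rec["pid"]), "comm": rec.get("comm", "?"),
                           "target": int(rec["a1"], 16), "request": name})
    return events

def tampering_suspects(events):
    """Pids that attached to another process AND wrote into it (a state change, not a read-only debug)."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["pid"], ev["target"])].add(ev["request"])
    return sorted({pid for (pid, _), reqs in seen.items()
                   if reqs & set(ATTACH_REQUESTS.values()) and reqs & set(WRITE_REQUESTS.values())})
```

To collect such records on a host, an audit rule that watches the ptrace syscall is needed; the pairing of attach and write per (pid, target) keeps ordinary debugger sessions that only read from being reported.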

Where does "Modify Process State" typically occur?

This technique can be executed on any operating system but is commonly seen in environments where software processes have high-value information or access rights. It occurs in:

  • Desktops
  • Servers
  • Embedded systems
  • Mobile devices

The specific targets are often processes with elevated privileges or those integral to security functions (e.g., antivirus processes).

Why use "Modify Process State"?

  1. Bypass Security Mechanisms: By altering how applications or system processes operate, attackers can evade detection from security tools that rely on known behaviors or signatures.

  2. Privilege Escalation: Modifying the state of a process can allow attackers to execute arbitrary code with elevated privileges if they manage to inject code into a higher-privileged process.

  3. Persistence: Altering process states can help malicious code survive reboots and continue operating without detection by disguising itself within legitimate processes.

  4. Stealth: Running malicious actions within legitimate processes reduces the likelihood of discovery, since most monitoring tools trust these processes under normal operations.

By understanding and implementing this technique as part of their strategy, attackers leverage existing trusted systems to conceal their activities and maintain control over critical resources within targeted environments.