Our red team has created a new technique, and an accompanying tool, that allows a red team operator to avoid many of the usual indicators that trigger detection alerts when using existing tools. Avoiding detection is a high priority for a red team operator because detection usually signals the imminent end of the compromise, as the network defenders start to contain and eradicate the threat.
What is Process Hiving?
The new tool, “RunPE”, uses a new technique called “Process Hiving”. This technique allows a single process to host other processes, creating a hive of process activity.
This technique allows red team operators to take their existing tools and stealthily run them from an implant. They can do so in a way that is familiar to them, passing arguments and capturing output, without the need to create additional processes. Consequently, the technique can be easily integrated into the operator’s existing workflow, affording them added stealth with minimal added complexity.