LRQA Nettitude Blog

Process Hiving - Red Teaming Whitepaper

Posted by Rob Bone and Ben Turner on Sep 2, 2021 3:00:00 PM

Our red team has created a new technique, and an accompanying tool, that allows a red team operator to avoid many of the usual indicators that trigger detection alerts when existing tools are used. Avoiding detection is a high priority for a red team operator because detection usually signals the imminent end of the compromise, as the network defenders start to contain and eradicate the threat.


What is Process Hiving?

The new tool, “RunPE”, uses a new technique called “Process Hiving”. This technique allows a single process to host other processes, creating a hive of process activity.

This technique allows red team operators to take their existing tools and stealthily run them from an implant. They can do so in a way that is familiar to them, passing arguments and capturing output, without the need to create additional processes. Consequently, the technique can be easily integrated into the operator’s existing workflow, affording them added stealth with minimal added complexity.


We have written a technical blog and full whitepaper on Process Hiving and RunPE, which you can access here.

Topics: Red Teaming, Process Hiving
