Process Hiving - Red Teaming Whitepaper

Posted by Rob Bone and Ben Turner on Sep 2, 2021

Our red team has created a new technique, and accompanying tool, that allows a red team operator to avoid many of the usual indicators that can trigger detection alerts when using existing tools. Avoiding detection is a high priority for a red team operator because this usually signals the imminent end of the compromise, as the network defenders start to contain and eradicate the threat.

Process Hiving Image

What is Process Hiving?

The new tool, “RunPE”, uses a new technique called “Process Hiving”. This technique allows a single process to host other processes, creating a hive of process activity.

This technique allows red team operators to take their existing tools and stealthily run them from an implant. They can do so in a way that is familiar to them, passing arguments and capturing output, without the need to create additional processes. Consequently, the technique can be easily integrated into the operator’s existing workflow, affording them added stealth with minimal added complexity.


We have written a technical blog and full whitepaper on Process Hiving and RunPE, which you can access here.

Topics: Red Teaming, Process Hiving

Subscribe Here!

About LRQA Nettitude

Through our connected portfolio of advanced cybersecurity solutions, LRQA Nettitude helps organisations to identify and manage the vulnerabilities and threats that pose a risk to their business, building cybersecurity resilience and underpinning your business strategy with proactive measures.

Recent Posts

Posts by Tag

See all