Why do you respond by suspending programs?

Criminals have learned that operating only in memory, using techniques such as process injection, provides a variety of advantages:

  1. Assuming control of the user's identity under which that program runs.

  2. Evasion of identity management checks, since the activity appears to come from a legitimate, already-authenticated program.

  3. Evasion of application-based firewall rules and whitelists, since the network traffic originates from a trusted program.

  4. Evasion of data loss prevention tools on servers.

  5. Loss of almost all in-memory evidence when the process is killed.

  6. Loss of almost all in-memory evidence once the computer is rebooted.

By suspending the programs under the attacker's control, the evidence is frozen in time.

The attacker is frozen along with it: a suspended process executes no further instructions, so the injected code can neither continue its work nor clean up after itself.

The evidence remains available to forensic tools (for example, a memory dump of the suspended process) as part of the investigation process.

If the organization is not equipped to perform forensics at the time, a simple reboot will bring the system back to a healthy state. Force-killing the suspended program and restarting it usually has the same effect. Both options destroy the in-memory evidence described above, so capture a memory image first if an investigation is expected.
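The freeze, triage, release sequence described above, as an added example that is not the product's code. The page does not say how the product suspends a program, so this script uses Linux SIGSTOP and /proc as stand-ins (an assumption). It spawns a constructed target process that keeps a constructed marker string in memory, shows the target makes no progress while stopped, reads the evidence while it is frozen, then kills it and shows the evidence is gone with the process.

```python
"""Freeze-then-triage demo (Linux only).  SIGSTOP and /proc are stand-ins for
whatever the product does; the FAQ does not say how it suspends a program."""
import os
import select
import signal
import subprocess
import sys
import time

# Constructed marker that lives only in the target's memory: the "evidence".
MARKER = b"CONSTRUCTED-IN-MEMORY-EVIDENCE-7f3a"


def spawn_target():
    """Child that keeps MARKER on its heap and prints a heartbeat every 50 ms;
    it stands in for a program an attacker has injected into."""
    child_src = (
        "import sys, time\n"
        f"evidence = bytearray({MARKER!r})\n"
        "while True:\n"
        "    sys.stdout.write('beat\\n'); sys.stdout.flush(); time.sleep(0.05)\n"
    )
    return subprocess.Popen([sys.executable, "-c", child_src], stdout=subprocess.PIPE)


def proc_state(pid):
    """State letter from /proc/<pid>/status (R running, S sleeping, T stopped,
    Z zombie); None once the process no longer exists."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("State:"):
                    return line.split()[1]
    except OSError:
        return None
    return None


def wait_for_state(pid, wanted, timeout=2.0):
    """Poll until /proc reports `wanted` (e.g. 'T' after SIGSTOP)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc_state(pid) == wanted:
            return True
        time.sleep(0.01)
    return False


def read_pending(fd, seconds):
    """Return everything the target writes to `fd` during the next `seconds`."""
    data, deadline = b"", time.monotonic() + seconds
    while True:
        left = deadline - time.monotonic()
        if left <= 0 or not select.select([fd], [], [], left)[0]:
            return data
        chunk = os.read(fd, 4096)
        if not chunk:  # EOF: the target is gone
            return data
        data += chunk


def marker_in_memory(pid, needle):
    """Scan the target's writable mappings through /proc/<pid>/mem.  True/False,
    or None when the kernel denies access (Yama ptrace_scope, hardened containers)."""
    try:
        with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
            for line in maps:
                addr, perms = line.split()[:2]
                if not perms.startswith("rw"):
                    continue
                start, end = (int(x, 16) for x in addr.split("-"))
                try:
                    mem.seek(start)
                    if needle in mem.read(end - start):
                        return True
                except (OSError, OverflowError, ValueError):
                    continue  # special region the kernel will not hand out
    except OSError:
        return None
    return False


def collect_volatile(pid):
    """Evidence that exists only while the process exists (raises once it is gone)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmdline = f.read().split(b"\0")
    with open(f"/proc/{pid}/maps") as f:
        n_mappings = sum(1 for _ in f)
    return {"cmdline": cmdline, "n_mappings": n_mappings,
            "marker_in_memory": marker_in_memory(pid, MARKER)}


def freeze_triage_release():
    """Run the whole sequence and return what was observed at each step."""
    proc, result = spawn_target(), {}
    fd = proc.stdout.fileno()
    try:
        if not select.select([fd], [], [], 5.0)[0]:
            raise RuntimeError("target never produced a heartbeat")
        os.kill(proc.pid, signal.SIGSTOP)                # freeze
        result["frozen"] = wait_for_state(proc.pid, "T")
        read_pending(fd, 0.1)                            # drain pre-stop output
        result["beats_while_frozen"] = read_pending(fd, 0.3).count(b"beat\n")
        result["evidence"] = collect_volatile(proc.pid)  # triage while frozen
    finally:
        proc.kill()                                      # release: SIGKILL
        proc.wait()
        proc.stdout.close()
    result["state_after_kill"] = proc_state(proc.pid)
    try:
        collect_volatile(proc.pid)
        result["evidence_after_kill"] = "still readable"
    except OSError:
        result["evidence_after_kill"] = None             # gone with the process
    return result


if __name__ == "__main__":
    print(freeze_triage_release())
```

The triage step is where a real investigation would take a full memory image of the stopped process (for example with gcore on Linux) before deciding whether to kill or reboot; once the process is killed, the same lookups fail, which is exactly the evidence loss the list above describes.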
