100 Days of Red Team
Fork & run and its drawbacks for red team tradecraft

What the fork & run technique is and why it is bad for red team tradecraft.

Uday Mittal
Jan 03, 2025


I don’t think there’s any better analogy for explaining the fork and run technique than the animated series Rick and Morty. So, if you haven’t watched it, now is a good time to take a break and watch a couple of episodes. Go…I’ll wait.

Ok, now that we’re back.


In the series, Rick is a scientist who has mastered the art of cloning himself (and his grandson). Whenever he needs to go on a side quest, he creates a clone of himself (fork) and lets that clone take care of the quest (run). Meanwhile the “original” Rick goes on his own adventures with his grandson and spends time with his family. Once the side quest is over, he just kills off the clone.

The above analogy is how the fork & run technique works in the world of computers as well. The original process creates a sacrificial process (fork), assigns it a task and executes it (run). Once the sacrificial process’s task is over, it is killed off. Fork & run is legitimate functionality offered by many operating systems: it enables parallel processes and thereby multiprocessing.

For quite some time, fork & run was the go-to technique for executing malicious code without sacrificing the attacker-controlled process. It became so popular that Cobalt Strike used this technique as part of the execute-assembly module in version 3.11.

However, anti-malware and EDR vendors eventually caught on and fork & run became the bane of red team tradecraft. These solutions started looking at process behavior (e.g. an Explorer process connecting to a web URL), abnormalities in parent-child process patterns (e.g. an MS Edge process spawning a PowerShell process), use of suspicious system calls (e.g. fork()) and resource usage patterns (e.g. spikes in CPU and memory usage) to detect this technique. In 2021, Cobalt Strike declared this technique “history” and introduced new process injection capabilities as part of the 4.5 release.
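To make the detection side of this concrete, here is an added example (not code from the original post or from any EDR product) that scores process-creation records for the signals named above: unexpected parent-child pairs, a sacrificial host process started with no arguments, a very short process lifetime, and network activity from processes that normally have none. The record layout, the baseline sets, the weights and the sample events are all constructed assumptions; in a real environment the baselines would come from your own telemetry.

```python
"""Score process-creation telemetry for fork & run style artefacts.

Added example. Field names are assumed and modelled loosely on Sysmon Event ID 1,
plus the process's later lifetime and whether it opened a network connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str
    lifetime_s: Optional[float] = None   # seconds until exit; None if still running
    net_conn: bool = False               # process later opened an outbound connection


# Illustrative baselines (assumptions): tune these to what is normal in your estate.
SUSPICIOUS_PARENT_CHILD = {
    ("msedge.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
    ("explorer.exe", "rundll32.exe"),
}
SACRIFICIAL_HOSTS = {"rundll32.exe", "dllhost.exe", "werfault.exe"}
NO_NETWORK_EXPECTED = {"explorer.exe", "notepad.exe", "calc.exe"}
SHORT_LIVED_S = 10.0
ALERT_THRESHOLD = 2


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each weak signal adds weight; only the sum alerts."""
    parent, child = ev.parent_image.lower(), ev.image.lower()
    score, reasons = 0, []

    if (parent, child) in SUSPICIOUS_PARENT_CHILD:
        score += 3
        reasons.append("unexpected parent-child pair")

    argv = ev.cmdline.split()
    if child in SACRIFICIAL_HOSTS:
        # A host process started with no arguments does nothing useful on its own.
        if len(argv) <= 1:
            score += 2
            reasons.append("sacrificial host launched without arguments")
        # Short lifetime alone is weak evidence: crash handlers are legitimately short-lived.
        if ev.lifetime_s is not None and ev.lifetime_s < SHORT_LIVED_S:
            score += 1
            reasons.append("short-lived sacrificial host")
        if ev.net_conn:
            score += 2
            reasons.append("network activity from sacrificial host")

    if child in NO_NETWORK_EXPECTED and ev.net_conn:
        score += 2
        reasons.append("network activity from a process that normally has none")

    return score, reasons


def detect(events: List[ProcEvent]) -> Dict[int, Tuple[int, List[str]]]:
    """Map pid -> (score, reasons) for every event at or above the alert threshold."""
    hits: Dict[int, Tuple[int, List[str]]] = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits[ev.pid] = (score, reasons)
    return hits


# Constructed sample telemetry: a mix of benign activity and fork & run style patterns.
SAMPLE_EVENTS = [
    ProcEvent(4021, "services.exe", "svchost.exe", "svchost.exe -k netsvcs", None, True),
    ProcEvent(5133, "explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
    ProcEvent(5140, "explorer.exe", "rundll32.exe", "rundll32.exe", 3.2, True),
    ProcEvent(5188, "msedge.exe", "powershell.exe", "powershell.exe -File update.ps1", 41.0),
    ProcEvent(6002, "userinit.exe", "explorer.exe", "explorer.exe", None, True),
    ProcEvent(6010, "svchost.exe", "werfault.exe", "werfault.exe -u -p 5140 -s 1234", 2.0),
]


if __name__ == "__main__":
    for pid, (score, reasons) in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: score {score}: {'; '.join(reasons)}")
```

The weighting is the point of the design: a short-lived werfault.exe on its own stays below the threshold, while an argument-less rundll32.exe spawned by Explorer that then talks to the network accumulates several of the signals the vendors look for and alerts loudly.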

Fork & run is now considered an OPSEC-expensive technique and is no longer recommended for most engagements. The focus has shifted to other ways of executing code that do not rely on fork & run, such as using unmanaged code to execute binaries in memory, Process Hollowing, Process Ghosting, AtomBombing or other custom process injection techniques.

Red Team Notes
- Fork & Run is a code execution technique in which a process spawns a sacrificial process to execute a task.
- It is no longer recommended for red team tradecraft because it is easily detected.
- Use alternative code execution techniques, such as using unmanaged code to execute binaries in memory, Process Hollowing, Process Ghosting, AtomBombing etc.

Follow my journey of 100 Days of Red Team on WhatsApp or Discord.

© 2025 Uday Mittal