Fork & run and its drawbacks for red team tradecraft
What the fork & run technique is and why it is bad for red team tradecraft.
I don’t think there’s any better analogy for explaining the fork and run technique than the animated series Rick and Morty. So, if you haven’t watched it, now is a good time to take a break and watch a couple of episodes. Go…I’ll wait.
Ok, now that we’re back.
In the series, Rick is a scientist who has mastered the art of cloning himself (and his grandson). Whenever he needs to go on a side quest, he creates a clone of himself (fork) and lets that clone take care of the quest (run). Meanwhile the “original” Rick goes on his own adventures with his grandson and spends time with his family. Once the side quest is over, he just kills off the clone.
The above analogy is how fork & run technique works in the world of computers as well. The original process creates a sacrificial process (fork), assigns it a task and executes it (run). Once the sacrificial process’s task is over, it is killed off. Fork & run is a legitimate functionality offered by many operating systems. It enables parallel processes and thereby multi-processing.
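The same fork/run/kill lifecycle in POSIX terms, as an added example that is not from the original post: the parent forks a child, the child replaces itself with the requested program (run), and the parent either waits for the child to finish or terminates it the moment it is no longer needed. The helper names (`fork_and_run`, `fork_and_kill`, `run_python_snippet`, `kill_sleeping_child`) are this example's own, and it uses the running Python interpreter as the child program so nothing else needs to be installed.

```python
import os
import signal
import sys


def _exit_status(status: int) -> int:
    """Translate a raw waitpid() status into a shell-style exit code."""
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    if os.WIFSIGNALED(status):
        return 128 + os.WTERMSIG(status)  # e.g. 143 when killed by SIGTERM
    return -1


def _fork_exec(argv) -> int:
    """Fork, then in the child replace the process image with argv[0] (the 'run' step).

    Returns the child's pid to the parent. The child never returns here: if the
    exec fails it exits with 127, the conventional "command not found" status.
    """
    pid = os.fork()
    if pid == 0:
        try:
            os.execvp(argv[0], argv)
        except BaseException:
            pass
        os._exit(127)
    return pid


def fork_and_run(argv) -> int:
    """Spawn a sacrificial child to do the task, wait for it, return its exit code."""
    pid = _fork_exec(argv)
    _, status = os.waitpid(pid, 0)
    return _exit_status(status)


def fork_and_kill(argv) -> int:
    """Spawn the child, then terminate it as soon as the parent no longer needs it."""
    pid = _fork_exec(argv)
    os.kill(pid, signal.SIGTERM)
    _, status = os.waitpid(pid, 0)  # reap the clone so it does not linger as a zombie
    return _exit_status(status)


def run_python_snippet(code: str) -> int:
    """Run a Python one-liner in a forked child and return its exit code."""
    return fork_and_run([sys.executable, "-c", code])


def kill_sleeping_child() -> int:
    """Start a child that would sleep for 30 s and kill it right away."""
    return fork_and_kill([sys.executable, "-c", "import time; time.sleep(30)"])


if __name__ == "__main__":
    print("child exit code :", run_python_snippet("import sys; sys.exit(3)"))
    print("missing program :", fork_and_run(["/nonexistent/program-placeholder"]))
    print("killed child    :", kill_sleeping_child())
```

The parent's own state is untouched throughout: only the child's address space is replaced by `execvp`, which is exactly why the technique was attractive for keeping the original process alive, and also why the extra process-creation and termination events are there for telemetry to pick up.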
For quite some time, fork & run was the go-to technique for executing malicious code without sacrificing the attacker-controlled process. It became so popular that Cobalt Strike used this technique as part of the execute-assembly module in version 3.11.
However, anti-malware and EDR vendors eventually caught on, and fork & run became the bane of red team tradecraft. These solutions started looking at process behavior (e.g. the Explorer process connecting to a web URL), abnormalities in parent-child process patterns (e.g. an MS Edge process spawning a PowerShell process), use of suspicious system calls (e.g. fork()) and resource usage patterns (e.g. spikes in CPU and memory usage) to detect this technique. In 2021, Cobalt Strike declared this technique “history” and introduced new process injection capabilities as part of the 4.5 release.
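As an added defender-side example (not from the original post), here is the parent-child heuristic from the paragraph above turned into code: it scans process-creation events in a Sysmon Event ID 1-like JSON shape and flags a browser or Office process spawning a shell or script host. The sample events are constructed, and the two lists of parent and child image names generalise the post's single MS Edge / PowerShell pair to other browsers, Office applications and script hosts; both lists are this example's own choices, not any vendor's rule set.

```python
import json
import ntpath

# Parents that have no routine reason to launch a shell or script host. This
# generalises the post's "MS Edge spawning PowerShell" pair; the set is this
# example's own choice.
SUSPICIOUS_PARENTS = {
    "msedge.exe", "chrome.exe", "firefox.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
}

# Children that usually mean code execution when started from such a parent.
SHELLS_AND_SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample telemetry (Sysmon Event ID 1 field names, invented values).
# Event 2 and event 5 should fire; event 3 (Explorer starting PowerShell, i.e. a
# user opening a console) and the network event (ID 3) should not.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessId": 4120, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentProcessId": 1200, "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "UtcTime": "2024-01-01 10:00:07.250", "ProcessId": 5312, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessId": 4120, "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}',
    r'{"EventID": 1, "UtcTime": "2024-01-01 10:01:00.000", "ProcessId": 5400, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessId": 1200, "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 3, "UtcTime": "2024-01-01 10:01:02.000", "ProcessId": 5400, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10"}',
    r'{"EventID": 1, "UtcTime": "2024-01-01 10:02:30.000", "ProcessId": 6048, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentProcessId": 3980, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
]


def image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased file name (Windows or POSIX separators)."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def is_suspicious_pair(parent_image: str, image: str) -> bool:
    """True when a browser/Office parent starts a shell or script host."""
    return (image_name(parent_image) in SUSPICIOUS_PARENTS
            and image_name(image) in SHELLS_AND_SCRIPT_HOSTS)


def find_suspicious_spawns(events) -> list:
    """Return the process-creation events (as dicts) whose parent/child pair matches."""
    hits = []
    for raw in events:
        event = json.loads(raw) if isinstance(raw, str) else raw
        if event.get("EventID") != 1:  # only process-creation records carry a parent
            continue
        if is_suspicious_pair(event.get("ParentImage", ""), event.get("Image", "")):
            hits.append(event)
    return hits


def format_alert(event: dict) -> str:
    """One-line, human-readable summary of a hit for a triage queue."""
    return (f'{event["UtcTime"]} suspicious spawn: '
            f'{image_name(event["ParentImage"])} (pid {event["ParentProcessId"]}) -> '
            f'{image_name(event["Image"])} (pid {event["ProcessId"]})')


if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS):
        print(format_alert(hit))
```

The rule matches on image names rather than full paths so that a relocated or renamed install directory does not hide the pair; in production the same idea is usually paired with the other signals the paragraph lists (the child's network activity, its lifetime, its resource usage) so that a single benign spawn does not page anyone.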
Fork & run is now considered an OPSEC-expensive technique and is no longer recommended for most engagements. The focus has shifted to other ways of executing code that do not rely on fork & run, such as using unmanaged code to execute binaries in memory, Process Hollowing, Process Ghosting, AtomBombing or other custom process injection techniques.
Red Team Notes
- Fork & run is a code execution technique in which a process spawns a sacrificial process to execute a task.
- It is no longer recommended for red team tradecraft because it is easily detected.
- Use alternative code execution techniques such as using unmanaged code to execute binaries in memory, Process Hollowing, Process Ghosting, AtomBombing etc.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.