CyberSecurityBoard
Sponsor Register Login

Researchers Bypassed CrowdStrike Falcon Sensor to Execute Malicious Applications

Security researchers at SEC Consult have discovered a significant vulnerability in CrowdStrike’s Falcon Sensor that allowed attackers to bypass detection mechanisms and execute malicious applications. The researchers at SEC Consult found that after an attacker gained NT AUTHORITY\SYSTEM permissions on a Windows machine, they could use Process Explorer to suspend CrowdStrike Falcon Sensor processes. When researcher resumed the suspended processes, CrowdStrike would immediately quarantine and remove the malicious tools, confirming that the suspension was indeed bypassing normal detection protocols. In their proof of concept, SEC Consult demonstrated how tools like winPEAS, Rubeus, and Certipy—typically blocked by CrowdStrike—could run unimpeded when the sensor processes were suspended. Process Explorer allowed for the suspension of these critical security processes without any resistance. When the Falcon Sensor processes were suspended, malicious applications that would normally be terminated or removed could execute freely and remain on the disk. While killing these processes was prohibited by the system, suspending them was surprisingly allowed, creating a significant security loophole. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The bypass technique involved suspending the EDR processes rather than attempting to terminate them, effectively creating a window of opportunity for malicious actors to operate undetected. However, by 2025, CrowdStrike silently implemented fixes that prevent process suspension, effectively acknowledging the security implications that they had previously dismissed. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Processes that were already hooked at the time of sensor suspension remained supervised by CrowdStrike’s kernel processes. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 14:25:17 +0000


Cyber News related to Researchers Bypassed CrowdStrike Falcon Sensor to Execute Malicious Applications

Falcon Cloud Security Supports Google Cloud Run to Strengthen Serverless Application Security - We're thrilled to share that the CrowdStrike Falcon® sensor now fully supports Google Cloud Run, bringing advanced security capabilities to your serverless applications. While we announced this at Google Cloud Next in April 2024, this blog goes ...
11 months ago Crowdstrike.com
CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent - CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor. These accomplishments demonstrate our ...
1 year ago Crowdstrike.com
CVE-2025-1146 - CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes ...
4 months ago Tenable.com
Researchers Bypassed CrowdStrike Falcon Sensor to Execute Malicious Applications - Security researchers at SEC Consult have discovered a significant vulnerability in CrowdStrike’s Falcon Sensor that allowed attackers to bypass detection mechanisms and execute malicious applications. The researchers at SEC Consult found that ...
3 months ago Cybersecuritynews.com
CrowdStrike Falcon Sensor for Linux TLS Vulnerability Enabling MiTM Attack - The vulnerability affects versions of the Falcon Sensor for Linux and related components prior to version 7.06. The issue arises from incorrect processing of server certificates during TLS communication with the CrowdStrike cloud. CrowdStrike has ...
4 months ago Cybersecuritynews.com CVE-2025-1146
CrowdStrike Enhances Cloud Asset Visualization to Accelerate Risk Prioritization - The massive increase in cloud adoption has driven adversaries to focus their efforts on cloud environments - a shift that led to cloud intrusions increasing by 75% in 2023, emphasizing the need for stronger cloud security. As organizations increase ...
1 year ago Crowdstrike.com
Generative AI Takes on SIEM - With more vendors adding support for generative AI to their platforms and products, life for security analysts seems to be getting deceptively easier. While adding generative AI capabilities to security information and event management is still in ...
1 year ago Darkreading.com
Hello Authentication Vulnerabilities Discovered: Stay Safe - In the realm of cybersecurity, a recent study has brought to light a series of Hello Authentication vulnerabilities that could compromise the Windows Hello authentication on popular laptop models, including Dell Inspiron 15, Lenovo ThinkPad T14, and ...
1 year ago Securityboulevard.com
US Grounds SpaceX Falcon After Second-Stage Issue | Silicon UK - The US Federal Aviation Administration (FAA) has grounded SpaceX’s Falcon rockets for the third time in three months after a second-stage problem occurred following the successful launch of a Dragon Crew mission that brought two astronauts to ...
8 months ago Silicon.co.uk Rocke
Top 10 XDR (Extended Detection & Response) Solutions - 2025 - CrowdStrike Falcon XDR uses this data to extend EDR outcomes and advanced threat detection across the security stack, thereby stopping breaches more quickly. It does this by using CrowdStrike’s world-class machine learning, artificial ...
2 months ago Cybersecuritynews.com
Privilege elevation exploits used in over 50% of insider attacks - Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner. A report by ...
1 year ago Bleepingcomputer.com CVE-2017-0213
\Logicube’s Falcon®-NEO2 Forensic Imager Achieves Project VIC Validation; Now VICS Data Compliant - Kindred Tech, the organization responsible for maintaining and curating the VICS (Video, Image, Classification Schema) data model, welcomes Falcon-NEO2 into the network of officially validated tools that support international standards for ...
1 month ago Cybersecuritynews.com
MEDUSA Ransomware Using Malicious ABYSSWORKER Driver to Disable EDR - Elastic Security Labs analysts noted that this driver is specifically designed to target and silence different EDR vendors, effectively removing a critical layer of defense against ransomware attacks. One particularly troubling aspect of the ...
3 months ago Cybersecuritynews.com Abyss Silence Medusa
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
CVE-2025-21992 - In the Linux kernel, the following vulnerability has been resolved: ...
2 months ago
PowerSchool previously hacked in August, months before data breach - Although the company has not officially disclosed the number of people impacted by this incident, BleepingComputer first reported that the threat actor claimed to have stolen the data of 72 million people, including students and teachers. In that ...
3 months ago Bleepingcomputer.com
Google Researchers' Attack Prompts ChatGPT to Reveal Its Training Data - A team of researchers primarily from Google's DeepMind systematically convinced ChatGPT to reveal snippets of the data it was trained on using a new type of attack prompt which asked a production model of the chatbot to repeat specific words forever. ...
1 year ago 404media.co
Linux io_uring Security Blind Spot Let Attackers Stealthly Deploy Rootkits - The research team at ARMO has demonstrated that popular security solutions, including CrowdStrike’s Falcon, Microsoft Defender, Falco, and Tetragon, are effectively “blind” to malicious activities performed via io_uring—an ...
2 months ago Cybersecuritynews.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
2 years ago Packetstormsecurity.com Lazarus Group
Researchers Uncover Simple Technique to Extract ChatGPT Training Data - Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web? The answer is an emphatic yes, according to ...
1 year ago Darkreading.com
Researchers extract RSA keys from SSH server signing errors - A team of academic researchers from universities in California and Massachusetts demonstrated that it's possible under certain conditions for passive network attackers to retrieve secret RSA keys from naturally occurring errors leading to failed SSH ...
1 year ago Bleepingcomputer.com
Apple To Drop Sensor From Some Watch Models - Redesign plan to remove blood-oxygen sensor on certain Apple Watch models is dependent on an appeal court decision. Apple is reportedly prepared to remove the blood-oxygen sensor from certain Apple Watch models, depending on a court decision. The ...
1 year ago Silicon.co.uk
5 Best Practices for Securing Azure Resources - Cloud computing has become the backbone for modern businesses due to its scalability, flexibility and cost-efficiency. As organizations choose cloud service providers to power their technological transformations, they must also properly secure their ...
1 year ago Crowdstrike.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
1 year ago Darkreading.com
Report Surfaces Extent of SaaS Application Insecurity - An analysis of how 493 organizations are employing software-as-a-service applications published today by Wing Security finds nearly all experienced a security incident involving at least one application. A full 81% reported security incidents ...
1 year ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)