Security researchers at SEC Consult have discovered a significant vulnerability in CrowdStrike’s Falcon Sensor that allowed attackers to bypass detection mechanisms and execute malicious applications.
This vulnerability, dubbed “Sleeping Beauty,” was initially reported to CrowdStrike in late 2023 but was dismissed as merely a “detection gap.”
The bypass technique involved suspending the EDR processes rather than attempting to terminate them, effectively creating a window of opportunity for malicious actors to operate undetected.
The researchers at SEC Consult found that once an attacker had obtained NT AUTHORITY\SYSTEM privileges on a Windows host, they could use Sysinternals Process Explorer to suspend the CrowdStrike Falcon Sensor's user-mode processes.
While killing these processes was blocked, suspending them was allowed: Process Explorer could suspend these critical security processes without any resistance, creating a significant security loophole.
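Because a suspended process keeps its PID and still shows up as "running" in service and process listings, the condition is easy to miss from an administrator's console. The following health check is an added example written for this article, not SEC Consult's proof of concept or CrowdStrike's code: it enumerates the threads of the sensor's user-mode processes and reports a process as suspended when every thread is in the Wait state with WaitReason Suspended, which is the state Process Explorer's "Suspend" action leaves a process in. The sensor process names in $SensorProcessNames are an assumption (the article does not name them); adjust them for your environment, and run the script elevated so the threads of a SYSTEM process can be inspected.

```powershell
# Added example, not code from the article or from CrowdStrike.
# Assumption: the Falcon sensor's user-mode process names. Adjust for your tenant.
$SensorProcessNames = @('CSFalconService', 'CSFalconContainer')

function Get-SensorProcessState {
    param([string[]]$Names = $SensorProcessNames)

    foreach ($name in $Names) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Name = $name; Pid = $null; Threads = 0; SuspendedThreads = 0; Status = 'NotRunning' }
            continue
        }
        foreach ($p in $procs) {
            $threads = @($p.Threads)
            # NtSuspendProcess (what Process Explorer calls) leaves every thread in
            # ThreadState Wait with WaitReason Suspended. -and short-circuits, so
            # WaitReason is only read when the thread is actually waiting.
            $suspended = @($threads | Where-Object {
                $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
            })
            $status = if ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count) {
                'Suspended'
            } elseif ($suspended.Count -gt 0) {
                'PartiallySuspended'
            } else {
                'Running'
            }
            [pscustomobject]@{
                Name             = $p.ProcessName
                Pid              = $p.Id
                Threads          = $threads.Count
                SuspendedThreads = $suspended.Count
                Status           = $status
            }
        }
    }
}

$report = Get-SensorProcessState
$report | Format-Table -AutoSize

# Anything other than Running is worth a ticket: a stopped sensor is an outage,
# a suspended one is the condition described in this article.
if ($report | Where-Object Status -ne 'Running') {
    Write-Warning 'Falcon sensor user-mode process is not running normally; investigate before resuming it.'
    exit 1
}
```

A scheduled run of this check from a separate monitoring context gives a defender a signal that does not depend on the sensor itself reporting in. Note that it only inspects the user-mode processes; it says nothing about the kernel components, which, as the article goes on to explain, keep supervising already-hooked processes.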
The implications of this vulnerability are substantial for organizations relying on CrowdStrike for endpoint protection.
When the Falcon Sensor processes were suspended, malicious applications that would normally be terminated or removed could execute freely and remain on the disk.
This behavior stands in stark contrast to other EDR solutions like Microsoft Defender for Endpoint, which blocks suspension attempts entirely.
In their proof of concept, SEC Consult demonstrated how tools like winPEAS, Rubeus, and Certipy—typically blocked by CrowdStrike—could run unimpeded when the sensor processes were suspended.
The screenshots captioned "winPEAS starts" and "winPEAS can perform enumeration tasks" document winPEAS launching and completing its enumeration while the sensor processes remained suspended.
Implementation
The technical analysis revealed important caveats. Processes that were already hooked at the time the sensor was suspended remained supervised by CrowdStrike's kernel components.
This meant that certain high-risk actions, such as dumping LSASS memory, still triggered the protection mechanisms and led to the removal of the offending tool.
Even so, the gap gave attackers enough room to establish a foothold on protected systems.
When the researchers resumed the suspended processes, CrowdStrike immediately quarantined and removed the malicious tools, confirming that the suspension had been bypassing normal detection rather than merely delaying it.
Initially, CrowdStrike responded that this behavior “does not pose a security vulnerability within the sensor” and that “suspending the user mode service does not stop the kernel components or sensor communications.”
However, by 2025 CrowdStrike had quietly shipped changes that prevent the sensor processes from being suspended, effectively acknowledging the security implications it had previously dismissed.
SEC Consult noticed the change incidentally during later security assessments rather than through formal notification from the vendor.