{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sysinternals-pssuspend/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsSuspend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","utility","sysinternals","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThreat actors are increasingly misusing legitimate system utilities, like Microsoft's Sysinternals PsSuspend, to hinder security defenses. PsSuspend is a powerful tool designed for administrators to pause and resume processes on local or remote systems. However, its capability to suspend any running process, including critical antivirus (AV) and endpoint detection and response (EDR) agents, makes it an attractive target for adversaries seeking to operate undetected. This brief highlights the detection of PsSuspend being executed with command-line arguments targeting security processes such as \u003ccode\u003emsmpeng.exe\u003c/code\u003e (Microsoft Defender Antivirus service). Such activity indicates an attempt to temporarily disable or bypass security controls, allowing subsequent malicious activity to proceed without interference. While the exact campaigns are not specified in the source, this technique is broadly adopted by various sophisticated threat groups for defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e[Insufficient information in the provided source to construct a detailed 6-8 step attack chain covering initial access through impact. The source describes a single defense impairment action rather than a full campaign lifecycle.]\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of PsSuspend against security processes can lead to a critical blind spot in an organization's defense posture. When AV/EDR agents are suspended, they cease to monitor, detect, and prevent malicious activities, effectively disarming endpoint protection. This allows threat actors to perform actions such as executing malware, establishing persistence, exfiltrating data, or deploying ransomware without being detected. The immediate consequence is a loss of visibility and control, significantly increasing the risk of a successful breach and subsequent data compromise or system disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Sysinternals PsSuspend Suspicious Execution\u0026quot; to your SIEM and tune for your environment to detect attempts to suspend security products.\u003c/li\u003e\n\u003cli\u003eEnsure process creation logging, especially for command-line arguments, is enabled on all Windows endpoints to support the detection rules.\u003c/li\u003e\n\u003cli\u003eRestrict the execution of unauthorized or unapproved system utilities, including Sysinternals tools, on critical endpoints.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege to prevent unauthorized users or processes from running tools like PsSuspend.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:29:07Z","date_published":"2026-07-03T14:29:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/","summary":"Adversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.","title":"Sysinternals PsSuspend Suspicious Execution to Impair Defenses","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsSuspend"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","living-off-the-land","process-manipulation","windows","tool-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Sysinternals PsSuspend utility, a legitimate command-line tool, allows administrators to suspend and resume processes on local or remote Windows systems. While designed for troubleshooting and system management, its capabilities can be abused by threat actors to halt critical security software, database services, or other essential applications, thereby disrupting operations or facilitating malicious activities like data exfiltration or ransomware deployment. This brief focuses on the detection of PsSuspend's execution as an indicator of potential abuse. The source material does not detail a specific attack campaign or actor, but highlights the tool's potential for misuse within a broader attack chain to achieve objectives like evasion, persistence, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful abuse of PsSuspend can lead to significant operational disruption and security breaches. By suspending essential processes, attackers can disable endpoint detection and response (EDR) agents, anti-virus software, and other security controls, allowing them to operate undetected. It can also be used to pause critical business applications, leading to denial of service, data inconsistencies, or creating windows of opportunity for data exfiltration before legitimate processes can react. The impact could range from temporary service outages to complete system compromise if security tools are effectively bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (e.g., via Sysmon) on all Windows endpoints to ensure the \u003ccode\u003eprocess_creation\u003c/code\u003e log source is available.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Sysinternals PsSuspend Execution\u0026quot; Sigma rule to your SIEM for detecting PsSuspend usage.\u003c/li\u003e\n\u003cli\u003eMonitor for process suspensions that are not part of approved administrative tasks.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting or strict controls over the execution of Sysinternals tools on sensitive systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:28:11Z","date_published":"2026-07-03T14:28:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/","summary":"Unidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.","title":"Abuse of Microsoft Sysinternals PsSuspend Utility","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/"}],"language":"en","title":"CraftedSignal Threat Feed - Sysinternals PsSuspend","version":"https://jsonfeed.org/version/1.1"}