<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sysinternals PsSuspend - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/sysinternals-pssuspend/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 14:29:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/sysinternals-pssuspend/feed.xml" rel="self" type="application/rss+xml"/><item><title>Sysinternals PsSuspend Suspicious Execution to Impair Defenses</title><link>https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/</link><pubDate>Fri, 03 Jul 2026 14:29:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/</guid><description>Adversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.</description><content:encoded><![CDATA[<p>Threat actors are increasingly misusing legitimate system utilities, like Microsoft's Sysinternals PsSuspend, to hinder security defenses. PsSuspend is a powerful tool designed for administrators to pause and resume processes on local or remote systems. However, its capability to suspend any running process, including critical antivirus (AV) and endpoint detection and response (EDR) agents, makes it an attractive target for adversaries seeking to operate undetected. This brief highlights the detection of PsSuspend being executed with command-line arguments targeting security processes such as <code>msmpeng.exe</code> (Microsoft Defender Antivirus service). Such activity indicates an attempt to temporarily disable or bypass security controls, allowing subsequent malicious activity to proceed without interference. While the exact campaigns are not specified in the source, this technique is broadly adopted by various sophisticated threat groups for defense evasion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>[Insufficient information in the provided source to construct a detailed 6-8 step attack chain covering initial access through impact. The source describes a single defense impairment action rather than a full campaign lifecycle.]</p>
<h2 id="impact">Impact</h2>
<p>Successful execution of PsSuspend against security processes can lead to a critical blind spot in an organization's defense posture. When AV/EDR agents are suspended, they cease to monitor, detect, and prevent malicious activities, effectively disarming endpoint protection. This allows threat actors to perform actions such as executing malware, establishing persistence, exfiltrating data, or deploying ransomware without being detected. The immediate consequence is a loss of visibility and control, significantly increasing the risk of a successful breach and subsequent data compromise or system disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &quot;Sysinternals PsSuspend Suspicious Execution&quot; to your SIEM and tune for your environment to detect attempts to suspend security products.</li>
<li>Ensure process creation logging, especially for command-line arguments, is enabled on all Windows endpoints to support the detection rules.</li>
<li>Restrict the execution of unauthorized or unapproved system utilities, including Sysinternals tools, on critical endpoints.</li>
<li>Implement strong access controls and principle of least privilege to prevent unauthorized users or processes from running tools like PsSuspend.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>utility</category><category>sysinternals</category><category>windows</category></item><item><title>Abuse of Microsoft Sysinternals PsSuspend Utility</title><link>https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/</link><pubDate>Fri, 03 Jul 2026 14:28:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/</guid><description>Unidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.</description><content:encoded><![CDATA[<p>The Microsoft Sysinternals PsSuspend utility, a legitimate command-line tool, allows administrators to suspend and resume processes on local or remote Windows systems. While designed for troubleshooting and system management, its capabilities can be abused by threat actors to halt critical security software, database services, or other essential applications, thereby disrupting operations or facilitating malicious activities like data exfiltration or ransomware deployment. This brief focuses on the detection of PsSuspend's execution as an indicator of potential abuse. The source material does not detail a specific attack campaign or actor, but highlights the tool's potential for misuse within a broader attack chain to achieve objectives like evasion, persistence, or denial of service.</p>
<h2 id="impact">Impact</h2>
<p>The successful abuse of PsSuspend can lead to significant operational disruption and security breaches. By suspending essential processes, attackers can disable endpoint detection and response (EDR) agents, anti-virus software, and other security controls, allowing them to operate undetected. It can also be used to pause critical business applications, leading to denial of service, data inconsistencies, or creating windows of opportunity for data exfiltration before legitimate processes can react. The impact could range from temporary service outages to complete system compromise if security tools are effectively bypassed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging (e.g., via Sysmon) on all Windows endpoints to ensure the <code>process_creation</code> log source is available.</li>
<li>Deploy the &quot;Sysinternals PsSuspend Execution&quot; Sigma rule to your SIEM for detecting PsSuspend usage.</li>
<li>Monitor for process suspensions that are not part of approved administrative tasks.</li>
<li>Implement application whitelisting or strict controls over the execution of Sysinternals tools on sensitive systems.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>sysinternals</category><category>living-off-the-land</category><category>process-manipulation</category><category>windows</category><category>tool-abuse</category></item></channel></rss>