Tag
Suspicious Use of PsLogList for Event Log Discovery and Evasion
1 rule 3 TTPsAdversaries are leveraging the legitimate Sysinternals utility PsLogList to perform account and system discovery by dumping Windows event logs, and for defense evasion by clearing or exporting these logs, increasing their ability to operate undetected and further compromise systems.
Detection of Renamed Sysinternals Tool Usage via Registry EULA Key
1 rule 1 TTPThis brief details a detection strategy for identifying the use of renamed Sysinternals utilities by monitoring for suspicious modifications to the 'EulaAccepted' registry key, indicating potential post-exploitation activity or defense evasion on Windows systems.
Suspicious Execution of Renamed Sysinternals Tools via Registry
1 rule 2 TTPsThis brief details a detection method for adversaries using renamed Sysinternals tools, a legitimate suite of utilities, to evade endpoint detection by triggering the `EulaAccepted` registry key creation, potentially leading to unauthorized system manipulation or data access on Windows systems.
Sysinternals PsSuspend Suspicious Execution to Impair Defenses
1 ruleAdversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.
Abuse of Microsoft Sysinternals PsSuspend Utility
1 rule 4 TTPsUnidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.
Detection of Sysinternals PsService Execution
1 rule 3 TTPsThis brief details the detection of Sysinternals PsService, a legitimate utility that can be abused by threat actors for service reconnaissance, manipulation, and persistence on Windows systems, potentially leading to privilege escalation or system disruption.
Procdump Execution Detection
1 rule 1 TTPThis brief details the detection of Procdump, a legitimate Sysinternals utility, which is frequently abused by attackers for credential dumping from sensitive processes like LSASS, enabling privilege escalation and lateral movement on Windows systems.
Permission Check Via Accesschk.EXE
1 rule 1 TTPAttackers are abusing the legitimate Sysinternals `Accesschk.exe` utility to perform permission discovery on Windows systems, a common step in privilege escalation attacks, allowing them to identify misconfigurations for gaining higher privileges.
Detecting Renamed ProcDump Execution for Evasion
1 rule 2 TTPsThis brief focuses on the detection of renamed Sysinternals ProcDump executables, a technique often employed by threat actors to evade security controls and perform credential dumping from LSASS memory on Windows systems, leading to potential lateral movement and privilege escalation.