Skip to content
Threat Feed

Tag

Sysinternals

9 briefs RSS
medium advisory

Suspicious Use of PsLogList for Event Log Discovery and Evasion

Adversaries are leveraging the legitimate Sysinternals utility PsLogList to perform account and system discovery by dumping Windows event logs, and for defense evasion by clearing or exporting these logs, increasing their ability to operate undetected and further compromise systems.

sysinternals discovery defense-evasion account-discovery log-clearing windows
1r 3t
high advisory

Detection of Renamed Sysinternals Tool Usage via Registry EULA Key

This brief details a detection strategy for identifying the use of renamed Sysinternals utilities by monitoring for suspicious modifications to the 'EulaAccepted' registry key, indicating potential post-exploitation activity or defense evasion on Windows systems.

defense-evasion post-exploitation sysinternals registry windows
1r 1t
high advisory

Suspicious Execution of Renamed Sysinternals Tools via Registry

This brief details a detection method for adversaries using renamed Sysinternals tools, a legitimate suite of utilities, to evade endpoint detection by triggering the `EulaAccepted` registry key creation, potentially leading to unauthorized system manipulation or data access on Windows systems.

sysinternals evasion registry windows pua
1r 2t
high advisory

Sysinternals PsSuspend Suspicious Execution to Impair Defenses

Adversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.

Sysinternals PsSuspend defense-evasion utility sysinternals windows
1r
medium advisory

Abuse of Microsoft Sysinternals PsSuspend Utility

Unidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.

Sysinternals PsSuspend sysinternals living-off-the-land process-manipulation windows tool-abuse
1r 4t
medium advisory

Detection of Sysinternals PsService Execution

This brief details the detection of Sysinternals PsService, a legitimate utility that can be abused by threat actors for service reconnaissance, manipulation, and persistence on Windows systems, potentially leading to privilege escalation or system disruption.

Sysinternals PsService sysinternals process-execution service-manipulation windows
1r 3t
medium advisory

Procdump Execution Detection

This brief details the detection of Procdump, a legitimate Sysinternals utility, which is frequently abused by attackers for credential dumping from sensitive processes like LSASS, enabling privilege escalation and lateral movement on Windows systems.

Sysinternals ProcDump sysinternals credential-dumping process-memory windows
1r 1t
medium advisory

Permission Check Via Accesschk.EXE

Attackers are abusing the legitimate Sysinternals `Accesschk.exe` utility to perform permission discovery on Windows systems, a common step in privilege escalation attacks, allowing them to identify misconfigurations for gaining higher privileges.

Accesschk sysinternals privilege-escalation tool-abuse discovery windows
1r 1t
high advisory

Detecting Renamed ProcDump Execution for Evasion

This brief focuses on the detection of renamed Sysinternals ProcDump executables, a technique often employed by threat actors to evade security controls and perform credential dumping from LSASS memory on Windows systems, leading to potential lateral movement and privilege escalation.

Windows Sysinternals ProcDump stealth credential-dumping sysinternals evasion windows
1r 2t