{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sysinternals/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["sysinternals","discovery","defense-evasion","account-discovery","log-clearing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief details the suspicious use of PsLogList, a legitimate command-line utility from the Sysinternals suite, which is being abused by adversaries for both discovery and defense evasion. PsLogList allows administrators to view, filter, dump, and clear Windows event logs. Attackers exploit this functionality to extract sensitive information, such as admin accounts from security logs, facilitating further account discovery and privilege escalation. Additionally, its capability to clear event logs (\u003ccode\u003e-c\u003c/code\u003e flag) or export them (\u003ccode\u003e-g\u003c/code\u003e flag) is utilized to hinder forensic analysis and remove traces of malicious activity. This activity has been observed in campaigns by advanced threat actors, including those targeting major telecommunications companies, highlighting its role in post-compromise reconnaissance and operational security. Detection focuses on command-line arguments indicative of malicious intent rather than legitimate administrative use.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: Adversaries gain initial access to a target system through various means, such as exploiting a public-facing application, phishing, or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTool Staging\u003c/strong\u003e: The PsLogList utility (\u003ccode\u003epsloglist.exe\u003c/code\u003e or \u003ccode\u003epsloglist64.exe\u003c/code\u003e) is downloaded and staged on the compromised system, often in a non-standard directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Log Discovery (Account Enumeration)\u003c/strong\u003e: The adversary executes \u003ccode\u003epsloglist.exe\u003c/code\u003e with parameters like \u003ccode\u003esecurity\u003c/code\u003e, \u003ccode\u003eapplication\u003c/code\u003e, or \u003ccode\u003esystem\u003c/code\u003e to dump relevant event logs, specifically searching for local or domain administrator accounts. Example: \u003ccode\u003epsloglist security -d 1000\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Log Export\u003c/strong\u003e: PsLogList is executed with the \u003ccode\u003e-g\u003c/code\u003e flag to export event logs to a file (\u003ccode\u003e.evt\u003c/code\u003e), allowing for offline analysis without triggering host-based detection. Example: \u003ccode\u003epsloglist security -g C:\\temp\\security.evt\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Log Clearing)\u003c/strong\u003e: The adversary uses \u003ccode\u003epsloglist.exe\u003c/code\u003e with the \u003ccode\u003e-c\u003c/code\u003e flag to clear specific event logs, such as the security log, to remove evidence of their presence and actions. Example: \u003ccode\u003epsloglist security -c\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Exploitation\u003c/strong\u003e: Information gathered from the event logs (e.g., admin accounts, system details) is then used to facilitate lateral movement, privilege escalation, or further targeting within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: Subsequent actions, such as data exfiltration or deploying ransomware, are executed, leveraging the gained privileges and evaded defenses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of PsLogList for event log discovery and defense evasion has a significant impact on an organization's security posture. Successful exploitation allows adversaries to gain a deeper understanding of the victim environment, identify valuable accounts for privilege escalation or lateral movement, and systematically erase their tracks. This directly hampers incident response efforts by removing crucial forensic evidence, making attribution and scope determination extremely difficult. In targeted attacks, such as those against major telcos by Chinese threat actors, this can lead to sustained compromise, intellectual property theft, and disruption of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eSuspicious Use of PsLogList\u003c/code\u003e Sigma rule to your SIEM to detect command-line activity associated with this tool.\u003c/li\u003e\n\u003cli\u003eEnsure process creation logging (e.g., via Sysmon) is enabled and configured to capture full command-line arguments to activate the rules above.\u003c/li\u003e\n\u003cli\u003eRegularly review administrative use of PsLogList to establish a baseline of legitimate activity and tune detections to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where PsLogList is executed with parameters for clearing (\u003ccode\u003e-c\u003c/code\u003e) or exporting (\u003ccode\u003e-g\u003c/code\u003e) event logs, especially if originating from non-administrative contexts or user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:40:17Z","date_published":"2026-07-03T14:40:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-suspicious-psloglist-use/","summary":"Adversaries are leveraging the legitimate Sysinternals utility PsLogList to perform account and system discovery by dumping Windows event logs, and for defense evasion by clearing or exporting these logs, increasing their ability to operate undetected and further compromise systems.","title":"Suspicious Use of PsLogList for Event Log Discovery and Evasion","url":"https://feed.craftedsignal.io/briefs/2026-07-suspicious-psloglist-use/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","post-exploitation","sysinternals","registry","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAdversaries frequently leverage legitimate system administration tools, such as the Microsoft Sysinternals Suite, to perform malicious activities while attempting to blend in with normal system operations and evade detection. A common tactic involves renaming these tools (e.g., PsExec, ProcDump, Process Explorer) to obfuscate their true identity. This brief outlines a detection mechanism specifically designed to identify instances where non-standard or renamed executables attempt to set the \u0026quot;EulaAccepted\u0026quot; registry key, which is typically written by the legitimate Sysinternals tools upon their first execution. Such activity is highly indicative of defense evasion or post-exploitation stages where attackers use these powerful utilities for lateral movement, privilege escalation, or data collection, often under a masqueraded name to avoid scrutiny. Early detection of such behaviors is critical for disrupting advanced persistent threats operating within a network.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful use of renamed Sysinternals tools can significantly hinder a defender's ability to identify and respond to malicious activity. Attackers utilizing this technique can achieve various objectives, including remote code execution, process dumping (for credential theft), system enumeration, and persistent access without immediately triggering alerts designed for known malicious binaries. This evasion increases dwell time, allows for deeper penetration into the network, and can lead to severe consequences such as data exfiltration, deployment of ransomware, or complete system compromise. Organizations across all sectors are susceptible, as this technique exploits common toolsets rather than specific vulnerabilities in widely deployed applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM/EDR platform to detect suspicious \u0026quot;EulaAccepted\u0026quot; registry key modifications by non-Sysinternals executables.\u003c/li\u003e\n\u003cli\u003eEnsure robust registry event logging is enabled for all Windows endpoints, especially for \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Sysinternals\\\u003c/code\u003e paths, to allow the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eConduct regular reviews of alerts generated by this rule to identify potential renamed Sysinternals usage and investigate the associated processes and parent processes.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting or strict execution policies to prevent unauthorized executables, particularly those mimicking legitimate tools, from running on critical systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:31:43Z","date_published":"2026-07-03T14:31:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-renamed-sysinternals-abuse/","summary":"This brief details a detection strategy for identifying the use of renamed Sysinternals utilities by monitoring for suspicious modifications to the 'EulaAccepted' registry key, indicating potential post-exploitation activity or defense evasion on Windows systems.","title":"Detection of Renamed Sysinternals Tool Usage via Registry EULA Key","url":"https://feed.craftedsignal.io/briefs/2026-07-renamed-sysinternals-abuse/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sysinternals","evasion","registry","windows","pua"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis intelligence focuses on the detection of highly suspicious activity involving the Sysinternals Suite, a collection of legitimate, powerful utilities developed by Microsoft. Adversaries frequently leverage these tools for various post-exploitation activities, including process manipulation, system information gathering, and privilege escalation. To circumvent security detections that might flag the execution of standard Sysinternals tool names (e.g., \u003ccode\u003ePsExec.exe\u003c/code\u003e, \u003ccode\u003eProcDump.exe\u003c/code\u003e), attackers often rename these executables. This brief highlights a detection opportunity centered around the creation of the \u003ccode\u003eEulaAccepted\u003c/code\u003e registry key, which is generated upon the first execution of a Sysinternals tool. When this key is created by an executable that does not match the known original Sysinternals filename, it strongly indicates an attempt at evasion, signaling potential malicious activity on Windows endpoints.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful execution of renamed Sysinternals tools allows adversaries to perform a wide range of actions on compromised Windows systems, often with elevated privileges. This could include dumping credentials, establishing persistence, monitoring system activity, or remotely executing commands, all while attempting to bypass standard security controls. Such evasion tactics enable attackers to remain undetected for longer periods, facilitating further malicious operations like data exfiltration, lateral movement, or the deployment of ransomware. The impact on an organization can range from data breaches and operational disruption to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Suspicious Execution Of Renamed Sysinternals Tools - Registry\u0026quot; to your SIEM/EDR to detect this evasive technique.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon and Windows Registry logging are comprehensively enabled across all endpoints to capture \u003ccode\u003eregistry_set\u003c/code\u003e events required for this detection.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u0026quot;Suspicious Execution Of Renamed Sysinternals Tools - Registry\u0026quot; rule immediately to determine the origin and intent of the renamed Sysinternals tool execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:30:39Z","date_published":"2026-07-03T14:30:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-renamed-sysinternals-registry/","summary":"This brief details a detection method for adversaries using renamed Sysinternals tools, a legitimate suite of utilities, to evade endpoint detection by triggering the `EulaAccepted` registry key creation, potentially leading to unauthorized system manipulation or data access on Windows systems.","title":"Suspicious Execution of Renamed Sysinternals Tools via Registry","url":"https://feed.craftedsignal.io/briefs/2026-07-renamed-sysinternals-registry/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsSuspend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","utility","sysinternals","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThreat actors are increasingly misusing legitimate system utilities, like Microsoft's Sysinternals PsSuspend, to hinder security defenses. PsSuspend is a powerful tool designed for administrators to pause and resume processes on local or remote systems. However, its capability to suspend any running process, including critical antivirus (AV) and endpoint detection and response (EDR) agents, makes it an attractive target for adversaries seeking to operate undetected. This brief highlights the detection of PsSuspend being executed with command-line arguments targeting security processes such as \u003ccode\u003emsmpeng.exe\u003c/code\u003e (Microsoft Defender Antivirus service). Such activity indicates an attempt to temporarily disable or bypass security controls, allowing subsequent malicious activity to proceed without interference. While the exact campaigns are not specified in the source, this technique is broadly adopted by various sophisticated threat groups for defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e[Insufficient information in the provided source to construct a detailed 6-8 step attack chain covering initial access through impact. The source describes a single defense impairment action rather than a full campaign lifecycle.]\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of PsSuspend against security processes can lead to a critical blind spot in an organization's defense posture. When AV/EDR agents are suspended, they cease to monitor, detect, and prevent malicious activities, effectively disarming endpoint protection. This allows threat actors to perform actions such as executing malware, establishing persistence, exfiltrating data, or deploying ransomware without being detected. The immediate consequence is a loss of visibility and control, significantly increasing the risk of a successful breach and subsequent data compromise or system disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Sysinternals PsSuspend Suspicious Execution\u0026quot; to your SIEM and tune for your environment to detect attempts to suspend security products.\u003c/li\u003e\n\u003cli\u003eEnsure process creation logging, especially for command-line arguments, is enabled on all Windows endpoints to support the detection rules.\u003c/li\u003e\n\u003cli\u003eRestrict the execution of unauthorized or unapproved system utilities, including Sysinternals tools, on critical endpoints.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege to prevent unauthorized users or processes from running tools like PsSuspend.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:29:07Z","date_published":"2026-07-03T14:29:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/","summary":"Adversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.","title":"Sysinternals PsSuspend Suspicious Execution to Impair Defenses","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsSuspend"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","living-off-the-land","process-manipulation","windows","tool-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Sysinternals PsSuspend utility, a legitimate command-line tool, allows administrators to suspend and resume processes on local or remote Windows systems. While designed for troubleshooting and system management, its capabilities can be abused by threat actors to halt critical security software, database services, or other essential applications, thereby disrupting operations or facilitating malicious activities like data exfiltration or ransomware deployment. This brief focuses on the detection of PsSuspend's execution as an indicator of potential abuse. The source material does not detail a specific attack campaign or actor, but highlights the tool's potential for misuse within a broader attack chain to achieve objectives like evasion, persistence, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful abuse of PsSuspend can lead to significant operational disruption and security breaches. By suspending essential processes, attackers can disable endpoint detection and response (EDR) agents, anti-virus software, and other security controls, allowing them to operate undetected. It can also be used to pause critical business applications, leading to denial of service, data inconsistencies, or creating windows of opportunity for data exfiltration before legitimate processes can react. The impact could range from temporary service outages to complete system compromise if security tools are effectively bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (e.g., via Sysmon) on all Windows endpoints to ensure the \u003ccode\u003eprocess_creation\u003c/code\u003e log source is available.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Sysinternals PsSuspend Execution\u0026quot; Sigma rule to your SIEM for detecting PsSuspend usage.\u003c/li\u003e\n\u003cli\u003eMonitor for process suspensions that are not part of approved administrative tasks.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting or strict controls over the execution of Sysinternals tools on sensitive systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:28:11Z","date_published":"2026-07-03T14:28:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/","summary":"Unidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.","title":"Abuse of Microsoft Sysinternals PsSuspend Utility","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsService"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","process-execution","service-manipulation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eSysinternals PsService is a command-line utility for Windows systems that allows users, typically administrators, to view and control services. While a legitimate tool for system management, it can be leveraged by malicious actors post-compromise for various nefarious activities. Threat actors can use PsService to enumerate running services for discovery (TA0007), stop critical services to disrupt operations, start malicious services for persistence (TA0003), or modify service configurations to achieve privilege escalation (TA0004). The execution of this tool, especially from unusual directories or by non-administrative accounts, is a strong indicator of potential malicious activity. Defenders should be aware of its legitimate uses versus its potential for abuse in the hands of an attacker to identify anomalous behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis detection brief focuses on the execution of a specific tool, Sysinternals PsService, which can be used at various stages of an attack. The source material does not provide a full, observed attack chain from initial access to impact. Therefore, this section is omitted as per quality requirements.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of Sysinternals PsService can lead to significant impact depending on how an attacker utilizes it. If used for reconnaissance, it facilitates further lateral movement or targeting of critical systems. If used to stop or disable essential services, it can cause severe disruption to business operations, leading to downtime and data loss. Modifying services can grant attackers elevated privileges, allowing them to install persistent backdoors or execute arbitrary code with SYSTEM rights, compromising the integrity and confidentiality of the affected system and potentially the entire network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided \u0026quot;Sysinternals PsService Execution\u0026quot; Sigma rule to your SIEM solution to detect instances of \u003ccode\u003ePsService.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, such as via Sysmon, to ensure the necessary \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eOriginalFileName\u003c/code\u003e fields are captured for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts from the \u0026quot;Sysinternals PsService Execution\u0026quot; rule, paying close attention to the parent process, command-line arguments, and the user context of the execution.\u003c/li\u003e\n\u003cli\u003eReview legitimate uses of PsService within your environment and consider whitelisting known legitimate execution paths or users if false positives occur, as highlighted in the rule's \u003ccode\u003efalsepositives\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:27:18Z","date_published":"2026-07-03T14:27:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-psservice-execution/","summary":"This brief details the detection of Sysinternals PsService, a legitimate utility that can be abused by threat actors for service reconnaissance, manipulation, and persistence on Windows systems, potentially leading to privilege escalation or system disruption.","title":"Detection of Sysinternals PsService Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-psservice-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals ProcDump"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","credential-dumping","process-memory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eProcdump is a command-line utility from Microsoft's Sysinternals suite, designed primarily for troubleshooting application crashes by generating memory dumps of processes. While a legitimate tool used by developers and system administrators for debugging, it is also widely co-opted by malicious actors. Attackers leverage Procdump to dump the memory of sensitive processes, most notably Local Security Authority Subsystem Service (LSASS), to extract credentials such as NTLM hashes or plaintext passwords. This technique allows adversaries to bypass traditional endpoint security measures that might block direct access to LSASS or other credential-storage mechanisms. Its execution often indicates an attacker has already gained a foothold and is attempting to escalate privileges or move laterally within a compromised Windows environment.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful abuse of Procdump can lead to significant compromise. By extracting credentials from processes like LSASS, attackers gain access to legitimate user and administrative account credentials. This enables them to perform lateral movement, access restricted resources, escalate privileges, and maintain persistence within an organization's network. The primary impact is unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system destruction, or deployment of further malicious payloads like ransomware. The ease with which Procdump can be used makes it a popular choice for credential dumping in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Procdump Execution\u0026quot; to your SIEM to alert on the execution of the \u003ccode\u003eprocdump.exe\u003c/code\u003e binary.\u003c/li\u003e\n\u003cli\u003eInvestigate all instances of \u003ccode\u003eprocdump.exe\u003c/code\u003e, \u003ccode\u003eprocdump64.exe\u003c/code\u003e, or \u003ccode\u003eprocdump64a.exe\u003c/code\u003e execution, especially if originating from non-standard directories or executed by non-administrative accounts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure \u003ccode\u003eprocess_creation\u003c/code\u003e events for \u003ccode\u003eprocdump.exe\u003c/code\u003e are collected and available for analysis by the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview legitimate use cases for Procdump within your environment and create baselines or whitelisting rules to reduce false positives for authorized debugging activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:25:53Z","date_published":"2026-07-03T14:25:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-procdump-execution/","summary":"This brief details the detection of Procdump, a legitimate Sysinternals utility, which is frequently abused by attackers for credential dumping from sensitive processes like LSASS, enabling privilege escalation and lateral movement on Windows systems.","title":"Procdump Execution Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-procdump-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Accesschk"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","privilege-escalation","tool-abuse","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries are leveraging the legitimate Microsoft Sysinternals utility \u003ccode\u003eAccesschk.exe\u003c/code\u003e to perform reconnaissance and permission checking on compromised Windows systems. This tool, originally designed for system administrators to audit permissions, is a favored binary for threat actors due to its native capabilities and often being pre-trusted by security solutions. Its abuse enables attackers to quickly identify misconfigurations, weak permissions, or unquoted service paths on files, directories, registry keys, services, and processes. This information is crucial for planning subsequent privilege escalation techniques, allowing an attacker to move from a low-privileged foothold to administrative or system-level access, thereby advancing their objectives such as persistence, lateral movement, or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An attacker gains initial access to a target Windows system, typically through methods like phishing, exploiting a vulnerable service, or compromising credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTool Staging\u003c/strong\u003e: The \u003ccode\u003eAccesschk.exe\u003c/code\u003e utility (or its 64-bit variants like \u003ccode\u003eaccesschk64.exe\u003c/code\u003e) is transferred to the compromised system, often via existing C2 channels, PowerShell, or embedded within a larger malicious payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePermission Discovery\u003c/strong\u003e: The attacker executes \u003ccode\u003eAccesschk.exe\u003c/code\u003e from a command prompt or script using specific flags such as \u003ccode\u003euwcqv\u003c/code\u003e (users with write access to services), \u003ccode\u003ekwsu\u003c/code\u003e (kernel objects, services, users), or \u003ccode\u003euwdqs\u003c/code\u003e (users with write access to directories/shares) to enumerate detailed permissions across various system objects.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOutput Analysis\u003c/strong\u003e: The command output is parsed by the attacker to identify specific misconfigurations or weak access control lists (ACLs) that could be exploited. This might include writable service binaries, DLL hijack paths, or modifiable registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Escalation Paths\u003c/strong\u003e: Based on the gathered permission data, the attacker pinpoints viable privilege escalation vectors, such as services configured to run with SYSTEM privileges but having a writable binary path, or registry keys that control critical system functions and are modifiable by low-privileged users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Planning\u003c/strong\u003e: The attacker formulates a strategy to exploit the identified weaknesses, which could involve replacing legitimate binaries with malicious ones, modifying service parameters, or injecting code into processes to achieve higher privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The attacker executes their chosen method to elevate privileges, often resulting in gaining administrator or SYSTEM-level access on the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Escalation Actions\u003c/strong\u003e: With elevated privileges, the attacker can proceed with further malicious activities, including deploying additional malware, establishing persistence, moving laterally within the network, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of \u003ccode\u003eAccesschk.exe\u003c/code\u003e as part of a privilege escalation chain can lead to full system compromise, allowing attackers to gain complete control over the affected Windows machine. This enables them to bypass security controls, install rootkits, steal credentials, deploy ransomware, or exfiltrate critical intellectual property and sensitive data. While \u003ccode\u003eAccesschk.exe\u003c/code\u003e itself doesn't cause direct damage, its role in uncovering vulnerabilities can directly lead to significant security breaches, financial loss, reputational damage, and operational disruption for affected organizations across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePermission Check Via Accesschk.EXE\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious usage of this utility.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process creation logging is enabled for all Windows endpoints to capture \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eCommandLine\u003c/code\u003e details necessary for the rule \u003ccode\u003ePermission Check Via Accesschk.EXE\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly audit permissions on critical system resources and services to identify and remediate misconfigurations that \u003ccode\u003eAccesschk.exe\u003c/code\u003e could reveal to an attacker.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:25:04Z","date_published":"2026-07-03T14:25:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-accesschk-permission-check/","summary":"Attackers are abusing the legitimate Sysinternals `Accesschk.exe` utility to perform permission discovery on Windows systems, a common step in privilege escalation attacks, allowing them to identify misconfigurations for gaining higher privileges.","title":"Permission Check Via Accesschk.EXE","url":"https://feed.craftedsignal.io/briefs/2026-07-accesschk-permission-check/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Sysinternals ProcDump"],"_cs_severities":["high"],"_cs_tags":["stealth","credential-dumping","sysinternals","evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis intelligence brief addresses the technique of executing renamed Sysinternals ProcDump binaries, a common evasion tactic used by sophisticated threat actors. ProcDump, a legitimate utility from Microsoft Sysinternals, is designed to monitor an application for CPU spikes and generate crash dumps. However, adversaries frequently abuse it to dump the Local Security Authority Subsystem Service (LSASS) process memory, which often contains sensitive credential material. By renaming the \u003ccode\u003eprocdump.exe\u003c/code\u003e or \u003ccode\u003eprocdump64.exe\u003c/code\u003e binary (e.g., to \u003ccode\u003edump.exe\u003c/code\u003e or \u003ccode\u003eservice.exe\u003c/code\u003e), attackers aim to bypass static detections based on file names or hash values, making their activities harder to spot for security defenders. This tactic significantly raises the risk of credential theft, enabling lateral movement and privilege escalation within compromised environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A threat actor gains initial access to a Windows system, often via phishing, exploited vulnerabilities, or RDP brute-forcing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTool Staging\u003c/strong\u003e: The attacker uploads a copy of ProcDump (or another legitimate tool like \u003ccode\u003ecomsvcs.dll\u003c/code\u003e for \u003ccode\u003erundll32.exe\u003c/code\u003e memory dumping) to the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRenaming for Evasion\u003c/strong\u003e: The ProcDump executable is renamed to a seemingly innocuous name (e.g., \u003ccode\u003edump.exe\u003c/code\u003e, \u003ccode\u003eexplorer.exe\u003c/code\u003e, \u003ccode\u003esvchost.exe\u003c/code\u003e, or other names not in the default Sysinternals installation path) to avoid detection by traditional endpoint security solutions that might whitelist or specifically monitor \u003ccode\u003eprocdump.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Dumping\u003c/strong\u003e: The renamed ProcDump executable is launched via the command line to target the \u003ccode\u003elsass.exe\u003c/code\u003e process and create a memory dump. Typical command-line arguments include \u003ccode\u003e-ma\u003c/code\u003e for a full memory dump, or \u003ccode\u003e-mp\u003c/code\u003e for mini plus. The \u003ccode\u003eaccepteula\u003c/code\u003e flag is often used to suppress the license agreement prompt.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration\u003c/strong\u003e: The generated LSASS memory dump file, which may contain NTLM hashes, Kerberos tickets, or clear-text passwords, is compressed or encrypted and exfiltrated from the network to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation\u003c/strong\u003e: The stolen credentials are used for lateral movement to other systems, accessing sensitive resources, or escalating privileges within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to severe organizational impact, including widespread credential theft and unauthorized access across the enterprise network. Compromised credentials allow threat actors to escalate privileges, move laterally to critical systems, bypass multi-factor authentication (if not properly configured), and gain persistence. This often precedes data exfiltration, deployment of ransomware, or other destructive activities, resulting in significant financial losses, operational disruption, and reputational damage. The pervasive nature of credential abuse makes it a high-priority threat for detection engineers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detecting Renamed ProcDump Execution\u0026quot; to your SIEM to identify suspicious ProcDump activity.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process-creation logging is enabled to provide the necessary \u003ccode\u003eOriginalFileName\u003c/code\u003e, \u003ccode\u003eImage\u003c/code\u003e, and \u003ccode\u003eCommandLine\u003c/code\u003e fields for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, especially those involving \u003ccode\u003eOriginalFileName: 'procdump'\u003c/code\u003e where \u003ccode\u003eImage\u003c/code\u003e does not end in \u003ccode\u003e\\procdump.exe\u003c/code\u003e, \u003ccode\u003e\\procdump64.exe\u003c/code\u003e, or \u003ccode\u003e\\procdump64a.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege to limit the ability of non-administrative accounts to execute or rename tools in sensitive directories.\u003c/li\u003e\n\u003cli\u003eRegularly review and harden endpoint security configurations to block or alert on the execution of non-standard binaries in unexpected locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:23:37Z","date_published":"2026-07-03T14:23:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-renamed-procdump-execution/","summary":"This brief focuses on the detection of renamed Sysinternals ProcDump executables, a technique often employed by threat actors to evade security controls and perform credential dumping from LSASS memory on Windows systems, leading to potential lateral movement and privilege escalation.","title":"Detecting Renamed ProcDump Execution for Evasion","url":"https://feed.craftedsignal.io/briefs/2026-07-renamed-procdump-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Sysinternals","version":"https://jsonfeed.org/version/1.1"}