{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tool-abuse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsSuspend"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","living-off-the-land","process-manipulation","windows","tool-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Sysinternals PsSuspend utility, a legitimate command-line tool, allows administrators to suspend and resume processes on local or remote Windows systems. While designed for troubleshooting and system management, its capabilities can be abused by threat actors to halt critical security software, database services, or other essential applications, thereby disrupting operations or facilitating malicious activities like data exfiltration or ransomware deployment. This brief focuses on the detection of PsSuspend's execution as an indicator of potential abuse. The source material does not detail a specific attack campaign or actor, but highlights the tool's potential for misuse within a broader attack chain to achieve objectives like evasion, persistence, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful abuse of PsSuspend can lead to significant operational disruption and security breaches. By suspending essential processes, attackers can disable endpoint detection and response (EDR) agents, anti-virus software, and other security controls, allowing them to operate undetected. It can also be used to pause critical business applications, leading to denial of service, data inconsistencies, or creating windows of opportunity for data exfiltration before legitimate processes can react. The impact could range from temporary service outages to complete system compromise if security tools are effectively bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (e.g., via Sysmon) on all Windows endpoints to ensure the \u003ccode\u003eprocess_creation\u003c/code\u003e log source is available.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Sysinternals PsSuspend Execution\u0026quot; Sigma rule to your SIEM for detecting PsSuspend usage.\u003c/li\u003e\n\u003cli\u003eMonitor for process suspensions that are not part of approved administrative tasks.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting or strict controls over the execution of Sysinternals tools on sensitive systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:28:11Z","date_published":"2026-07-03T14:28:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/","summary":"Unidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.","title":"Abuse of Microsoft Sysinternals PsSuspend Utility","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Accesschk"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","privilege-escalation","tool-abuse","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries are leveraging the legitimate Microsoft Sysinternals utility \u003ccode\u003eAccesschk.exe\u003c/code\u003e to perform reconnaissance and permission checking on compromised Windows systems. This tool, originally designed for system administrators to audit permissions, is a favored binary for threat actors due to its native capabilities and often being pre-trusted by security solutions. Its abuse enables attackers to quickly identify misconfigurations, weak permissions, or unquoted service paths on files, directories, registry keys, services, and processes. This information is crucial for planning subsequent privilege escalation techniques, allowing an attacker to move from a low-privileged foothold to administrative or system-level access, thereby advancing their objectives such as persistence, lateral movement, or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An attacker gains initial access to a target Windows system, typically through methods like phishing, exploiting a vulnerable service, or compromising credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTool Staging\u003c/strong\u003e: The \u003ccode\u003eAccesschk.exe\u003c/code\u003e utility (or its 64-bit variants like \u003ccode\u003eaccesschk64.exe\u003c/code\u003e) is transferred to the compromised system, often via existing C2 channels, PowerShell, or embedded within a larger malicious payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePermission Discovery\u003c/strong\u003e: The attacker executes \u003ccode\u003eAccesschk.exe\u003c/code\u003e from a command prompt or script using specific flags such as \u003ccode\u003euwcqv\u003c/code\u003e (users with write access to services), \u003ccode\u003ekwsu\u003c/code\u003e (kernel objects, services, users), or \u003ccode\u003euwdqs\u003c/code\u003e (users with write access to directories/shares) to enumerate detailed permissions across various system objects.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOutput Analysis\u003c/strong\u003e: The command output is parsed by the attacker to identify specific misconfigurations or weak access control lists (ACLs) that could be exploited. This might include writable service binaries, DLL hijack paths, or modifiable registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Escalation Paths\u003c/strong\u003e: Based on the gathered permission data, the attacker pinpoints viable privilege escalation vectors, such as services configured to run with SYSTEM privileges but having a writable binary path, or registry keys that control critical system functions and are modifiable by low-privileged users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Planning\u003c/strong\u003e: The attacker formulates a strategy to exploit the identified weaknesses, which could involve replacing legitimate binaries with malicious ones, modifying service parameters, or injecting code into processes to achieve higher privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The attacker executes their chosen method to elevate privileges, often resulting in gaining administrator or SYSTEM-level access on the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Escalation Actions\u003c/strong\u003e: With elevated privileges, the attacker can proceed with further malicious activities, including deploying additional malware, establishing persistence, moving laterally within the network, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of \u003ccode\u003eAccesschk.exe\u003c/code\u003e as part of a privilege escalation chain can lead to full system compromise, allowing attackers to gain complete control over the affected Windows machine. This enables them to bypass security controls, install rootkits, steal credentials, deploy ransomware, or exfiltrate critical intellectual property and sensitive data. While \u003ccode\u003eAccesschk.exe\u003c/code\u003e itself doesn't cause direct damage, its role in uncovering vulnerabilities can directly lead to significant security breaches, financial loss, reputational damage, and operational disruption for affected organizations across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePermission Check Via Accesschk.EXE\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious usage of this utility.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process creation logging is enabled for all Windows endpoints to capture \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eCommandLine\u003c/code\u003e details necessary for the rule \u003ccode\u003ePermission Check Via Accesschk.EXE\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly audit permissions on critical system resources and services to identify and remediate misconfigurations that \u003ccode\u003eAccesschk.exe\u003c/code\u003e could reveal to an attacker.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:25:04Z","date_published":"2026-07-03T14:25:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-accesschk-permission-check/","summary":"Attackers are abusing the legitimate Sysinternals `Accesschk.exe` utility to perform permission discovery on Windows systems, a common step in privilege escalation attacks, allowing them to identify misconfigurations for gaining higher privileges.","title":"Permission Check Via Accesschk.EXE","url":"https://feed.craftedsignal.io/briefs/2026-07-accesschk-permission-check/"}],"language":"en","title":"CraftedSignal Threat Feed - Tool-Abuse","version":"https://jsonfeed.org/version/1.1"}