<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tool-Abuse - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/tool-abuse/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 14:28:11 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/tool-abuse/feed.xml" rel="self" type="application/rss+xml"/><item><title>Abuse of Microsoft Sysinternals PsSuspend Utility</title><link>https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/</link><pubDate>Fri, 03 Jul 2026 14:28:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend/</guid><description>Unidentified threat actors may leverage the legitimate Microsoft Sysinternals PsSuspend utility to suspend critical processes on Windows systems, enabling evasion of security controls or disruption of operations.</description><content:encoded><![CDATA[<p>The Microsoft Sysinternals PsSuspend utility, a legitimate command-line tool, allows administrators to suspend and resume processes on local or remote Windows systems. While designed for troubleshooting and system management, its capabilities can be abused by threat actors to halt critical security software, database services, or other essential applications, thereby disrupting operations or facilitating malicious activities like data exfiltration or ransomware deployment. This brief focuses on the detection of PsSuspend's execution as an indicator of potential abuse. The source material does not detail a specific attack campaign or actor, but highlights the tool's potential for misuse within a broader attack chain to achieve objectives like evasion, persistence, or denial of service.</p>
<h2 id="impact">Impact</h2>
<p>The successful abuse of PsSuspend can lead to significant operational disruption and security breaches. By suspending essential processes, attackers can disable endpoint detection and response (EDR) agents, anti-virus software, and other security controls, allowing them to operate undetected. It can also be used to pause critical business applications, leading to denial of service, data inconsistencies, or creating windows of opportunity for data exfiltration before legitimate processes can react. The impact could range from temporary service outages to complete system compromise if security tools are effectively bypassed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging (e.g., via Sysmon) on all Windows endpoints to ensure the <code>process_creation</code> log source is available.</li>
<li>Deploy the &quot;Sysinternals PsSuspend Execution&quot; Sigma rule to your SIEM for detecting PsSuspend usage.</li>
<li>Monitor for process suspensions that are not part of approved administrative tasks.</li>
<li>Implement application whitelisting or strict controls over the execution of Sysinternals tools on sensitive systems.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>sysinternals</category><category>living-off-the-land</category><category>process-manipulation</category><category>windows</category><category>tool-abuse</category></item><item><title>Permission Check Via Accesschk.EXE</title><link>https://feed.craftedsignal.io/briefs/2026-07-accesschk-permission-check/</link><pubDate>Fri, 03 Jul 2026 14:25:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-accesschk-permission-check/</guid><description>Attackers are abusing the legitimate Sysinternals `Accesschk.exe` utility to perform permission discovery on Windows systems, a common step in privilege escalation attacks, allowing them to identify misconfigurations for gaining higher privileges.</description><content:encoded><![CDATA[<p>Adversaries are leveraging the legitimate Microsoft Sysinternals utility <code>Accesschk.exe</code> to perform reconnaissance and permission checking on compromised Windows systems. This tool, originally designed for system administrators to audit permissions, is a favored binary for threat actors due to its native capabilities and often being pre-trusted by security solutions. Its abuse enables attackers to quickly identify misconfigurations, weak permissions, or unquoted service paths on files, directories, registry keys, services, and processes. This information is crucial for planning subsequent privilege escalation techniques, allowing an attacker to move from a low-privileged foothold to administrative or system-level access, thereby advancing their objectives such as persistence, lateral movement, or data exfiltration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise</strong>: An attacker gains initial access to a target Windows system, typically through methods like phishing, exploiting a vulnerable service, or compromising credentials.</li>
<li><strong>Tool Staging</strong>: The <code>Accesschk.exe</code> utility (or its 64-bit variants like <code>accesschk64.exe</code>) is transferred to the compromised system, often via existing C2 channels, PowerShell, or embedded within a larger malicious payload.</li>
<li><strong>Permission Discovery</strong>: The attacker executes <code>Accesschk.exe</code> from a command prompt or script using specific flags such as <code>uwcqv</code> (users with write access to services), <code>kwsu</code> (kernel objects, services, users), or <code>uwdqs</code> (users with write access to directories/shares) to enumerate detailed permissions across various system objects.</li>
<li><strong>Output Analysis</strong>: The command output is parsed by the attacker to identify specific misconfigurations or weak access control lists (ACLs) that could be exploited. This might include writable service binaries, DLL hijack paths, or modifiable registry keys.</li>
<li><strong>Identify Escalation Paths</strong>: Based on the gathered permission data, the attacker pinpoints viable privilege escalation vectors, such as services configured to run with SYSTEM privileges but having a writable binary path, or registry keys that control critical system functions and are modifiable by low-privileged users.</li>
<li><strong>Exploitation Planning</strong>: The attacker formulates a strategy to exploit the identified weaknesses, which could involve replacing legitimate binaries with malicious ones, modifying service parameters, or injecting code into processes to achieve higher privileges.</li>
<li><strong>Privilege Escalation</strong>: The attacker executes their chosen method to elevate privileges, often resulting in gaining administrator or SYSTEM-level access on the compromised host.</li>
<li><strong>Post-Escalation Actions</strong>: With elevated privileges, the attacker can proceed with further malicious activities, including deploying additional malware, establishing persistence, moving laterally within the network, or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful abuse of <code>Accesschk.exe</code> as part of a privilege escalation chain can lead to full system compromise, allowing attackers to gain complete control over the affected Windows machine. This enables them to bypass security controls, install rootkits, steal credentials, deploy ransomware, or exfiltrate critical intellectual property and sensitive data. While <code>Accesschk.exe</code> itself doesn't cause direct damage, its role in uncovering vulnerabilities can directly lead to significant security breaches, financial loss, reputational damage, and operational disruption for affected organizations across all sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Permission Check Via Accesschk.EXE</code> to your SIEM and tune for your environment to detect suspicious usage of this utility.</li>
<li>Ensure Sysmon process creation logging is enabled for all Windows endpoints to capture <code>Image</code> and <code>CommandLine</code> details necessary for the rule <code>Permission Check Via Accesschk.EXE</code>.</li>
<li>Regularly audit permissions on critical system resources and services to identify and remediate misconfigurations that <code>Accesschk.exe</code> could reveal to an attacker.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>sysinternals</category><category>privilege-escalation</category><category>tool-abuse</category><category>discovery</category><category>windows</category></item></channel></rss>