Windows Sysinternals

Windows Sysinternals is a set of advanced system utilities, now maintained by Microsoft, that help IT professionals manage, troubleshoot, and diagnose the Windows operating system at a level the built-in tools do not reach.

The Sysinternals Suite includes:

  • Disk management

  • Process management

  • Networking tools

  • System information

  • Security tools

Built-in and Sysinternals tools are helpful to system administrators, but they are also used by attackers, malware developers, and pentesters, because the binaries are signed by Microsoft and therefore trusted, and often allowlisted, within the operating system.

Because adversaries and malware authors now use these tools routinely, blue teams know the common abuses and have built detection and blocking controls for many of them; running a Sysinternals binary on a monitored host should be assumed to be logged.

Resources

Counter moves

Sysinternals tools are Microsoft-signed and often allowlisted, which is exactly why they get abused: a valid signature says who built the binary, not whether the action is legitimate. The counters are to log process creation with full command lines (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled), alert on the tools' known offensive invocations and on renamed copies, and restrict where they may run with application control such as AppLocker or WDAC. Seen from the other side, this sits in the blue notes on plausibility as cover.
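The monitoring counter above, as an added example that is not part of the original note or of the Sysinternals suite: a small triage routine run over constructed Sysmon Event ID 1 (process create) records. It flags any signed Sysinternals binary, raises severity on command lines with well-known offensive uses (an LSASS dump, remote execution as SYSTEM, the EULA prompt suppressed) and on copies renamed on disk, and still catches the common tool names when the signature fields are missing, as in a Security 4688 record. The sample records are constructed; the Company string is the CompanyName the signed binaries carry in their version info as Sysmon reports it, but the OriginalFileName values are assumptions and both should be checked against real logs from the tool versions in use before the rules go into production.

```python
"""Flag Sysinternals tool executions in Sysmon Event ID 1 records.

Added example, not code from the Sysinternals suite or the original note.
The records below are constructed; the OriginalFileName values are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# CompanyName from the signed binaries' version info, as Sysmon reports it (verify in your logs)
SYSINTERNALS_COMPANY = "Sysinternals - www.sysinternals.com"

# Tool names (without .exe) worth attention even when signature fields are absent,
# e.g. in a Security 4688 record that carries only the image path and command line.
WATCHED_TOOLS = {"psexec", "psexec64", "psexesvc", "procdump", "procdump64",
                 "sdelete", "sdelete64", "accesschk", "accesschk64"}

# (label, pattern) pairs for command lines with well-known offensive uses
SUSPICIOUS_CMDLINE = [
    ("lsass memory dump", re.compile(r"\blsass(\.exe)?\b", re.I)),    # procdump -ma lsass.exe
    ("remote exec as SYSTEM", re.compile(r"\\\\\S+.*\s-s\b", re.I)),  # psexec \\host -s ...
    ("EULA prompt suppressed", re.compile(r"-accepteula\b", re.I)),   # avoids the HKCU EulaAccepted artifact
]


@dataclass
class Finding:
    image: str      # file name the process ran under (no directory, no .exe)
    tool: str       # the tool it really is, taken from OriginalFileName when present
    severity: str   # "high" when any suspicious indicator fires, else "info"
    reasons: list


def _stem(path: str) -> str:
    """Lower-case file name without directory or .exe suffix."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(event: dict) -> Finding | None:
    image = _stem(event.get("Image", ""))
    original = _stem(event.get("OriginalFileName", ""))
    company = event.get("Company", "")
    cmdline = event.get("CommandLine", "")

    signed_sysinternals = company == SYSINTERNALS_COMPANY
    if not signed_sysinternals and image not in WATCHED_TOOLS and original not in WATCHED_TOOLS:
        return None

    tool = original or image
    reasons = []
    # A renamed copy (e.g. PsExec dropped as svchost.exe) keeps its internal name
    if original and original != image:
        reasons.append(f"renamed binary: on disk as {image}, internally {original}")
    for label, pattern in SUSPICIOUS_CMDLINE:
        if pattern.search(cmdline):
            reasons.append(label)
    severity = "high" if reasons else "info"
    return Finding(image=image, tool=tool, severity=severity, reasons=reasons)


def triage(events: list[dict]) -> list[Finding]:
    """Return a Finding for every Sysinternals execution, in log order."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed Sysmon Event ID 1 records (subset of fields)
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procexp64.exe", "OriginalFileName": "procexp64.exe",
     "Company": SYSINTERNALS_COMPANY, "CommandLine": r'"C:\Tools\procexp64.exe"'},
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump64.exe",
     "Company": SYSINTERNALS_COMPANY,
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "PsExec.exe",
     "Company": SYSINTERNALS_COMPANY,
     "CommandLine": r"PsExec.exe \\srv01 -s -d cmd.exe /c whoami"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "PsExec.exe",
     "Company": SYSINTERNALS_COMPANY, "CommandLine": r"svchost.exe \\dc01 -s cmd"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Company": "Microsoft Corporation", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.severity.upper(), f.tool, f.image,
              "; ".join(f.reasons) or "no suspicious indicator")
```

The "info" findings are deliberately kept rather than dropped: an administrator opening Process Explorer is normal, but the same binary appearing on a workstation that never sees admin tooling is the kind of context a SIEM rule layers on top. The rename check is the one that catches attackers who avoid the obvious names, and it only works when the logging source records OriginalFileName, which is why Sysmon is preferred over bare 4688 events here.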