Windows Sysinternals Notes

Here are my notes on the Sysinternals Suite from the point of view of a security analyst/engineer. Many of these tools are used frequently by sysadmins and malicious actors alike. I recommend that security professionals familiarize themselves with these tools due to their prominence.

This page may be updated.

Installing Sysinternals

Everything

Direct link to the newest zip containing everything: https://download.sysinternals.com/files/SysinternalsSuite.zip

Download with PowerShell

Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile SysinternalsSuite.zip
Expand-Archive -Path SysinternalsSuite.zip -DestinationPath C:\Sysinternals

Installing Individual Tools

Each tool has an individual download link:

https://download.sysinternals.com/files/Autoruns.zip

Directory Listing:

https://live.sysinternals.com/

Download links to individual tools with descriptions:

https://github.com/Mogeko/scoop-sysinternals

Documentation

Official Documentation

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Microsoft Win32 API Documentation

Win32 API documentation is useful for developing your own tools and reverse engineering malware.

https://docs.microsoft.com/en-us/windows/win32/

Books

As an Amazon Associate I earn from qualifying purchases.

Troubleshooting with the Windows Sysinternals Tools

Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (Developer Reference)

Windows Internals, Part 2 (Developer Reference)

Useful Tools

Although all of the Sysinternals suite are useful, these are the ones I see and use consistently within the context of security. They are in no particular order.

Many of these tools are used regularly by malicious actors, despite their intended use cases being legitimate. Establishing a baseline of these tools’ usage within your environment provides value. A detection or forensic artifact indicating the use of a Sysinternals tool is neither malicious nor benign. For example, a detection for PsExec being used to spawn a shell as SYSTEM may very well be a true positive and malicious detection. It is just as often used by systems administrators in their day to day workflows.
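Building that baseline is easier with a script than by hand. The following is an added example, not code from the original post or from Sysinternals: it collects the three most common host-side traces of Sysinternals usage so they can be exported and compared over time. It assumes it is run elevated (so other users' registry hives and the Security log are readable), that "Audit Process Creation" is enabled for Security event 4688, and that Sysmon may or may not be installed (its log is simply skipped if absent). The list of tool image names is constructed for the example and should be extended to match what your environment actually ships.

```powershell
# Added example (not from the original post or Sysinternals): inventory the
# artifacts Sysinternals tools leave behind so their normal usage can be baselined.
# Assumes an elevated session; Sysmon and 4688 auditing are optional sources.

# Constructed list of image names to look for in process-creation events.
$SysinternalsTools = @(
    'PsExec.exe', 'PsExec64.exe', 'PSEXESVC.exe', 'procdump.exe', 'procdump64.exe',
    'Autoruns.exe', 'Autoruns64.exe', 'sdelete.exe', 'sdelete64.exe', 'strings.exe',
    'handle.exe', 'handle64.exe', 'procexp.exe', 'procexp64.exe', 'tcpview.exe'
)

function Get-SysinternalsEulaArtifacts {
    # Each tool records EULA acceptance under HKCU\Software\Sysinternals\<Tool>
    # (value EulaAccepted) the first time a user runs it. Walking HKEY_USERS
    # covers every loaded user hive, not just the current one.
    Get-ChildItem -Path 'Registry::HKEY_USERS\*\Software\Sysinternals' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sid = ($_.Name -split '\\')[1]
            $accepted = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).EulaAccepted
            [pscustomobject]@{
                Source = 'Registry'; User = $sid; Tool = $_.PSChildName
                Detail = "EulaAccepted=$accepted"; Time = $null
            }
        }
}

function Get-PsExecServiceInstalls {
    # PsExec installs its PSEXESVC service on the target host; the System log
    # records the installation as Event ID 7045 ("A service was installed").
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'System/7045'; User = $_.UserId; Tool = 'PsExec (PSEXESVC)'
                Detail = ($_.Message -split "`n")[0].Trim(); Time = $_.TimeCreated
            }
        }
}

function Get-SysinternalsProcessCreations {
    param([int]$Days = 30)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = ($SysinternalsTools | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $events  = @()
    # Security 4688 needs "Audit Process Creation"; Sysmon ID 1 needs Sysmon installed.
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Match the image name only when it follows a path separator, to avoid
        # false hits on unrelated text in the message body.
        if ($e.Message -match "(?i)\\($pattern)\b") {
            $line = ($e.Message -split "`n" | Where-Object { $_ -match 'New Process Name|Image:' } | Select-Object -First 1)
            [pscustomobject]@{
                Source = "$($e.LogName)/$($e.Id)"; User = $e.UserId; Tool = $Matches[1]
                Detail = if ($line) { $line.Trim() } else { '' }; Time = $e.TimeCreated
            }
        }
    }
}

# Collect everything, then review or export it as the baseline for this host.
$artifacts = @(Get-SysinternalsEulaArtifacts) + @(Get-PsExecServiceInstalls) + @(Get-SysinternalsProcessCreations -Days 30)
$artifacts | Sort-Object Time | Format-Table -AutoSize
# $artifacts | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-sysinternals-baseline.csv"
```

Run it periodically and diff the CSV exports: a tool that an administrator uses every week is expected noise, while a first-ever EulaAccepted entry for PsExec under a service account, or a PSEXESVC installation on a host where nobody administers remotely, is the kind of deviation worth a closer look.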

AccessChk

AccessChk – Show the accesses the specified user or group has to files, Registry keys, or services.

AccessEnum

AccessEnum – Shows who has what access to directories, files and Registry keys. Use it to find holes in your permissions.

Process Monitor

Process Monitor – Monitor file system, Registry, process, thread and DLL activity in real-time. This is useful for dynamic malware analysis.

MoveFile

MoveFile – Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.

PsTools Suite

PsTools – The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.

PsExec – Execute processes remotely. Commonly used by sysadmins and attackers to elevate to SYSTEM privileges.

PsFile – See what files are opened remotely.

PsKill – Terminate local or remote processes.

PsGetSid – Displays the SID of a computer or a user.

PsLoggedOn – Show users logged on to a system.

PsLogList – Dump event log records.

PsList – Show information about processes and threads.

PsService – View and control services.

PsSuspend – Suspend and resume processes.

PsPasswd – Change passwords.

SDelete

SDelete – Securely overwrites files and free space.

ShareEnum

ShareEnum – Scan file shares on your network and view their security settings to close security holes.

Sigcheck

Sigcheck – Dump file version information and verify that images on your system are digitally signed.

From Sigcheck documentation:

One way to use the tool is to check for unsigned files in your \Windows\System32 directories with this command:

sigcheck -u -e c:\windows\system32

You should investigate the purpose of any files that are not signed.

Sigcheck can also be configured to check samples for hits on VirusTotal.
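Where dropping Sigcheck onto a host is not an option, the same sweep for unsigned images can be done with PowerShell's built-in Get-AuthenticodeSignature. The following is an added example, not from the original post or from the Sigcheck documentation. It assumes an elevated session (some System32 files are not readable otherwise) and a current Windows version, on which the cmdlet also honours catalog signatures; on older systems, catalog-signed OS files can show up as NotSigned and need a second look rather than immediate alarm.

```powershell
# Added example (not from the original post or Sigcheck): a native equivalent of
#   sigcheck -u -e c:\windows\system32
# that lists executable images whose Authenticode signature is not Valid.
# Assumes an elevated session. Approximates Sigcheck's -e by extension.
function Find-UnsignedImages {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        [switch]$Recurse
    )
    $imageExtensions = '.exe', '.dll', '.sys', '.ocx', '.cpl', '.scr', '.drv'

    Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $imageExtensions } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Status is Valid for a good embedded or catalog signature; anything else
            # (NotSigned, HashMismatch, NotTrusted, UnknownError) is worth investigating.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    # SHA256 lets the finding be cross-checked later (e.g. against VirusTotal).
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Usage: sweep System32 (non-recursive, like the Sigcheck command above) and save the results.
Find-UnsignedImages | Format-Table -AutoSize
# Find-UnsignedImages -Recurse | Export-Csv -NoTypeInformation -Path unsigned-images.csv
```

A HashMismatch result deserves more attention than NotSigned: it means the file carries a signature that no longer matches its contents, which is what a patched or tampered binary looks like.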

Streams

Streams – Enumerate NTFS alternate data streams (ADS).

Malware can hide in ADS. Some browsers and email clients create Zone.Identifier streams to store metadata about a file’s origin.
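PowerShell can enumerate and read alternate data streams natively through the -Stream parameter on the filesystem cmdlets (Windows PowerShell 3 and later), which is useful when Streams is not on the box. The following is an added example, not from the original post or from the Streams tool. It writes a constructed sample file with two extra streams into $env:TEMP so the scan has something to report, then removes it.

```powershell
# Added example (not from the original post or Streams): find files carrying
# alternate data streams and flag anything beyond the expected Zone.Identifier.
function Find-AlternateDataStreams {
    param([string]$Path, [switch]$Recurse)
    Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Zone.Identifier is the Mark-of-the-Web written by browsers and mail
                        # clients; any other named stream should be read and explained.
                        Note   = if ($_.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web' } else { 'Review contents' }
                    }
                }
        }
}

# Constructed sample: a text file with a Zone.Identifier stream (ZoneId=3 is the
# Internet zone) and a second, arbitrarily named stream.
$sample = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $sample -Value 'primary stream'
Set-Content -Path $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -Path $sample -Stream 'hidden.txt' -Value 'data in an alternate stream'

Find-AlternateDataStreams -Path $env:TEMP | Format-Table -AutoSize

# Read a stream's contents before deciding what to do with it.
Get-Content -Path $sample -Stream 'Zone.Identifier'
Get-Content -Path $sample -Stream 'hidden.txt'

# Remove a single unwanted stream (Unblock-File only strips Zone.Identifier), then clean up.
Remove-Item -Path $sample -Stream 'hidden.txt'
Remove-Item -Path $sample
```

Point the function at user profile directories or a download folder with -Recurse to get the same view Streams gives, but as objects that can be filtered and exported.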

AD Explorer

AD Explorer – GUI Active Directory (AD) viewer and editor.

TCPView

TCPView – Active socket command-line viewer.

Whois

Whois – See who owns an Internet address. This is similar to the whois utility found on Linux, MacOS, and others.

Autoruns

Autoruns – See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

Autoruns can be used to find persistence placed by malware or an attacker.
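Autoruns covers far more locations than can be reproduced in a few lines, but a script that walks the most common ones and records the signature status of each target makes it easy to diff a host against a known-good baseline. The following is an added example, not from the original post or from Autoruns itself. It assumes an elevated session so that HKLM, the all-users startup folder, every scheduled task and all services are readable; the hypothetical Resolve-ImagePath helper is a best-effort parser that returns the first executable in a command line (so a rundll32.exe entry resolves to rundll32.exe, and the DLL argument still has to be reviewed by hand).

```powershell
# Added example (not from the original post or Autoruns): a small auto-start
# sweep of Run keys, startup folders, scheduled tasks and services, with the
# Authenticode status of each target attached. Assumes an elevated session.

function Resolve-ImagePath {
    # Hypothetical helper: pull the executable path out of a command line,
    # handling quoted paths, bare paths with arguments and %VAR% references.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command)
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(\S+\.(exe|dll|sys|cmd|bat|ps1|vbs|js))') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutoStartEntries {
    $results = [System.Collections.Generic.List[object]]::new()

    # Classic Run/RunOnce keys for the machine, the 32-bit view and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { $results.Add([pscustomobject]@{ Location = $key; Name = $_.Name; Command = [string]$_.Value }) }
    }

    # Per-user and all-users Startup folders.
    foreach ($dir in @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                       "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $results.Add([pscustomobject]@{ Location = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }) }
    }

    # Enabled scheduled tasks outside the Microsoft-shipped \Microsoft\ tree.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if ($a.Execute) {
                    $results.Add([pscustomobject]@{ Location = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = "$($a.Execute) $($a.Arguments)".Trim() })
                }
            }
        }

    # Services whose binary lives outside the Windows directory.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike "$env:SystemRoot\*" -and $_.PathName -notlike "`"$env:SystemRoot\*" } |
        ForEach-Object { $results.Add([pscustomobject]@{ Location = 'Service'; Name = $_.Name; Command = $_.PathName }) }

    # Resolve each entry to an image and attach its signature status.
    foreach ($r in $results) {
        $exe = Resolve-ImagePath $r.Command
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'NotFound' }
        $r | Add-Member -NotePropertyName Image -NotePropertyValue $exe
        $r | Add-Member -NotePropertyName Signature -NotePropertyValue $sig
    }
    $results
}

# Usage: take a baseline once, then compare later runs against it.
Get-AutoStartEntries | Sort-Object Location, Name | Format-Table -AutoSize
# Get-AutoStartEntries | Export-Csv -NoTypeInformation -Path autostart-baseline.csv
# Compare-Object (Import-Csv autostart-baseline.csv) (Get-AutoStartEntries) -Property Location, Name, Command
```

Entries that are new since the baseline, whose image is NotFound (the file was deleted but the hook remains), or whose signature is not Valid are the ones to open in Autoruns for the full context of the location and its history.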

Handle

Handle – Enumerate what files are open by which processes, and much more. Also lets you close handles opened by an arbitrary process.

ListDLLs

ListDLLs – List all the DLLs that are currently loaded, including where they are loaded and their version numbers.

Process Explorer

Process Explorer – Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more.

The Control-Alt-Delete shortcut to launch Task Manager is often replaced with Process Explorer or Process Hacker.

Rootkit Revealer

Rootkit Revealer – RootkitRevealer is an advanced rootkit detection utility.

ShellRunas

ShellRunas – Launch programs as a different user via a convenient shell context-menu entry.

LogonSessions

LogonSessions – List active logon sessions.

Sysmon

Sysmon – Monitors and reports key system activity via the Windows event log. This tool is very powerful and can easily have a book’s worth of material written about its usage.

Strings

Strings – Search for ANSI and UNICODE strings in binary images. Similar to strings provided by binutils on Linux.
