title: False Sysinternals Suite Tools id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9 status: experimental description: Rename as a legitim Sysinternals Suite tools to evade detection references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite author: frack113 date: 2021/12/20 logsource: category: process_creation product: windows detection: selection_exe: Image|endswith: - '\accesschk.exe' - '\accesschk64.exe' - '\AccessEnum.exe' - '\ADExplorer.exe' - '\ADExplorer64.exe' - '\ADInsight.exe' - '\ADInsight64.exe' - '\adrestore.exe' - '\adrestore64.exe' - '\Autologon.exe' - '\Autologon64.exe' - '\Autoruns.exe' - '\Autoruns64.exe' - '\autorunsc.exe' - '\autorunsc64.exe' - '\Bginfo.exe' - '\Bginfo64.exe' - '\Cacheset.exe' - '\Cacheset64.exe' - '\Clockres.exe' - '\Clockres64.exe' - '\Contig.exe' - '\Contig64.exe' - '\Coreinfo.exe' - '\Coreinfo64.exe' - '\CPUSTRES.EXE' - '\CPUSTRES64.EXE' - '\ctrl2cap.exe' - '\Dbgview.exe' - '\dbgview64.exe' - '\Desktops.exe' - '\Desktops64.exe' - '\disk2vhd.exe' - '\disk2vhd64.exe' - '\diskext.exe' - '\diskext64.exe' - '\Diskmon.exe' - '\Diskmon64.exe' - '\DiskView.exe' - '\DiskView64.exe' - '\du.exe' - '\du64.exe' - '\efsdump.exe' - '\FindLinks.exe' - '\FindLinks64.exe' - '\handle.exe' - '\handle64.exe' - '\hex2dec.exe' - '\hex2dec64.exe' - '\junction.exe' - '\junction64.exe' - '\ldmdump.exe' - '\listdlls.exe' - '\listdlls64.exe' - '\livekd.exe' - '\livekd64.exe' - '\loadOrd.exe' - '\loadOrd64.exe' - '\loadOrdC.exe' - '\loadOrdC64.exe' - '\logonsessions.exe' - '\logonsessions64.exe' - '\movefile.exe' - '\movefile64.exe' - '\notmyfault.exe' - '\notmyfault64.exe' - '\notmyfaultc.exe' - '\notmyfaultc64.exe' - '\ntfsinfo.exe' - '\ntfsinfo64.exe' - '\pendmoves.exe' - '\pendmoves64.exe' - '\pipelist.exe' - '\pipelist64.exe' - '\portmon.exe' - '\procdump.exe' - '\procdump64.exe' - '\procexp.exe' - '\procexp64.exe' - '\Procmon.exe' - '\Procmon64.exe' - '\psExec.exe' - '\psExec64.exe' - '\psfile.exe' - '\psfile64.exe' - '\psGetsid.exe' - '\psGetsid64.exe' - '\psInfo.exe' - '\psInfo64.exe' - '\pskill.exe' - '\pskill64.exe' - '\pslist.exe' - '\pslist64.exe' - '\psLoggedon.exe' - '\psLoggedon64.exe' - '\psloglist.exe' - '\psloglist64.exe' - '\pspasswd.exe' - '\pspasswd64.exe' - '\psping.exe' - '\psping64.exe' - '\psService.exe' - '\psService64.exe' - '\psshutdown.exe' - '\psshutdown64.exe' - '\pssuspend.exe' - '\pssuspend64.exe' - '\RAMMap.exe' - '\RDCMan.exe' - '\RegDelNull.exe' - '\RegDelNull64.exe' - '\regjump.exe' - '\ru.exe' - '\ru64.exe' - '\sdelete.exe' - '\sdelete64.exe' - '\ShareEnum.exe' - '\ShareEnum64.exe' - '\shellRunas.exe' - '\sigcheck.exe' - '\sigcheck64.exe' - '\streams.exe' - '\streams64.exe' - '\strings.exe' - '\strings64.exe' - '\sync.exe' - '\sync64.exe' - '\Sysmon.exe' - '\Sysmon64.exe' - '\tcpvcon.exe' - '\tcpvcon64.exe' - '\tcpview.exe' - '\tcpview64.exe' - '\Testlimit.exe' - '\Testlimit64.exe' - '\vmmap.exe' - '\vmmap64.exe' - '\Volumeid.exe' - '\Volumeid64.exe' - '\whois.exe' - '\whois64.exe' - '\Winobj.exe' - '\Winobj64.exe' - '\ZoomIt.exe' - '\ZoomIt64.exe' filter_valid: Company: - 'Sysinternals - www.sysinternals.com' - 'Sysinternals' filter_empty: Company: null condition: selection_exe and not 1 of filter* falsepositives: - Unknown level: medium tags: - attack.execution - attack.defense_evasion - attack.t1218 - attack.t1202