# Sigma detection rule (logsource: process_creation / windows).
# The condition below alerts on any process whose image file name matches a
# Sysinternals tool name, unless the event's Company/Product metadata
# identifies it as a Sysinternals build, or that metadata is absent altogether.
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: |
    Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
    This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
    Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2025-04-12
tags:
    - attack.execution
    # NOTE(review): 'attack.stealth' is not one of the ATT&CK tactic names used by the
    # Sigma tag taxonomy (the tactic that covers T1036.005 is defense evasion) - confirm
    # against the tag specification before relying on tactic-based routing.
    - attack.stealth
    - attack.t1218
    - attack.t1202
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    # x86/x64 Sysinternals image names. The leading backslash anchors the match to the
    # whole file name, so e.g. '\du.exe' does not match 'foodu.exe'. Sigma string
    # matching is case-insensitive by default, so the mixed casing here is cosmetic.
    selection_exe:
        Image|endswith:
            - '\accesschk.exe'
            - '\accesschk64.exe'
            - '\AccessEnum.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADInsight.exe'
            - '\ADInsight64.exe'
            - '\adrestore.exe'
            - '\adrestore64.exe'
            - '\Autologon.exe'
            - '\Autologon64.exe'
            - '\Autoruns.exe'
            - '\Autoruns64.exe'
            - '\autorunsc.exe'
            - '\autorunsc64.exe'
            - '\Bginfo.exe'
            - '\Bginfo64.exe'
            - '\Cacheset.exe'
            - '\Cacheset64.exe'
            - '\Clockres.exe'
            - '\Clockres64.exe'
            - '\Contig.exe'
            - '\Contig64.exe'
            - '\Coreinfo.exe'
            - '\Coreinfo64.exe'
            - '\CPUSTRES.EXE'
            - '\CPUSTRES64.EXE'
            - '\ctrl2cap.exe'
            - '\Dbgview.exe'
            - '\dbgview64.exe'
            - '\Desktops.exe'
            - '\Desktops64.exe'
            - '\disk2vhd.exe'
            - '\disk2vhd64.exe'
            - '\diskext.exe'
            - '\diskext64.exe'
            - '\Diskmon.exe'
            - '\Diskmon64.exe'
            - '\DiskView.exe'
            - '\DiskView64.exe'
            - '\du.exe'
            - '\du64.exe'
            - '\efsdump.exe'
            - '\FindLinks.exe'
            - '\FindLinks64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\hex2dec.exe'
            - '\hex2dec64.exe'
            - '\junction.exe'
            - '\junction64.exe'
            - '\ldmdump.exe'
            - '\listdlls.exe'
            - '\listdlls64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\loadOrd.exe'
            - '\loadOrd64.exe'
            - '\loadOrdC.exe'
            - '\loadOrdC64.exe'
            - '\logonsessions.exe'
            - '\logonsessions64.exe'
            - '\movefile.exe'
            - '\movefile64.exe'
            - '\notmyfault.exe'
            - '\notmyfault64.exe'
            - '\notmyfaultc.exe'
            - '\notmyfaultc64.exe'
            - '\ntfsinfo.exe'
            - '\ntfsinfo64.exe'
            - '\pendmoves.exe'
            - '\pendmoves64.exe'
            - '\pipelist.exe'
            - '\pipelist64.exe'
            - '\portmon.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\Procmon.exe'
            - '\Procmon64.exe'
            - '\psExec.exe'
            - '\psExec64.exe'
            - '\psfile.exe'
            - '\psfile64.exe'
            - '\psGetsid.exe'
            - '\psGetsid64.exe'
            - '\psInfo.exe'
            - '\psInfo64.exe'
            - '\pskill.exe'
            - '\pskill64.exe'
            - '\pslist.exe'
            - '\pslist64.exe'
            - '\psLoggedon.exe'
            - '\psLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\psping.exe'
            - '\psping64.exe'
            - '\psService.exe'
            - '\psService64.exe'
            - '\psshutdown.exe'
            - '\psshutdown64.exe'
            - '\pssuspend.exe'
            - '\pssuspend64.exe'
            - '\RAMMap.exe'
            - '\RAMMap64.exe'
            - '\RDCMan.exe'
            - '\RegDelNull.exe'
            - '\RegDelNull64.exe'
            - '\regjump.exe'
            - '\ru.exe'
            - '\ru64.exe'
            - '\sdelete.exe'
            - '\sdelete64.exe'
            - '\ShareEnum.exe'
            - '\ShareEnum64.exe'
            - '\shellRunas.exe'
            - '\sigcheck.exe'
            - '\sigcheck64.exe'
            - '\streams.exe'
            - '\streams64.exe'
            - '\strings.exe'
            - '\strings64.exe'
            - '\sync.exe'
            - '\sync64.exe'
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
            - '\tcpvcon.exe'
            - '\tcpvcon64.exe'
            - '\tcpview.exe'
            - '\tcpview64.exe'
            - '\Testlimit.exe'
            - '\Testlimit64.exe'
            - '\vmmap.exe'
            - '\vmmap64.exe'
            - '\Volumeid.exe'
            - '\Volumeid64.exe'
            - '\whois.exe'
            - '\whois64.exe'
            - '\Winobj.exe'
            - '\Winobj64.exe'
            - '\ZoomIt.exe'
            - '\ZoomIt64.exe'
    # ARM64 builds of the same tools; these carry a '64a' suffix.
    selection_arm64:
        Image|endswith:
            - '\accesschk64a.exe'
            - '\ADExplorer64a.exe'
            - '\ADInsight64a.exe'
            - '\adrestore64a.exe'
            - '\Autologon64a.exe'
            - '\Autoruns64a.exe'
            - '\autorunsc64a.exe'
            - '\Clockres64a.exe'
            - '\Contig64a.exe'
            - '\Coreinfo64a.exe'
            - '\Dbgview64a.exe'
            - '\disk2vhd64a.exe'
            - '\diskext64a.exe'
            - '\DiskView64a.exe'
            - '\du64a.exe'
            - '\FindLinks64a.exe'
            - '\handle64a.exe'
            - '\hex2dec64a.exe'
            - '\junction64a.exe'
            - '\LoadOrd64a.exe'
            - '\LoadOrdC64a.exe'
            - '\logonsessions64a.exe'
            - '\movefile64a.exe'
            - '\notmyfault64a.exe'
            - '\notmyfaultc64a.exe'
            - '\pendmoves64a.exe'
            - '\pipelist64a.exe'
            - '\procdump64a.exe'
            - '\procexp64a.exe'
            - '\Procmon64a.exe'
            - '\PsExec64a.exe'
            - '\psfile64a.exe'
            - '\PsGetsid64a.exe'
            - '\PsInfo64a.exe'
            - '\pskill64a.exe'
            - '\psloglist64a.exe'
            - '\pspasswd64a.exe'
            - '\psping64a.exe'
            - '\PsService64a.exe'
            - '\pssuspend64a.exe'
            - '\RAMMap64a.exe'
            - '\RegDelNull64a.exe'
            - '\ru64a.exe'
            - '\sdelete64a.exe'
            - '\sigcheck64a.exe'
            - '\streams64a.exe'
            - '\strings64a.exe'
            - '\sync64a.exe'
            - '\Sysmon64a.exe'
            - '\tcpvcon64a.exe'
            - '\tcpview64a.exe'
            - '\vmmap64a.exe'
            - '\whois64a.exe'
            - '\Winobj64a.exe'
            - '\ZoomIt64a.exe'
    # Suppress events whose Company/Product metadata identifies a Sysinternals build.
    # Presumably these fields are read from the image's own version resource, which is
    # author-controlled, so this is a noise filter rather than an authenticity check;
    # where the log source also carries code-signing information, that is the stronger
    # signal to pair this rule with.
    filter_valid:
        - Company:
              - 'Sysinternals - www.sysinternals.com'
              - 'Sysinternals'
        - Product|startswith: 'Sysinternals'
    # Suppress events where either field is missing. This keeps the rule quiet on log
    # sources that do not populate Company/Product at all, but it is also a blind spot:
    # an image whose Company or Product comes through empty (e.g. one carrying no
    # version metadata) is never flagged by this rule.
    filter_empty:
        - Company: null
        - Product: null
    # Fire when either selection matches and neither filter matches.
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
// Sentinel/KQL translation of Sigma rule 7cce6fc8-a07f-4d84-a53e-96e1879843c9
// ("Potential Binary Impersonating Sysinternals Tools") over the imProcessCreate parser.
//
// Structure: (x86/x64 name list OR arm64 '64a' name list) AND NOT (Company/Product
// identify a Sysinternals build OR Company/Product is null).
//
// KQL `endswith`, `in~` and `startswith` are case-insensitive (the `_cs` variants are
// the case-sensitive forms), which matches Sigma's default matching; the mixed casing
// of the literals is therefore cosmetic. The leading "\\" anchors each match to the
// whole file name, so "\\du.exe" does not match "foodu.exe".
//
// NOTE(review): the null check mirrors the Sigma `Company: null` / `Product: null`
// filter. If this parser yields empty strings rather than nulls for unpopulated
// fields, `isnull()` will not match them and the intended suppression is lost;
// `isempty()` covers both cases - confirm against the connector's actual output.
// As in the Sigma rule, an event with no Company/Product metadata is suppressed,
// which is a deliberate noise trade-off and a known blind spot.
imProcessCreate
| where (
    (TargetProcessName endswith "\\accesschk.exe"
    or TargetProcessName endswith "\\accesschk64.exe"
    or TargetProcessName endswith "\\AccessEnum.exe"
    or TargetProcessName endswith "\\ADExplorer.exe"
    or TargetProcessName endswith "\\ADExplorer64.exe"
    or TargetProcessName endswith "\\ADInsight.exe"
    or TargetProcessName endswith "\\ADInsight64.exe"
    or TargetProcessName endswith "\\adrestore.exe"
    or TargetProcessName endswith "\\adrestore64.exe"
    or TargetProcessName endswith "\\Autologon.exe"
    or TargetProcessName endswith "\\Autologon64.exe"
    or TargetProcessName endswith "\\Autoruns.exe"
    or TargetProcessName endswith "\\Autoruns64.exe"
    or TargetProcessName endswith "\\autorunsc.exe"
    or TargetProcessName endswith "\\autorunsc64.exe"
    or TargetProcessName endswith "\\Bginfo.exe"
    or TargetProcessName endswith "\\Bginfo64.exe"
    or TargetProcessName endswith "\\Cacheset.exe"
    or TargetProcessName endswith "\\Cacheset64.exe"
    or TargetProcessName endswith "\\Clockres.exe"
    or TargetProcessName endswith "\\Clockres64.exe"
    or TargetProcessName endswith "\\Contig.exe"
    or TargetProcessName endswith "\\Contig64.exe"
    or TargetProcessName endswith "\\Coreinfo.exe"
    or TargetProcessName endswith "\\Coreinfo64.exe"
    or TargetProcessName endswith "\\CPUSTRES.EXE"
    or TargetProcessName endswith "\\CPUSTRES64.EXE"
    or TargetProcessName endswith "\\ctrl2cap.exe"
    or TargetProcessName endswith "\\Dbgview.exe"
    or TargetProcessName endswith "\\dbgview64.exe"
    or TargetProcessName endswith "\\Desktops.exe"
    or TargetProcessName endswith "\\Desktops64.exe"
    or TargetProcessName endswith "\\disk2vhd.exe"
    or TargetProcessName endswith "\\disk2vhd64.exe"
    or TargetProcessName endswith "\\diskext.exe"
    or TargetProcessName endswith "\\diskext64.exe"
    or TargetProcessName endswith "\\Diskmon.exe"
    or TargetProcessName endswith "\\Diskmon64.exe"
    or TargetProcessName endswith "\\DiskView.exe"
    or TargetProcessName endswith "\\DiskView64.exe"
    or TargetProcessName endswith "\\du.exe"
    or TargetProcessName endswith "\\du64.exe"
    or TargetProcessName endswith "\\efsdump.exe"
    or TargetProcessName endswith "\\FindLinks.exe"
    or TargetProcessName endswith "\\FindLinks64.exe"
    or TargetProcessName endswith "\\handle.exe"
    or TargetProcessName endswith "\\handle64.exe"
    or TargetProcessName endswith "\\hex2dec.exe"
    or TargetProcessName endswith "\\hex2dec64.exe"
    or TargetProcessName endswith "\\junction.exe"
    or TargetProcessName endswith "\\junction64.exe"
    or TargetProcessName endswith "\\ldmdump.exe"
    or TargetProcessName endswith "\\listdlls.exe"
    or TargetProcessName endswith "\\listdlls64.exe"
    or TargetProcessName endswith "\\livekd.exe"
    or TargetProcessName endswith "\\livekd64.exe"
    or TargetProcessName endswith "\\loadOrd.exe"
    or TargetProcessName endswith "\\loadOrd64.exe"
    or TargetProcessName endswith "\\loadOrdC.exe"
    or TargetProcessName endswith "\\loadOrdC64.exe"
    or TargetProcessName endswith "\\logonsessions.exe"
    or TargetProcessName endswith "\\logonsessions64.exe"
    or TargetProcessName endswith "\\movefile.exe"
    or TargetProcessName endswith "\\movefile64.exe"
    or TargetProcessName endswith "\\notmyfault.exe"
    or TargetProcessName endswith "\\notmyfault64.exe"
    or TargetProcessName endswith "\\notmyfaultc.exe"
    or TargetProcessName endswith "\\notmyfaultc64.exe"
    or TargetProcessName endswith "\\ntfsinfo.exe"
    or TargetProcessName endswith "\\ntfsinfo64.exe"
    or TargetProcessName endswith "\\pendmoves.exe"
    or TargetProcessName endswith "\\pendmoves64.exe"
    or TargetProcessName endswith "\\pipelist.exe"
    or TargetProcessName endswith "\\pipelist64.exe"
    or TargetProcessName endswith "\\portmon.exe"
    or TargetProcessName endswith "\\procdump.exe"
    or TargetProcessName endswith "\\procdump64.exe"
    or TargetProcessName endswith "\\procexp.exe"
    or TargetProcessName endswith "\\procexp64.exe"
    or TargetProcessName endswith "\\Procmon.exe"
    or TargetProcessName endswith "\\Procmon64.exe"
    or TargetProcessName endswith "\\psExec.exe"
    or TargetProcessName endswith "\\psExec64.exe"
    or TargetProcessName endswith "\\psfile.exe"
    or TargetProcessName endswith "\\psfile64.exe"
    or TargetProcessName endswith "\\psGetsid.exe"
    or TargetProcessName endswith "\\psGetsid64.exe"
    or TargetProcessName endswith "\\psInfo.exe"
    or TargetProcessName endswith "\\psInfo64.exe"
    or TargetProcessName endswith "\\pskill.exe"
    or TargetProcessName endswith "\\pskill64.exe"
    or TargetProcessName endswith "\\pslist.exe"
    or TargetProcessName endswith "\\pslist64.exe"
    or TargetProcessName endswith "\\psLoggedon.exe"
    or TargetProcessName endswith "\\psLoggedon64.exe"
    or TargetProcessName endswith "\\psloglist.exe"
    or TargetProcessName endswith "\\psloglist64.exe"
    or TargetProcessName endswith "\\pspasswd.exe"
    or TargetProcessName endswith "\\pspasswd64.exe"
    or TargetProcessName endswith "\\psping.exe"
    or TargetProcessName endswith "\\psping64.exe"
    or TargetProcessName endswith "\\psService.exe"
    or TargetProcessName endswith "\\psService64.exe"
    or TargetProcessName endswith "\\psshutdown.exe"
    or TargetProcessName endswith "\\psshutdown64.exe"
    or TargetProcessName endswith "\\pssuspend.exe"
    or TargetProcessName endswith "\\pssuspend64.exe"
    or TargetProcessName endswith "\\RAMMap.exe"
    or TargetProcessName endswith "\\RAMMap64.exe"
    or TargetProcessName endswith "\\RDCMan.exe"
    or TargetProcessName endswith "\\RegDelNull.exe"
    or TargetProcessName endswith "\\RegDelNull64.exe"
    or TargetProcessName endswith "\\regjump.exe"
    or TargetProcessName endswith "\\ru.exe"
    or TargetProcessName endswith "\\ru64.exe"
    or TargetProcessName endswith "\\sdelete.exe"
    or TargetProcessName endswith "\\sdelete64.exe"
    or TargetProcessName endswith "\\ShareEnum.exe"
    or TargetProcessName endswith "\\ShareEnum64.exe"
    or TargetProcessName endswith "\\shellRunas.exe"
    or TargetProcessName endswith "\\sigcheck.exe"
    or TargetProcessName endswith "\\sigcheck64.exe"
    or TargetProcessName endswith "\\streams.exe"
    or TargetProcessName endswith "\\streams64.exe"
    or TargetProcessName endswith "\\strings.exe"
    or TargetProcessName endswith "\\strings64.exe"
    or TargetProcessName endswith "\\sync.exe"
    or TargetProcessName endswith "\\sync64.exe"
    or TargetProcessName endswith "\\Sysmon.exe"
    or TargetProcessName endswith "\\Sysmon64.exe"
    or TargetProcessName endswith "\\tcpvcon.exe"
    or TargetProcessName endswith "\\tcpvcon64.exe"
    or TargetProcessName endswith "\\tcpview.exe"
    or TargetProcessName endswith "\\tcpview64.exe"
    or TargetProcessName endswith "\\Testlimit.exe"
    or TargetProcessName endswith "\\Testlimit64.exe"
    or TargetProcessName endswith "\\vmmap.exe"
    or TargetProcessName endswith "\\vmmap64.exe"
    or TargetProcessName endswith "\\Volumeid.exe"
    or TargetProcessName endswith "\\Volumeid64.exe"
    or TargetProcessName endswith "\\whois.exe"
    or TargetProcessName endswith "\\whois64.exe"
    or TargetProcessName endswith "\\Winobj.exe"
    or TargetProcessName endswith "\\Winobj64.exe"
    or TargetProcessName endswith "\\ZoomIt.exe"
    or TargetProcessName endswith "\\ZoomIt64.exe")
    or (TargetProcessName endswith "\\accesschk64a.exe"
    or TargetProcessName endswith "\\ADExplorer64a.exe"
    or TargetProcessName endswith "\\ADInsight64a.exe"
    or TargetProcessName endswith "\\adrestore64a.exe"
    or TargetProcessName endswith "\\Autologon64a.exe"
    or TargetProcessName endswith "\\Autoruns64a.exe"
    or TargetProcessName endswith "\\autorunsc64a.exe"
    or TargetProcessName endswith "\\Clockres64a.exe"
    or TargetProcessName endswith "\\Contig64a.exe"
    or TargetProcessName endswith "\\Coreinfo64a.exe"
    or TargetProcessName endswith "\\Dbgview64a.exe"
    or TargetProcessName endswith "\\disk2vhd64a.exe"
    or TargetProcessName endswith "\\diskext64a.exe"
    or TargetProcessName endswith "\\DiskView64a.exe"
    or TargetProcessName endswith "\\du64a.exe"
    or TargetProcessName endswith "\\FindLinks64a.exe"
    or TargetProcessName endswith "\\handle64a.exe"
    or TargetProcessName endswith "\\hex2dec64a.exe"
    or TargetProcessName endswith "\\junction64a.exe"
    or TargetProcessName endswith "\\LoadOrd64a.exe"
    or TargetProcessName endswith "\\LoadOrdC64a.exe"
    or TargetProcessName endswith "\\logonsessions64a.exe"
    or TargetProcessName endswith "\\movefile64a.exe"
    or TargetProcessName endswith "\\notmyfault64a.exe"
    or TargetProcessName endswith "\\notmyfaultc64a.exe"
    or TargetProcessName endswith "\\pendmoves64a.exe"
    or TargetProcessName endswith "\\pipelist64a.exe"
    or TargetProcessName endswith "\\procdump64a.exe"
    or TargetProcessName endswith "\\procexp64a.exe"
    or TargetProcessName endswith "\\Procmon64a.exe"
    or TargetProcessName endswith "\\PsExec64a.exe"
    or TargetProcessName endswith "\\psfile64a.exe"
    or TargetProcessName endswith "\\PsGetsid64a.exe"
    or TargetProcessName endswith "\\PsInfo64a.exe"
    or TargetProcessName endswith "\\pskill64a.exe"
    or TargetProcessName endswith "\\psloglist64a.exe"
    or TargetProcessName endswith "\\pspasswd64a.exe"
    or TargetProcessName endswith "\\psping64a.exe"
    or TargetProcessName endswith "\\PsService64a.exe"
    or TargetProcessName endswith "\\pssuspend64a.exe"
    or TargetProcessName endswith "\\RAMMap64a.exe"
    or TargetProcessName endswith "\\RegDelNull64a.exe"
    or TargetProcessName endswith "\\ru64a.exe"
    or TargetProcessName endswith "\\sdelete64a.exe"
    or TargetProcessName endswith "\\sigcheck64a.exe"
    or TargetProcessName endswith "\\streams64a.exe"
    or TargetProcessName endswith "\\strings64a.exe"
    or TargetProcessName endswith "\\sync64a.exe"
    or TargetProcessName endswith "\\Sysmon64a.exe"
    or TargetProcessName endswith "\\tcpvcon64a.exe"
    or TargetProcessName endswith "\\tcpview64a.exe"
    or TargetProcessName endswith "\\vmmap64a.exe"
    or TargetProcessName endswith "\\whois64a.exe"
    or TargetProcessName endswith "\\Winobj64a.exe"
    or TargetProcessName endswith "\\ZoomIt64a.exe"))
    and (not(
        (((TargetProcessFileCompany in~ ("Sysinternals - www.sysinternals.com", "Sysinternals"))
            or TargetProcessFileProduct startswith "Sysinternals")
        or (isnull(TargetProcessFileCompany) or isnull(TargetProcessFileProduct)))
    ))
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |