What are Sysinternals?
Sysinternals is a suite of more than 70 free Windows utilities developed by Microsoft that can be used for system troubleshooting, monitoring, and diagnostics. These tools can be used to manage and monitor various aspects of Windows operating systems, including processes, services, registry settings, file systems, network connections, and more.
The Sysinternals suite includes a wide range of tools, such as Process Explorer, Autoruns, Procmon, TCPView, and PsTools, among others. These tools are designed to help IT professionals and advanced users troubleshoot and optimize their Windows-based systems.
The Sysinternals tools were originally developed by Mark Russinovich and Bryce Cogswell, who founded the company Sysinternals in 1996. In 2006, Microsoft acquired Sysinternals and incorporated the tools into their suite of Windows system utilities. Since then, Microsoft has continued to develop and update the Sysinternals tools, making them freely available to download and use for Windows users.
How are they used?
Sysinternals tools can be used as part of a cyber defense strategy to help IT professionals and security analysts detect, investigate, and respond to cyber threats on Windows-based systems. Here are some ways Sysinternals tools can be used for cyber defense:
Malware analysis: Tools like Process Explorer and Procmon can be used to monitor processes and system activity to identify suspicious behavior that may be indicative of malware.
Endpoint protection: Tools like Autoruns and Process Explorer can be used to identify and disable unwanted or malicious software that may be running on an endpoint.
Incident response: Sysinternals tools can be used to gather information during a security incident, such as network connections, running processes, and file activity, to help analysts determine the scope and severity of the incident.
Vulnerability assessment: Tools like AccessChk and ShareEnum can be used to assess the security posture of a system by identifying potential vulnerabilities, such as misconfigured file permissions or exposed network shares.
Forensics: Sysinternals tools can be used in digital forensics investigations to gather and analyze system data, such as event logs and file activity, to reconstruct events and determine the cause and extent of a security incident.
Example:
Sigcheck is a useful tool that can be used to verify signature info for critical files. Here is the official definition:
"Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning."
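One simple command lists the unsigned executable images in the \Windows\System32 directory, which are the files that need to be reviewed further. The -e switch restricts the scan to executable images, and -u reports only the ones that are unsigned.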
Command: sigcheck -u -e C:\Windows\System32
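To turn that one-off check into something repeatable, the following added example (not from the original post or from Microsoft) diffs two runs of the same scan saved as CSV with sigcheck's -c switch and reports unsigned images that were not present in the earlier run. The function names are hypothetical, the sample rows are constructed, and the column names are assumed to match the header your sigcheck version prints.

```powershell
# Added example. Assumes the CSV header printed by `sigcheck -c`
# (Path, Verified, Publisher, ...); verify it against your sigcheck version.

function Get-UnsignedImage {
    # Parse sigcheck CSV lines and keep rows whose Verified field is not 'Signed'.
    param([Parameter(Mandatory)][string[]]$CsvLine)
    $CsvLine | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
        Where-Object { $_.Verified -ne 'Signed' } |
        Select-Object Path, Verified, Publisher
}

function Compare-UnsignedBaseline {
    # Report unsigned images in the current run that the baseline run did not list.
    param(
        [Parameter(Mandatory)][string[]]$Baseline,
        [Parameter(Mandatory)][string[]]$Current
    )
    # Windows paths are case-insensitive, so compare them that way.
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in Get-UnsignedImage -CsvLine $Baseline) { [void]$known.Add($row.Path) }
    Get-UnsignedImage -CsvLine $Current | Where-Object { -not $known.Contains($_.Path) }
}

# Constructed sample output from two runs (file names are placeholders).
$header = 'Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type'
$lastWeek = @(
    $header
    '"C:\Windows\System32\example-helper.dll","Unsigned","9:14 AM 1/5/2023","n/a","Example Vendor","Helper","Example","1.0","1.0","64-bit"'
)
$today = $lastWeek + @(
    '"C:\Windows\System32\example-new.exe","Unsigned","2:41 AM 3/2/2023","n/a","n/a","n/a","n/a","n/a","n/a","64-bit"'
)

# Only example-new.exe is reported, because example-helper.dll is already in the baseline.
Compare-UnsignedBaseline -Baseline $lastWeek -Current $today | Format-Table -AutoSize

# On a live host, replace the samples with real output, for example:
#   $today = sigcheck -nobanner -accepteula -c -u -e C:\Windows\System32
```

A file that appears in the diff is a lead for review, not a verdict: check its origin, hash and install time before acting on it.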
What is Sysinternals Live?
Per the Sysinternals website, "Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>."
In short, you don't need to download any of these tools to use them. A couple of configuration changes through PowerShell and you're good to go!
You can even map the utilities to a shared network drive where you can call on the tools like any other file on your desktop.
Overall, Sysinternals tools are valuable resources for cyber defense because they provide granular visibility into system activity and can help identify and respond to cyber threats in a timely and effective manner.
Check out more info about these tools here. If you wish to download a tool or two but not the entire suite, you can click here. Some of these tools have many applications. Including OFFENSIVE ones. ;)