Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Sigma rule
```yaml
title: Sysinternals PsSuspend Execution
id: 48bbc537-b652-4b4e-bd1d-281172df448f
related:
    - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
      type: similar
status: test
description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
    - https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'pssuspend.exe'
        - Image|endswith:
              - '\pssuspend.exe'
              - '\pssuspend64.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
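To show how the `selection` above evaluates against process-creation telemetry, here is an added Python example (not part of the rule or the Sigma project). It hand-implements the two selection items with Sigma's default case-insensitive string matching and runs them over constructed Sysmon-style events; the field values and paths are made up.

```python
# Added example: evaluate the rule's 'selection' the way a converted Sigma
# query would. The two list items under 'selection' are OR-ed together.
# Sigma string matching is case-insensitive by default, so values are lowered.
IMAGE_SUFFIXES = ("\\pssuspend.exe", "\\pssuspend64.exe")


def matches_pssuspend_rule(event: dict) -> bool:
    """Return True if a process_creation event satisfies the rule's selection."""
    original = str(event.get("OriginalFileName", "")).lower()
    image = str(event.get("Image", "")).lower()
    # Item 1: PE version-info OriginalFileName, which survives renaming the binary.
    if original == "pssuspend.exe":
        return True
    # Item 2: Image|endswith on the two shipped file names (32-bit and 64-bit).
    return any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)


# Constructed sample events shaped like Sysmon Event ID 1 / process_creation.
SAMPLE_EVENTS = [
    # Stock binary, mixed case in the path: hit via Image|endswith.
    {"Image": "C:\\Tools\\PsSuspend64.exe", "OriginalFileName": "pssuspend.exe",
     "CommandLine": "PsSuspend64.exe 4242"},
    # Renamed copy: Image does not match, but OriginalFileName still does.
    {"Image": "C:\\Users\\u\\Downloads\\updater.exe", "OriginalFileName": "pssuspend.exe",
     "CommandLine": "updater.exe 4242"},
    # The tool name only appears in arguments: the rule does not look there, no hit.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo pssuspend"},
    # A different Sysinternals tool: no hit (covered by the related PsService rule).
    {"Image": "C:\\Tools\\PsService.exe", "OriginalFileName": "psservice.exe",
     "CommandLine": "PsService.exe query"},
]


def find_hits(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_pssuspend_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

The renamed-copy case is why the rule checks `OriginalFileName` in addition to `Image`; an event with the name only in `CommandLine` is deliberately not matched.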
Related rules
- Sysinternals PsService Execution
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
