Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Sigma rule

```yaml
title: Sysinternals PsSuspend Execution
id: 48bbc537-b652-4b4e-bd1d-281172df448f
related:
    - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
      type: similar
status: test
description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
    - https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-23
tags:
    - attack.discovery
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'pssuspend.exe'
        - Image|endswith:
            - '\pssuspend.exe'
            - '\pssuspend64.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
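To show how the `selection` block above behaves on real process-creation telemetry, here is an added example (not part of the Sigma rule or the Sigma project) that transcribes the selection into Python and evaluates it against constructed events; it assumes the events carry the Sigma field names `Image` and `OriginalFileName`.

```python
# Added example: evaluates this rule's selection over constructed process_creation
# events. Mirrors the Sigma semantics the rule relies on: a list of maps under
# `selection` is OR'd, an `|endswith` value list is OR'd, and string comparison
# is case-insensitive. Assumption: events use the Sigma field names below.

# The rule's `selection` block, transcribed as Python data.
SELECTION = [
    {"OriginalFileName": "pssuspend.exe"},
    {"Image|endswith": ["\\pssuspend.exe", "\\pssuspend64.exe"]},
]


def _match_field(key: str, expected, event: dict) -> bool:
    """Match one `field|modifier: value(s)` entry against a single event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if not isinstance(actual, str):
        return False
    actual = actual.lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def matches_rule(event: dict) -> bool:
    """True when any map in SELECTION has all of its fields matching (OR of ANDs)."""
    return any(
        all(_match_field(k, v, event) for k, v in entry.items())
        for entry in SELECTION
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\PsSuspend64.exe", "OriginalFileName": "pssuspend.exe"},
    # Renamed copy: Image no longer ends with pssuspend.exe, but the PE header's
    # OriginalFileName still does, so the first selection entry still fires.
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "pssuspend.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]


def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Return the Image paths of the events this rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_images())  # the two PsSuspend events, not notepad
```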
Related rules
- Sysinternals PsService Execution
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Driver Load From A Temporary Directory