Sysinternals PsSuspend Suspicious Execution

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

Sigma rule (View on GitHub)

 1title: Sysinternals PsSuspend Suspicious Execution
 2id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
 3related:
 4    - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution
 5      type: similar
 6status: test
 7description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
 8references:
 9    - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
10    - https://twitter.com/0gtweet/status/1638069413717975046
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-03-23
13tags:
14    - attack.defense-evasion
15    - attack.t1562.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - OriginalFileName: 'pssuspend.exe'
22        - Image|endswith:
23              - '\pssuspend.exe'
24              - '\pssuspend64.exe'
25    selection_cli:
26        # Add more interesting/critical processes
27        CommandLine|contains: 'msmpeng.exe'
28    condition: all of selection_*
29falsepositives:
30    - Unlikely
31level: high

References

Related rules

to-top