Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Sigma rule
title: Sysinternals PsSuspend Suspicious Execution
id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
related:
    - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution
      type: similar
status: test
description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend
    - https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/23
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'pssuspend.exe'
        - Image|endswith:
              - '\pssuspend.exe'
              - '\pssuspend64.exe'
    selection_cli:
        # Add more interesting/critical processes
        CommandLine|contains: 'msmpeng.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
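To make the detection logic concrete, the following Python re-implements the rule's two selections and its `all of selection_*` condition and runs them over a handful of constructed process_creation events. This is an added example, not part of the rule or of SigmaHQ; the events, their `id` labels and the `targets` parameter are assumptions made for illustration. It generalises the rule slightly, as the rule's own comment invites, by taking the list of protected process names as a parameter instead of hard-coding `msmpeng.exe`. Two points it shows that the YAML alone does not: Sigma string matching is case-insensitive by default, so `MsMpEng.exe` on the command line still matches, and the `OriginalFileName` branch catches a renamed copy of PsSuspend that the `Image|endswith` branch would miss, whereas suspending a process by PID rather than by name slips past `selection_cli` entirely.

```python
"""Added example: the PsSuspend Sigma rule's detection logic over
constructed process_creation events (not the rule's or SigmaHQ's code)."""

# Values taken from the rule above.
IMAGE_SUFFIXES = ("\\pssuspend.exe", "\\pssuspend64.exe")
ORIGINAL_FILE_NAME = "pssuspend.exe"
# The rule ships with a single target; extending it is left to the analyst.
DEFAULT_TARGETS = ("msmpeng.exe",)


def selection_img(event):
    """selection_img: OriginalFileName equals 'pssuspend.exe' OR Image ends
    with one of the PsSuspend file names. Sigma compares case-insensitively,
    so everything is lower-cased first. Missing fields never match."""
    original = (event.get("OriginalFileName") or "").lower()
    image = (event.get("Image") or "").lower()
    return original == ORIGINAL_FILE_NAME or image.endswith(IMAGE_SUFFIXES)


def selection_cli(event, targets=DEFAULT_TARGETS):
    """selection_cli: CommandLine contains any of the protected process names.
    The rule has one entry ('msmpeng.exe'); `targets` lets you add more."""
    cmdline = (event.get("CommandLine") or "").lower()
    return any(t.lower() in cmdline for t in targets)


def matches(event, targets=DEFAULT_TARGETS):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event, targets)


# Constructed events (hypothetical); the 'id' key is only a label for the output.
SAMPLE_EVENTS = [
    {   # PsSuspend used on a harmless process: image matches, command line does not
        "id": "normal",
        "Image": r"C:\Tools\PsSuspend64.exe",
        "OriginalFileName": "pssuspend.exe",
        "CommandLine": "PsSuspend64.exe -accepteula notepad.exe",
    },
    {   # Defender engine suspended by name: both selections match
        "id": "defender",
        "Image": r"C:\Tools\PsSuspend64.exe",
        "OriginalFileName": "pssuspend.exe",
        "CommandLine": "PsSuspend64.exe -accepteula MsMpEng.exe",
    },
    {   # Renamed binary: Image check fails, OriginalFileName from the PE header still matches
        "id": "renamed",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "pssuspend.exe",
        "CommandLine": "svc.exe MsMpEng.exe",
    },
    {   # Target given by PID: no process name on the command line, so selection_cli misses it
        "id": "by-pid",
        "Image": r"C:\Tools\pssuspend.exe",
        "CommandLine": "pssuspend.exe 4312",
    },
    {   # A different tool touching the same process: selection_img fails
        "id": "other-tool",
        "Image": r"C:\Windows\System32\taskkill.exe",
        "OriginalFileName": "taskkill.exe",
        "CommandLine": "taskkill /IM MsMpEng.exe",
    },
]


def alerts(events=SAMPLE_EVENTS, targets=DEFAULT_TARGETS):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches(e, targets)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<11} img={selection_img(e)!s:<5} "
              f"cli={selection_cli(e)!s:<5} alert={matches(e)}")
    print("alerts:", alerts())
```

Running it fires on `defender` and `renamed` only. The `by-pid` event is the caveat worth keeping in mind: a process_creation rule keyed on the command line cannot see which process a numeric PID refers to, so pairing this rule with the basic-execution rule it is related to, or with telemetry on the thread-suspension itself, covers that gap.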
Related rules
- AWS Config Disabling Channel/Recorder
- Cisco Disabling Logging
- NetNTLM Downgrade Attack - Registry
- Hypervisor Enforced Code Integrity Disabled
- Powershell Defender Disable Scan Feature