Potential Binary Impersonating Sysinternals Tools
Detects binaries that use the same name as legitimate Sysinternals tools to evade detection. The rule looks for the execution of binaries whose file name matches a Sysinternals tool while the Company or Product version metadata does not identify Sysinternals. Adversaries may rename their malicious tools as legitimate Sysinternals tools to evade detection.
Sigma rule
```yaml
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: |
    Detects binaries that use the same name as legitimate Sysinternals tools to evade detection.
    This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
    Adversaries may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2025-04-12
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.t1202
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith:
            - '\accesschk.exe'
            - '\accesschk64.exe'
            - '\AccessEnum.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADInsight.exe'
            - '\ADInsight64.exe'
            - '\adrestore.exe'
            - '\adrestore64.exe'
            - '\Autologon.exe'
            - '\Autologon64.exe'
            - '\Autoruns.exe'
            - '\Autoruns64.exe'
            - '\autorunsc.exe'
            - '\autorunsc64.exe'
            - '\Bginfo.exe'
            - '\Bginfo64.exe'
            - '\Cacheset.exe'
            - '\Cacheset64.exe'
            - '\Clockres.exe'
            - '\Clockres64.exe'
            - '\Contig.exe'
            - '\Contig64.exe'
            - '\Coreinfo.exe'
            - '\Coreinfo64.exe'
            - '\CPUSTRES.EXE'
            - '\CPUSTRES64.EXE'
            - '\ctrl2cap.exe'
            - '\Dbgview.exe'
            - '\dbgview64.exe'
            - '\Desktops.exe'
            - '\Desktops64.exe'
            - '\disk2vhd.exe'
            - '\disk2vhd64.exe'
            - '\diskext.exe'
            - '\diskext64.exe'
            - '\Diskmon.exe'
            - '\Diskmon64.exe'
            - '\DiskView.exe'
            - '\DiskView64.exe'
            - '\du.exe'
            - '\du64.exe'
            - '\efsdump.exe'
            - '\FindLinks.exe'
            - '\FindLinks64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\hex2dec.exe'
            - '\hex2dec64.exe'
            - '\junction.exe'
            - '\junction64.exe'
            - '\ldmdump.exe'
            - '\listdlls.exe'
            - '\listdlls64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\loadOrd.exe'
            - '\loadOrd64.exe'
            - '\loadOrdC.exe'
            - '\loadOrdC64.exe'
            - '\logonsessions.exe'
            - '\logonsessions64.exe'
            - '\movefile.exe'
            - '\movefile64.exe'
            - '\notmyfault.exe'
            - '\notmyfault64.exe'
            - '\notmyfaultc.exe'
            - '\notmyfaultc64.exe'
            - '\ntfsinfo.exe'
            - '\ntfsinfo64.exe'
            - '\pendmoves.exe'
            - '\pendmoves64.exe'
            - '\pipelist.exe'
            - '\pipelist64.exe'
            - '\portmon.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\Procmon.exe'
            - '\Procmon64.exe'
            - '\psExec.exe'
            - '\psExec64.exe'
            - '\psfile.exe'
            - '\psfile64.exe'
            - '\psGetsid.exe'
            - '\psGetsid64.exe'
            - '\psInfo.exe'
            - '\psInfo64.exe'
            - '\pskill.exe'
            - '\pskill64.exe'
            - '\pslist.exe'
            - '\pslist64.exe'
            - '\psLoggedon.exe'
            - '\psLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\psping.exe'
            - '\psping64.exe'
            - '\psService.exe'
            - '\psService64.exe'
            - '\psshutdown.exe'
            - '\psshutdown64.exe'
            - '\pssuspend.exe'
            - '\pssuspend64.exe'
            - '\RAMMap.exe'
            - '\RAMMap64.exe'
            - '\RDCMan.exe'
            - '\RegDelNull.exe'
            - '\RegDelNull64.exe'
            - '\regjump.exe'
            - '\ru.exe'
            - '\ru64.exe'
            - '\sdelete.exe'
            - '\sdelete64.exe'
            - '\ShareEnum.exe'
            - '\ShareEnum64.exe'
            - '\shellRunas.exe'
            - '\sigcheck.exe'
            - '\sigcheck64.exe'
            - '\streams.exe'
            - '\streams64.exe'
            - '\strings.exe'
            - '\strings64.exe'
            - '\sync.exe'
            - '\sync64.exe'
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
            - '\tcpvcon.exe'
            - '\tcpvcon64.exe'
            - '\tcpview.exe'
            - '\tcpview64.exe'
            - '\Testlimit.exe'
            - '\Testlimit64.exe'
            - '\vmmap.exe'
            - '\vmmap64.exe'
            - '\Volumeid.exe'
            - '\Volumeid64.exe'
            - '\whois.exe'
            - '\whois64.exe'
            - '\Winobj.exe'
            - '\Winobj64.exe'
            - '\ZoomIt.exe'
            - '\ZoomIt64.exe'
    selection_arm64:
        Image|endswith:
            - '\accesschk64a.exe'
            - '\ADExplorer64a.exe'
            - '\ADInsight64a.exe'
            - '\adrestore64a.exe'
            - '\Autologon64a.exe'
            - '\Autoruns64a.exe'
            - '\autorunsc64a.exe'
            - '\Clockres64a.exe'
            - '\Contig64a.exe'
            - '\Coreinfo64a.exe'
            - '\Dbgview64a.exe'
            - '\disk2vhd64a.exe'
            - '\diskext64a.exe'
            - '\DiskView64a.exe'
            - '\du64a.exe'
            - '\FindLinks64a.exe'
            - '\handle64a.exe'
            - '\hex2dec64a.exe'
            - '\junction64a.exe'
            - '\LoadOrd64a.exe'
            - '\LoadOrdC64a.exe'
            - '\logonsessions64a.exe'
            - '\movefile64a.exe'
            - '\notmyfault64a.exe'
            - '\notmyfaultc64a.exe'
            - '\pendmoves64a.exe'
            - '\pipelist64a.exe'
            - '\procdump64a.exe'
            - '\procexp64a.exe'
            - '\Procmon64a.exe'
            - '\PsExec64a.exe'
            - '\psfile64a.exe'
            - '\PsGetsid64a.exe'
            - '\PsInfo64a.exe'
            - '\pskill64a.exe'
            - '\psloglist64a.exe'
            - '\pspasswd64a.exe'
            - '\psping64a.exe'
            - '\PsService64a.exe'
            - '\pssuspend64a.exe'
            - '\RAMMap64a.exe'
            - '\RegDelNull64a.exe'
            - '\ru64a.exe'
            - '\sdelete64a.exe'
            - '\sigcheck64a.exe'
            - '\streams64a.exe'
            - '\strings64a.exe'
            - '\sync64a.exe'
            - '\Sysmon64a.exe'
            - '\tcpvcon64a.exe'
            - '\tcpview64a.exe'
            - '\vmmap64a.exe'
            - '\whois64a.exe'
            - '\Winobj64a.exe'
            - '\ZoomIt64a.exe'
    filter_valid:
        - Company:
              - 'Sysinternals - www.sysinternals.com'
              - 'Sysinternals'
        - Product|startswith: 'Sysinternals'
    filter_empty:
        - Company: null
        - Product: null
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
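To show how the rule's condition behaves on telemetry, here is an added Python emulation of its matching logic, run over a handful of constructed Sysmon-style process_creation events. This is not SigmaHQ code and not a Sigma backend; it re-implements the `selection_*`/`filter_*` logic by hand so each branch can be stepped through, and it uses only a subset of the rule's tool names (marked as such in the code). Two points the YAML alone does not make obvious: Sigma string matching is case-insensitive, so `'\psExec64.exe'` matches a file actually named `PsExec64.exe`; and `filter_empty` (`Company: null` / `Product: null`) suppresses any event in which those fields are absent altogether, so on a log source that carries no PE version information, such as Windows Security event 4688, the rule never fires. Sysmon, by contrast, writes `-` when the executable has no version resource, which is neither null nor a Sysinternals value, so an impostor with its version info stripped still alerts there.

```python
"""Emulation of the 'Potential Binary Impersonating Sysinternals Tools' Sigma
rule's detection logic over constructed process_creation events.

Added example: not SigmaHQ code and not a pySigma backend. The rule's condition
(1 of selection_* and not 1 of filter_*) is re-implemented by hand.
"""

# Constructed subset of the rule's selection_exe / selection_arm64 values;
# the real rule lists every Sysinternals binary name.
SYSINTERNALS_IMAGE_SUFFIXES = [
    r"\accesschk.exe", r"\handle.exe", r"\procdump.exe", r"\procdump64.exe",
    r"\procdump64a.exe", r"\psExec.exe", r"\psExec64.exe", r"\PsExec64a.exe",
    r"\pskill.exe", r"\sdelete.exe", r"\sdelete64.exe", r"\Sysmon.exe",
    r"\Sysmon64.exe",
]

# filter_valid, exactly as written in the rule.
VALID_COMPANY_VALUES = {"Sysinternals - www.sysinternals.com", "Sysinternals"}
VALID_PRODUCT_PREFIX = "Sysinternals"


def _ci_endswith(value: str, suffix: str) -> bool:
    """Sigma compares plain string values case-insensitively."""
    return value.lower().endswith(suffix.lower())


def selection_matches(event: dict) -> bool:
    """1 of selection_*: Image ends with one of the listed tool names."""
    image = event.get("Image") or ""
    return any(_ci_endswith(image, s) for s in SYSINTERNALS_IMAGE_SUFFIXES)


def filter_valid_matches(event: dict) -> bool:
    """filter_valid: the PE carries genuine Sysinternals version metadata."""
    company = (event.get("Company") or "").lower()
    product = (event.get("Product") or "").lower()
    valid_companies = {v.lower() for v in VALID_COMPANY_VALUES}
    return company in valid_companies or product.startswith(VALID_PRODUCT_PREFIX.lower())


def filter_empty_matches(event: dict) -> bool:
    """filter_empty: Sigma `null` matches a field that is missing from the event.
    Sysmon's '-' placeholder for an empty version field is a value, not null."""
    return event.get("Company") is None or event.get("Product") is None


def rule_fires(event: dict) -> bool:
    """condition: 1 of selection_* and not 1 of filter_*"""
    if not selection_matches(event):
        return False
    return not (filter_valid_matches(event) or filter_empty_matches(event))


# Constructed sample events (Sysmon EID 1 field names; values are made up).
SAMPLE_EVENTS = [
    {"id": "legit_psexec", "Image": r"C:\Tools\PsExec64.exe",
     "Company": "Sysinternals - www.sysinternals.com", "Product": "Sysinternals PsExec"},
    {"id": "renamed_procdump", "Image": r"C:\Users\Public\procdump.exe",
     "Company": "Contoso Ltd.", "Product": "Contoso Updater"},
    # PE with no version resource: Sysmon logs '-' for Company and Product.
    {"id": "no_version_info", "Image": r"C:\Windows\Temp\sdelete64.exe",
     "Company": "-", "Product": "-"},
    # Security 4688 carries no Company/Product fields at all -> filter_empty.
    {"id": "security_4688", "Image": r"C:\Users\Public\handle.exe"},
    {"id": "unrelated", "Image": r"C:\Windows\System32\notepad.exe",
     "Company": "Microsoft Corporation", "Product": "Microsoft Windows"},
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {event id: True if the rule would alert} for each event."""
    return {e["id"]: rule_fires(e) for e in events}


if __name__ == "__main__":
    for event_id, fired in evaluate().items():
        print(f"{event_id:18s} -> {'ALERT' if fired else 'no alert'}")
```

The `security_4688` case is the one to check before deploying: if your process_creation source is the Security log rather than Sysmon or an EDR that enriches events with PE version info, every event falls into `filter_empty` and the rule is silent.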
Related rules
- Potentially Suspicious Child Process Of VsCode
- Potential Arbitrary File Download Via Cmdl32.EXE
- Suspicious Child Process Of BgInfo.EXE
- Suspicious ZipExec Execution
- Uncommon Child Process Of BgInfo.EXE