Sysinternals (T1654)
How the Sysinternals Suite -- Process Explorer, Autoruns, TCPView, PsExec -- gives analysts Windows forensic visibility without installing agents, and how attackers use the same tools against you.
What the Sysinternals Suite Is and Why It Belongs in Every Analyst Toolkit
- Sysinternals Suite is a collection of 70+ free Windows system utilities developed by Mark Russinovich and now maintained by Microsoft.
- These tools give analysts deep visibility into Windows internals — processes, threads, handles, network connections, registry, file system, and kernel objects — without installing agents or drivers.
- For incident response, Sysinternals is indispensable: it runs from a USB drive or network share with no installation, leaves minimal forensic footprint, and exposes what the OS actually sees rather than what user-mode applications report.
- MITRE ATT&CK maps log enumeration and analysis tools to T1654 (Log Enumeration).
The Essential Tools and Their Use Cases
Process Explorer (procexp.exe)
What it shows: Tree view of all running processes, including parent-child relationships, handle usage, DLLs loaded, and process properties Task Manager does not expose.
Analyst use cases:
| Scenario | What to Check in Process Explorer |
|---|---|
| Unknown process running | Check the process properties: “Verified Signer” — is it Microsoft-signed? “Parent” — what spawned it? |
| Suspicious CPU spike | Sort by CPU. Look for processes with high CPU that you cannot identify. Check the command line and file path. |
| Process injection detection | Right-click process → Properties → “Image” tab → Check the “Address space” for unexpected loaded DLLs. Switch to “Strings” tab — look for process name strings (self-injection). |
| Handle analysis | View → Lower Pane → Handles. Suspicious: a process with handles to lsass.exe, SAM, or C:\Windows\System32\drivers\etc\hosts. |
| Network connections per process | View → Lower Pane → “TCP/IP” tab. See every open TCP/UDP connection and the process that owns it. |
How to run: procexp.exe → accept EULA → switch to “Process Tree” view (View → Show Process Tree) to see parent-child relationships.
Autoruns (autoruns.exe)
What it shows: Every location where a program can automatically start — registry Run keys, scheduled tasks, services, drivers, WMI subscriptions, browser extensions, and 20+ other autorun locations.
Analyst use cases:
| Scenario | What to Check |
|---|---|
| Persistence hunting | Click “Everything” tab. Sort by “Verified” column. Any unverified entry is suspicious. Focus on files in %TEMP%, %APPDATA%, %LOCALAPPDATA%. |
| Ransomware prevention | Run Autoruns weekly. A new entry for powershell.exe -EncodedCommand... in HKCU\...\Run is a ransomware precursor. |
| Malware removal | After discovering malware, run Autoruns to find the persistence mechanism. Disable the entry (uncheck), do not delete — you may need it for forensic analysis. |
| DLL hijacking check | Look for missing DLL entries — Autoruns shows entries where the referenced file does not exist (yellow highlight). These can be exploited for DLL hijacking. |
How to run: autoruns.exe → go to “Everything” → scroll to unverified entries (yellow background). Focus on items scheduled to start from %TEMP%, %APPDATA%, or non-system directories.
TCPView (tcpvcon.exe)
What it shows: Real-time list of all TCP and UDP endpoints on the system, mapped to the owning process. Includes state (LISTENING, ESTABLISHED, CLOSE_WAIT), process ID, and local/remote addresses.
Analyst use cases:
| Scenario | What to Check |
|---|---|
| C2 beaconing | Look for processes with ESTABLISHED connections to external IPs on port 443. Check if the process name matches the connection (e.g., svchost.exe connected to known bad IP is suspicious). |
| Data exfiltration | Look for CLOSE_WAIT connections — the process closed the local side but the remote side is still waiting. Large data transfers leave many CLOSE_WAIT connections. |
| Unauthorized listening services | Sort by State: LISTENING. Any process listening on a high port (4443, 8080, 1337) without a corresponding legitimate application is suspicious. |
| RDP enumeration | Check for svchost.exe listening on port 3389 — is RDP currently enabled and accepting connections? |
How to run: tcpview.exe → observe active connections → right-click connections to close them or look up IP addresses via WHOIS.
PsExec (psexec.exe)
What it does: Execute processes remotely on Windows systems. Primary tool for both IT administration and lateral movement.
Analyst use cases:
| Perspective | What to Check |
|---|---|
| Defender use | Run commands remotely on multiple systems during incident response without deploying full remote management. PsExec \\target -s cmd.exe opens a SYSTEM-level command prompt. The -s flag runs as System — invaluable for accessing protected processes. |
| Detection | Event 7045 (service installed) for PSEXECSVC is the key detection signal. Event 4688 with parent process PsExec.exe. Logon type 3 from the controlling workstation. |
| Attacker use | Attackers use PsExec exactly the same way. The same PsExec binary is used by IT and by ransomware operators. Detection relies on parent process, account context, and timing. |
AccessChk (accesschk.exe)
What it does: Reports effective permissions on files, registry keys, processes, services, and more. Essential for privilege escalation investigations.
How to use it:
```cmd
:: Check which accounts can modify the DNS service configuration (potential privilege escalation)
accesschk64.exe -accepteula -w -c "DNS"
:: Check effective permissions for a specific user on a file (syntax: accesschk [options] [user] [path])
accesschk64.exe -accepteula "DOMAIN\user" "C:\Program Files\SomeApp\config.exe"
:: Check which services are writable by non-admin users (-u suppress errors, -q no banner, -v verbose)
accesschk64.exe -accepteula -uwcqv "Users" *
```
Strings (strings.exe)
What it does: Extracts ASCII and Unicode strings from binary files. Essential for quick malware analysis without a disassembler. Pair with YARA for automated pattern matching on extracted strings.
How to use it:
```cmd
:: Extract ASCII and Unicode strings from a suspicious binary
strings.exe -accepteula suspicious.exe > strings_output.txt
:: Look for interesting strings in the output (each space-separated term is a separate search string)
findstr /i "http:// https:// C2 beacon powershell cmd.exe DLL" strings_output.txt
:: What the hits mean:
::   URLs            -> likely network indicators
::   Registry paths  -> possible persistence
::   API names       -> file access, network access, process injection
::   Usernames/paths -> attacker artifacts
```
Detection — Sysinternals Tools as Attack Tools
| Sysinternals Tool | How Attackers Abuse It | Detection Signal |
|---|---|---|
| PsExec | Lateral movement — run commands remotely | Event 7045 (PSEXECSVC), Event 4688 (PsExec.exe as parent), SMB access to ADMIN$ |
| AccessChk | Enumerate service permissions for privilege escalation | Sysmon Event 1 (accesschk.exe execution), Event 4688 with AccessChk command lines |
| ProcDump | Dump lsass.exe for credential theft | Sysmon Event 10 (process access to lsass.exe — see Mimikatz for credential dumping), ProcDump binary execution |
| Strings | Extract strings from target binaries for recon | Rarely used live — usually executed on forensic image or offline. No direct detection signal. |
| Sigcheck | Verify file signatures, check PE metadata | Rare. Usually legitimate IT use. |
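To show how the signals in this table turn into detection logic, here is an added example (not part of the original page) that runs the PsExec, AccessChk and ProcDump rules over a few constructed event records; the field names (Channel, EventID, ServiceName, ParentProcessName, TargetImage) are assumed to be what the SIEM extracts from the raw events.

```python
import re

# Constructed sample records (not from a real host): the fields a SIEM would
# parse out of System, Security and Sysmon events. Field names are assumed.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Tools\PsExec64.exe", "CommandLine": "cmd.exe"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Users\bob\Downloads\accesschk64.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'accesschk64.exe -uwcqv "Users" *'},
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# PsExec registers its service as PSEXESVC; the regex also accepts the
# PSEXECSVC spelling that many detection write-ups use.
PSEXEC_SERVICE = re.compile(r"psexe(c)?svc", re.I)

def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_sysinternals_abuse(events):
    """Apply the detection signals from the table above to parsed events.
    Returns (rule, event_id, detail) tuples in input order."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045 and PSEXEC_SERVICE.fullmatch(ev.get("ServiceName", "")):
            hits.append(("psexec_service_install", eid, ev["ServiceName"]))
        elif eid == 4688:
            parent = _basename(ev.get("ParentProcessName", ""))
            child = _basename(ev.get("NewProcessName", ""))
            if parent.startswith("psexec"):
                hits.append(("psexec_child_process", eid, child))
            if child.startswith("accesschk"):
                hits.append(("accesschk_execution", eid, ev.get("CommandLine", "")))
        # Sysmon Event 10 on lsass is noisy (AV/EDR also open it); the source image decides
        elif ev.get("Channel") == "Sysmon" and eid == 10 and _basename(ev.get("TargetImage", "")) == "lsass.exe":
            hits.append(("lsass_access", eid, _basename(ev.get("SourceImage", ""))))
    return hits

if __name__ == "__main__":
    for rule, eid, detail in detect_sysinternals_abuse(SAMPLE_EVENTS):
        print(f"{rule:24} event {eid:<5} {detail}")
```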
Investigation Workflow — Using Sysinternals in Incident Response
Step 1 — Capture Running State
```cmd
:: Process Explorer has no command-line export switch: launch it, then File -> Save writes the process tree to a text file
procexp.exe /accepteula
:: Console TCPView: all endpoints (-a), CSV output (-c), no DNS resolution (-n)
tcpvcon.exe -accepteula -a -c -n > connections.csv
:: Console Autoruns: every autostart category (-a *), CSV output (-c) written to a file (-o)
autorunsc.exe -accepteula -a * -c -o autoruns.csv
```
Step 2 — Analyze for Anomalies
- Process Explorer: Sort by company name (Column: “Verified Signer”). Any process listed as “(Verified) Microsoft Windows” is expected. Unverified or “not verified” binaries in %TEMP% or %APPDATA% are suspicious.
- TCPView: Note all ESTABLISHED connections to external IPs. Cross-reference with known IPs (CDN, cloud providers, SIEM, threat intel).
- Autoruns: Filter by “Entry Type” → “Run” and “RunOnce”. Any entry with a command line including powershell, wscript, or a URL is a persistence signal.
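As an added example (not from the original page), the Autoruns part of this step as a script over autorunsc CSV output: the column names are assumed to mirror the autorunsc -c layout (trimmed to the columns the check needs) and the rows are constructed, not taken from a real host.

```python
import csv
import io
import re

# Constructed sample in the (assumed) autorunsc -c column layout; the
# -EncodedCommand argument is a placeholder, not a real payload.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,(Not verified) Contoso,c:\users\bob\appdata\roaming\updater\upd.exe,C:\Users\bob\AppData\Roaming\updater\upd.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,Helper,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\windowspowershell\v1.0\powershell.exe,powershell.exe -w hidden -EncodedCommand <base64-placeholder>
Task Scheduler,\Sync,enabled,Tasks,(Verified) Contoso Ltd,c:\program files\contoso\sync.exe,C:\Program Files\Contoso\sync.exe /background
"""

# Expanded %TEMP%, %APPDATA% and %LOCALAPPDATA% all live under these path components
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\")
SUSPICIOUS_LAUNCH = re.compile(r"powershell|wscript|cscript|https?://|-encodedcommand", re.I)

def triage_autoruns(csv_text):
    """Return {entry_name: [reasons]} for rows matching the Step 2 criteria."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("unverified signer")
        if any(d in row["Image Path"].lower() for d in SUSPICIOUS_DIRS):
            reasons.append("runs from user-writable profile directory")
        if SUSPICIOUS_LAUNCH.search(row["Launch String"]):
            reasons.append("script host / URL in launch string")
        if reasons:
            findings[row["Entry"]] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in triage_autoruns(SAMPLE_CSV).items():
        print(f"{entry}: {', '.join(reasons)}")
```

A verified signer does not clear an entry on its own: the RunOnce row is signed Microsoft powershell.exe and is still flagged because of its launch string.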
Step 3 — Collect Evidence
Use the following tools to collect forensic evidence without altering the system state:
| Tool | What It Collects | Forensics Value |
|---|---|---|
| procdump -ma lsass.exe lsass.dmp | LSASS process memory (live memory dump) | Credential access — only if necessary for IR |
| strings.exe malicious.exe | Embedded strings in malicious binary | Network IOCs, C2 URLs, file paths |
| handle.exe | All open handles | Identify which files/registry keys a process is accessing |
| logonsessions.exe | Active logon sessions | Identify which users are logged on — useful for lateral movement detection |
Related
- Azure Sentinel — detection and response for T1654 techniques
- CyberChef — detection and response for T1654 techniques
- Log Sources Overview — covers the log sources overview concepts
- Lateral Movement Response — detection and response for T1021, T1570, T1047 techniques
