Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An attacker may be trying to evade detection by running an obfuscated copy of a SysInternals tool rather than the genuine, recognisable binary.
Attacker's Goals
Attackers may leverage SysInternals tools for lateral movement (e.g., remote execution with PsExec), credential access (e.g., dumping process memory with ProcDump), or to delete recovery backups in order to cause impact.
Investigative actions
- Check whether the file is known to the user; if it is not, investigate where it came from (path, parent process, how it was delivered).
- Compare the binary's hash and Authenticode signature with the genuine Microsoft-signed SysInternals release; a renamed, repacked, unsigned or differently signed copy warrants further investigation.
Variations
Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature
Unusual use of a 'SysInternals' tool that can be used for offensive operations
A registry key related to SysInternals was modified by a known registry editor
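The investigative checks and the first two variations above, expressed as toy detection logic run over constructed process telemetry. This is an added example, not Cortex XDR's own implementation: the tool lists, the event field names, the signature-status vocabulary and every sample event are assumptions made for illustration. The `BASELINE` set stands in for what a 30-day training period would have learned about which hosts routinely run which tools, and the one-day suppression window mirrors the Deduplication Period in the synopsis.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Illustrative tool lists (assumption: the real SysInternals suite is much larger).
# OFFENSIVE_TOOLS is the subset the "can be used for offensive operations" variation keys on.
OFFENSIVE_TOOLS = {"psexec.exe", "procdump.exe", "sdelete.exe", "psloggedon.exe"}
SYSINTERNALS_TOOLS = OFFENSIVE_TOOLS | {"procexp.exe", "procmon.exe", "autoruns.exe"}
TRUSTED_SIGNER = "microsoft corporation"   # genuine SysInternals binaries are Microsoft-signed


@dataclass
class ProcessEvent:
    """One process-start record; field names and values are constructed for this example."""
    host: str
    timestamp: str           # ISO-8601 local time
    image_path: str          # path the process image ran from
    original_filename: str   # PE version-info OriginalFilename ("" if stripped)
    signer: str              # Authenticode signer subject ("" if unsigned)
    signature_status: str    # "valid", "invalid" or "unsigned"


def identify(ev: ProcessEvent) -> str | None:
    """Return the SysInternals tool this event refers to, or None if it is not one.

    The version-info name is trusted over the on-disk name so a renamed copy is still recognised.
    """
    original = ev.original_filename.lower()
    on_disk = PureWindowsPath(ev.image_path).name.lower()
    if original in SYSINTERNALS_TOOLS:
        return original
    if on_disk in SYSINTERNALS_TOOLS:
        return on_disk
    return None


def classify(ev: ProcessEvent, baseline: set[tuple[str, str]]) -> list[str]:
    """Return the variations an event matches; an empty list means nothing to alert on.

    `baseline` holds (host, tool) pairs observed during the training period, so routine
    use of an offensive-capable tool on an admin host is not treated as unusual.
    """
    tool = identify(ev)
    if tool is None:
        return []
    original = ev.original_filename.lower()
    on_disk = PureWindowsPath(ev.image_path).name.lower()
    findings = []
    if not original:
        findings.append("version info missing or stripped")
    elif on_disk != original:
        findings.append("renamed copy")
    if ev.signature_status != "valid" or ev.signer.lower() != TRUSTED_SIGNER:
        findings.append("invalid or non-standard signature")
    if tool in OFFENSIVE_TOOLS and (ev.host, tool) not in baseline:
        findings.append("offensive-capable tool")
    return findings


def alerts(events, baseline, dedup_days: int = 1) -> list[dict]:
    """Classify events and suppress repeats of the same (host, tool) inside the deduplication window."""
    out, last_alert = [], {}
    for ev in sorted(events, key=lambda e: e.timestamp):   # ISO timestamps sort lexically
        findings = classify(ev, baseline)
        if not findings:
            continue
        key = (ev.host, identify(ev))
        ts = datetime.fromisoformat(ev.timestamp)
        prev = last_alert.get(key)
        if prev is not None and ts - prev < timedelta(days=dedup_days):
            continue   # already alerted on this host/tool within the window
        last_alert[key] = ts
        out.append({"host": ev.host, "tool": key[1], "image": ev.image_path, "findings": findings})
    return out


# Constructed telemetry; ADMIN01 is the only host where PsExec use was seen in training.
BASELINE = {("ADMIN01", "psexec.exe")}
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "2024-03-04T09:00:00", r"C:\Tools\SysinternalsSuite\procexp.exe",
                 "procexp.exe", "Microsoft Corporation", "valid"),
    ProcessEvent("WS01", "2024-03-04T09:05:00", r"C:\Users\Public\svc.exe",
                 "psexec.exe", "Microsoft Corporation", "valid"),
    ProcessEvent("WS01", "2024-03-04T09:30:00", r"C:\Users\Public\svc.exe",
                 "psexec.exe", "Microsoft Corporation", "valid"),
    ProcessEvent("WS02", "2024-03-04T10:00:00", r"C:\Temp\pd.exe",
                 "procdump.exe", "", "unsigned"),
    ProcessEvent("WS02", "2024-03-05T11:00:00", r"C:\Temp\procdump.exe",
                 "", "Contoso Ltd", "valid"),
    ProcessEvent("WS03", "2024-03-04T11:00:00", r"C:\Windows\notepad.exe",
                 "NOTEPAD.EXE", "Microsoft Windows", "valid"),
    ProcessEvent("ADMIN01", "2024-03-04T12:00:00", r"C:\Tools\PsExec.exe",
                 "psexec.exe", "Microsoft Corporation", "valid"),
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS, BASELINE):
        print(f"{a['host']}: {a['tool']} run as {a['image']} -> {', '.join(a['findings'])}")
```

Running the block yields three alerts: the renamed but still Microsoft-signed PsExec on WS01 (its second launch 25 minutes later is suppressed by the one-day window), the renamed and unsigned ProcDump on WS02, and a validly signed but non-Microsoft ProcDump with stripped version info on WS02 the next day, which falls outside the window and alerts again. The correctly named, signed and baselined PsExec on ADMIN01 produces nothing. The caveat is that this logic is name-based: a copy whose on-disk name and version info have both been changed is not recognised at all, so in practice it should sit alongside hash, import-table or string-based matching against the known SysInternals releases. The third variation on the page (a SysInternals-related registry key modified by a registry editor) is also outside this example; it concerns keys such as HKCU\Software\Sysinternals\<Tool>\EulaAccepted, which the tools write on first run and which an operator can pre-set to avoid the EULA prompt.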