
SysInternals

Last Updated: January 2, 2020

Downloading

Download here

\\live.sysinternals.com\tools\ or https://live.sysinternals.com/

System Monitor

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Microsoft-Windows-Sysmon/Operational event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using WEF or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers. Sysmon uses a customizable configuration file to determine which events to capture. Configuration settings can also be deployed through Group Policy Preferences, since they are stored in the registry. The following image illustrates a sample configuration file that enables capture of events representing loading of non-Windows device drivers and TCP/IP network connections targeting ports 80 and 443:
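Because the image is not reproduced on this page, the configuration it describes is given below as an added example, modelled on the sample in the Sysmon documentation rather than taken from the original page. It excludes driver loads whose signature contains Microsoft or Windows (so only third-party drivers are logged) and includes network connections to destination ports 80 and 443, then installs Sysmon with it and reads the resulting events back from the Sysmon/Operational channel. The tool path C:\Tools\Sysmon64.exe, the config location and schemaversion 4.22 are assumptions; print the schema your binary expects with `Sysmon64.exe -s` before installing.

```powershell
# Added example (not from the page or from Sysinternals): write a Sysmon config
# matching the description above, install Sysmon with it, and query the events.
# Assumptions: Sysmon64.exe lives in C:\Tools and schemaversion 4.22 matches the
# installed binary (check with: .\Sysmon64.exe -s). Run from an elevated prompt.
$sysmon = 'C:\Tools\Sysmon64.exe'
$config = 'C:\Tools\sysmon-config.xml'

@'
<Sysmon schemaversion="4.22">
  <!-- Record every supported hash for image and driver events -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 6 (DriverLoad): log all driver loads EXCEPT those whose
         signature contains Microsoft or Windows, i.e. keep non-Windows drivers -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </DriverLoad>
    <!-- Event ID 3 (NetworkConnect): log only connections to ports 80 and 443 -->
    <NetworkConnect onmatch="include">
      <DestinationPort>80</DestinationPort>
      <DestinationPort>443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $config -Encoding ASCII

# First-time install: registers the service and driver and loads the config.
# On a host where Sysmon is already installed, use "-c $config" instead to
# replace the running configuration.
& $sysmon -accepteula -i $config

# Print the configuration the running instance actually accepted.
& $sysmon -c

# Pull the resulting events from the channel named in the text above.
# Sysmon event IDs: 3 = NetworkConnect, 6 = DriverLoad.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 3, 6
} -MaxEvents 50 |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Because the settings are stored in the registry, the same XML can be pushed fleet-wide by Group Policy once it has been validated on one host this way.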

Process Explorer

Process Explorer is a popular member of the SysInternals Suite that provides a graphical interface through which you can identify all active processes on a target computer. By reviewing the list, you may be able to spot processes that exhibit suspicious characteristics, such as:
• no icon, description or company name
• executing from the Windows directory or a user profile
• a misspelled name
• an unsigned executable
• strange URLs or strings embedded in the executable
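Process Explorer is interactive, but the checklist above can also be applied in bulk. The script below is an added example (not from the page or from Sysinternals) that walks every running process and reports the traits that can be tested programmatically: a missing description or company name, an image path under a user profile or directly under the Windows directory, and an executable whose Authenticode signature is missing or invalid. Misspelled names and suspicious embedded strings still need a human eye (or Process Explorer's Strings tab). The only assumption is an elevated prompt, needed to read the image path of most system processes.

```powershell
# Added example (not from the page or Sysinternals): bulk triage of running
# processes against the Process Explorer checklist. Run elevated so $p.Path is
# populated for system processes.
$sysRoot  = $env:SystemRoot
$users    = Join-Path $env:SystemDrive 'Users'
$sigCache = @{}   # verify each image once, however many instances are running

function Test-ImageSignature {
    param([string]$Path)
    if (-not $sigCache.ContainsKey($Path)) {
        # Status is 'Valid' for a good signature; 'NotSigned' can also appear for
        # catalog-signed files on older PowerShell, which Sigcheck (below) resolves.
        $sigCache[$Path] = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
    $sigCache[$Path]
}

$findings = foreach ($p in Get-Process | Where-Object { $_.Path }) {
    $reasons = @()

    # No description or company name in the version resource
    if ([string]::IsNullOrWhiteSpace($p.Description)) { $reasons += 'no description' }
    if ([string]::IsNullOrWhiteSpace($p.Company))     { $reasons += 'no company name' }

    # Executing from a user profile, or from the Windows directory itself.
    # System32 and SysWOW64 are left out: nearly every legitimate system process
    # lives there, so flagging them would bury the signal.
    if ($p.Path -like "$users\*") {
        $reasons += 'runs from user profile'
    } elseif ($p.Path -like "$sysRoot\*" -and
              $p.Path -notlike "$sysRoot\System32\*" -and
              $p.Path -notlike "$sysRoot\SysWOW64\*") {
        $reasons += 'runs from Windows dir'
    }

    # Unsigned or invalidly signed executable
    $status = Test-ImageSignature $p.Path
    if ($status -ne 'Valid') { $reasons += "signature: $status" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID     = $p.Id
            Name    = $p.ProcessName
            Path    = $p.Path
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Reasons -Descending | Format-Table -AutoSize -Wrap
```

A single hit is rarely conclusive; a process that collects several reasons at once (unsigned, no company name, running from a profile) is the one to open in Process Explorer first.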

AutoRuns

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
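The GUI is best for browsing, but the same inventory can be scripted with the console version, autorunsc. The block below is an added example (not from the page or from Sysinternals) that exports every auto-start category to CSV with signature verification and hashes, then filters for entries whose image is not signed by a verified publisher. The tool and output paths under C:\Tools are assumptions and are kept free of spaces because the command line is passed to cmd unquoted.

```powershell
# Added example (not from the page or Sysinternals): enumerate auto-start entries
# with autorunsc and surface the ones without a verified signature.
# Assumptions: autorunsc64.exe in C:\Tools; paths without spaces.
$autorunsc = 'C:\Tools\autorunsc64.exe'
$csv       = 'C:\Tools\autoruns.csv'

# -a *  all entry categories (Logon, Services, Drivers, Scheduled Tasks, ...)
# -c    CSV output        -h  file hashes        -s  verify digital signatures
# (-m would hide Microsoft-signed entries, but filtering in PowerShell keeps them
#  available for review.)
# Redirecting through cmd keeps autorunsc's native output intact in the file;
# Import-Csv picks up the byte-order mark it writes.
cmd /c "$autorunsc -accepteula -nobanner -a * -c -h -s > $csv"

$entries = Import-Csv -Path $csv

# The Signer column reads "(Verified) <publisher>" when the image's signature
# checks out and "(Not verified) <publisher>" otherwise; it is empty for entries
# whose image file could not be found, which are worth a look in their own right.
$suspect = $entries | Where-Object { $_.Signer -notlike '(Verified)*' }

$suspect |
    Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'SHA-256' |
    Sort-Object 'Entry Location' |
    Format-Table -AutoSize -Wrap

# Keep the full export: diffing two runs shows exactly which persistence
# locations changed between them.
"{0} entries total, {1} without a verified signer" -f $entries.Count, $suspect.Count
```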

Sigcheck

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file's status on VirusTotal (https://www.virustotal.com/), a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

ListDLLs

ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs.
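Sigcheck and ListDLLs answer the same question, whether code is signed by a trusted publisher, first on disk and then in process memory, so both sections are served by one added example below (not from the page or from Sysinternals). Sigcheck recursively scans a directory for unsigned executables and writes hashes and signer details to CSV; ListDLLs then lists unsigned DLLs across all running processes and shows which processes have loaded a named module. Tool paths, the scanned directory and the CSV location are assumptions, kept free of spaces because the sigcheck command line is passed to cmd unquoted, and `suspicious.dll` is a constructed placeholder name.

```powershell
# Added example (not from the page or Sysinternals): signature checks on disk
# with sigcheck and in memory with listdlls.
# Assumptions: tools in C:\Tools, paths without spaces, elevated prompt.
$sigcheck = 'C:\Tools\sigcheck64.exe'
$listdlls = 'C:\Tools\Listdlls64.exe'
$csv      = 'C:\Tools\sigcheck.csv'
$scanDir  = 'C:\Users'

# --- On disk -------------------------------------------------------------
# -e  executable images only   -s  recurse into subdirectories
# -u  show only unsigned files  -h  file hashes   -c  CSV output
# Add "-v -vt" to look each hash up on VirusTotal (accepting its terms); hashes
# are queried, nothing is uploaded unless "-vs" is used in place of "-v".
# Redirecting through cmd keeps sigcheck's native output intact in the file.
cmd /c "$sigcheck -accepteula -nobanner -e -s -u -h -c $scanDir > $csv"

$rows = Import-Csv -Path $csv
# "Verified" is "Signed" for a valid embedded or catalog signature; with -u the
# export holds only "Unsigned" files or ones whose chain failed to validate, and
# the reason is spelled out in that column.
$rows |
    Select-Object Path, Verified, Publisher, Description, SHA256 |
    Sort-Object Publisher, Path |
    Format-Table -AutoSize -Wrap

# --- In memory -----------------------------------------------------------
# -u  list only unsigned DLLs, across every process (add -v for version info)
& $listdlls -accepteula -u

# -d  show only the processes that have loaded the named DLL; useful once
#     sigcheck or a Sysmon event has named a module of interest.
#     (Constructed placeholder name; substitute the module you are tracing.)
& $listdlls -accepteula -d suspicious.dll
```

Reading the two together is the useful part: an unsigned file that sigcheck finds in a profile directory but that ListDLLs shows loaded into a signed, long-running process is a different finding from the same file sitting unused on disk.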