Detect the use of a new Sysinternal tool
New Sysinternal Tool Detected
Query
let SysInternalSuite = dynamic(["accesschk.exe","accesschk64.exe","AccessEnum.exe", "AdExplorer.exe","ADExplorer.exe","ADExplorer64.exe","ADInsight.chm","ADInsight.exe","ADInsight64.exe","adrestore.exe","adrestore64.exe","Autologon.exe","Autologon64.exe","autoruns.chm","Autoruns.exe","Autoruns64.exe","autorunsc.exe","autorunsc64.exe","Bginfo.exe","Bginfo64.exe","Cacheset.exe","Cacheset64.exe","Clockres.exe","Clockres64.exe","Contig.exe","Contig64.exe","Coreinfo.exe","Coreinfo64.exe","CPUSTRES.exe","CPUSTRES64.exe","ctrl2cap.amd.sys","ctrl2cap.exe","Dbgview.chm","Dbgview.exe","dbgview64.exe","Desktops.exe","Desktops64.exe","Disk2vhd.chm","disk2vhd.exe","disk2vhd64.exe","diskext.exe","diskext64.exe","Diskmon.exe","Diskmon64.exe","DiskView.exe","DiskView64.exe","du.exe","du64.exe","efsdump.exe","Eula.txt","FindLinks.exe","FindLinks64.exe","handle.exe","handle64.exe","hex2dec.exe","hex2dec64.exe","junction.exe","junction64.exe","ldmdump.exe","Listdlls.exe","Listdlls64.exe","livekd.exe","livekd64.exe","LoadOrd.exe","LoadOrd64.exe","LoadOrdC.exe","LoadOrdC64.exe","logonsessions.exe","logonsessions64.exe","movefile.exe","movefile64.exe","notmyfault.exe","notmyfault64.exe","notmyfaultc.exe","notmyfaultc64.exe","ntfsinfo.exe","ntfsinfo64.exe","pendmoves.exe","pendmoves64.exe","pipelist.exe","pipelist64.exe","portmon.exe","procdump.exe","procdump64.exe","procexp.chm","procexp.exe","procexp64.exe","procmon.chm","Procmon.exe","Procmon64.exe","PsExec.exe","PsExec64.exe","psfile.exe","psfile64.exe","PsGetsid.exe","PsGetsid64.exe","PsInfo.exe","PsInfo64.exe","pskill.exe","pskill64.exe","pslist.exe","pslist64.exe","PsLoggedon.exe","PsLoggedon64.exe","psloglist.exe","psloglist64.exe","pspasswd.exe","pspasswd64.exe","psping.exe","psping64.exe","PsService.exe","PsService64.exe","psshutdown.exe","psshutdown64.exe","pssuspend.exe","pssuspend64.exe","Pstools.chm","psversion.txt","RAMMap.exe","RAMMap64.exe","RDCMan.exe","readme.txt","RegDelNull.exe","RegDelNull64.exe","regjump.exe","ru.exe","ru64.exe","sdelete.exe","sdelete64.exe","ShareEnum.exe","ShareEnum64.exe","ShellRunas.exe","sigcheck.exe","sigcheck64.exe","streams.exe","streams64.exe","strings.exe","strings64.exe","sync.exe","sync64.exe","Sysmon.exe","Sysmon64.exe","tcpvcon.exe","tcpvcon64.exe","tcpview.chm","tcpview.exe","tcpview64.exe","Testlimit.exe","Testlimit64.exe","Vmmap.chm","vmmap.exe","vmmap64.exe","Volumeid.exe","Volumeid64.exe","whois.exe","whois64.exe","Winobj.exe","Winobj64.exe","ZoomIt.exe","ZoomIt64.exe"]);
let knownsysinternaltools = DeviceProcessEvents
| where FileName in~ (SysInternalSuite)
| where Timestamp between (ago(30d) .. ago(2d))
| distinct FileName;
DeviceProcessEvents
| where Timestamp > ago(2d)
| where FileName in~ (SysInternalSuite) and FileName !in~
(knownsysinternaltools)
| project
Timestamp,
DeviceName,
AccountDomain,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessCommandLine,
FolderPathAbout this query
Explanation
This query is designed to detect the use of Sysinternal tools that haven't been used recently on a network. It checks for any Sysinternal tool that has been executed in the last two days but hasn't been used in the previous 30 days (for Defender XDR) or 90 days (for Sentinel). Here's a simplified breakdown:
-
Sysinternal Tools List: The query defines a list of Sysinternal tools, which are utilities used for system diagnostics and troubleshooting.
-
Identify Known Tools: It first identifies which of these tools have been used in the past 30 days (for Defender XDR) or 90 days (for Sentinel) and marks them as "known."
-
Detect New Usage: The query then looks at the last two days of activity to find any Sysinternal tools that have been used but were not part of the "known" list. This helps in identifying any new or unusual usage of these tools.
-
Output Details: For any newly detected tool usage, the query outputs details such as the time it was used, the device name, account information, the tool's file name, and the command line used to execute it.
This approach helps in monitoring and potentially identifying suspicious or unauthorized use of Sysinternal tools within a network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators