Introduction

In this video walk-through, we covered several of the Microsoft Sysinternals tools that can be used to investigate a Windows host for the presence of malware.

Learn to use the Sysinternals tools to analyze Windows systems and applications.

What are the tools known as Sysinternals?

The Sysinternals suite is a collection of more than 70 Windows tools. Each tool falls into one of the following categories:

  • File and Disk Utilities
  • Networking Utilities
  • Process Utilities
  • Security Utilities
  • System Information
  • Miscellaneous


The Sysinternals tools and their website (sysinternals.com) were created by Mark Russinovich in the late 1990s, together with Bryce Cogswell, under their company Winternals Software.

In 2006, Microsoft acquired Winternals Software, and Mark Russinovich joined Microsoft. Today he is the CTO of Microsoft Azure.

Mark Russinovich made headlines in 2005 when he reported that Sony BMG was embedding a rootkit in its music CDs as part of their copy-protection software. He found it while testing RootkitRevealer, one of the Sysinternals tools. You can read more about that in his blog post "Sony, Rootkits and Digital Rights Management Gone Too Far".

He also discovered in 2006 that Symantec's Norton SystemWorks was using rootkit-like technology to hide a directory from the file system. You can read more about that here.

The Sysinternals tools are extremely popular among IT professionals who manage Windows systems. They are so popular that red teamers and real adversaries use them too. Throughout this room, I'll note which tools MITRE ATT&CK lists as having been used by adversaries.

The goal of this room is to introduce you to a handful of Sysinternals tools with the hopes that you will expand on this knowledge with your own research and curiosity.

Room Answers

  • When did Microsoft acquire the Sysinternals tools?
  • What is the last tool listed within the Sysinternals Suite?
  • What service needs to be enabled on the local host to interact with live.sysinternals.com?
  • There is a txt file on the desktop named file.txt. What is the text within the ADS?
  • Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above?
  • What entry was updated?
  • What is the updated value?
  • Run the Strings tool on ZoomIt.exe. What is the full path to the .pdb file?
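As an added example (not the room's own material or the author's code), the following PowerShell shows how a practitioner would approach three of the tasks above: making sure the WebClient service is running so the live.sysinternals.com WebDAV share can be browsed, enumerating and reading alternate data streams on file.txt, and running Strings against ZoomIt.exe to pull out the embedded .pdb path. The file locations (the Desktop path for file.txt, C:\Tools for ZoomIt.exe) are assumptions; the script must run in an elevated prompt because it may start a service.

```powershell
# Added example for the room tasks above; not code from the room or the post.
# Paths marked "assumed" are illustrative and not taken from the page.

# 1. live.sysinternals.com is served over WebDAV, so the WebClient service
#    must be running before the UNC path can be reached.
$svc = Get-Service -Name WebClient
if ($svc.Status -ne 'Running') {
    Start-Service -Name WebClient
}
Get-ChildItem '\\live.sysinternals.com\tools' | Select-Object -First 5 Name

# 2. Alternate Data Streams: every file has the unnamed :$DATA stream; any
#    other stream listed here is an ADS, and its content is read out.
$target = Join-Path $env:USERPROFILE 'Desktop\file.txt'   # assumed location
Get-Item -Path $target -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        "[ADS] $($_.Stream) ($($_.Length) bytes):"
        Get-Content -Path $target -Stream $_.Stream
    }

# 3. Strings: dump printable strings from ZoomIt.exe (run straight from the
#    WebDAV share) and keep only those ending in .pdb, which is the debug
#    symbol path the compiler embedded in the binary. -q suppresses the banner.
$strings = '\\live.sysinternals.com\tools\strings.exe'
$zoomit  = 'C:\Tools\ZoomIt.exe'                           # assumed location
& $strings -accepteula -q $zoomit | Select-String -Pattern '\.pdb$'
```

If the WebClient service is disabled rather than stopped, set its startup type first (`Set-Service -Name WebClient -StartupType Manual`) before starting it; the share will not resolve at all until WebDAV is available on the host.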

Video Walk-through
About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.