Sysinternal tool execution
Introduction
Sysinternals tools are a suite of advanced system utilities developed by Microsoft to help IT professionals monitor, troubleshoot, and manage Windows systems. However, these powerful tools can also be misused by attackers to bypass security controls, escalate privileges, or execute commands stealthily.
KQL
let SysInternalSuite = dynamic(["accesschk.exe","accesschk64.exe","AccessEnum.exe", "AdExplorer.exe","ADExplorer.exe","ADExplorer64.exe","ADInsight.chm","ADInsight.exe","ADInsight64.exe","adrestore.exe","adrestore64.exe","Autologon.exe","Autologon64.exe","autoruns.chm","Autoruns.exe","Autoruns64.exe","autorunsc.exe","autorunsc64.exe","Bginfo.exe","Bginfo64.exe","Cacheset.exe","Cacheset64.exe","Clockres.exe","Clockres64.exe","Contig.exe","Contig64.exe","Coreinfo.exe","Coreinfo64.exe","CPUSTRES.exe","CPUSTRES64.exe","ctrl2cap.amd.sys","ctrl2cap.exe","Dbgview.chm","Dbgview.exe","dbgview64.exe","Desktops.exe","Desktops64.exe","Disk2vhd.chm","disk2vhd.exe","disk2vhd64.exe","diskext.exe","diskext64.exe","Diskmon.exe","Diskmon64.exe","DiskView.exe","DiskView64.exe","du.exe","du64.exe","efsdump.exe","Eula.txt","FindLinks.exe","FindLinks64.exe","handle.exe","handle64.exe","hex2dec.exe","hex2dec64.exe","junction.exe","junction64.exe","ldmdump.exe","Listdlls.exe","Listdlls64.exe","livekd.exe","livekd64.exe","LoadOrd.exe","LoadOrd64.exe","LoadOrdC.exe","LoadOrdC64.exe","logonsessions.exe","logonsessions64.exe","movefile.exe","movefile64.exe","notmyfault.exe","notmyfault64.exe","notmyfaultc.exe","notmyfaultc64.exe","ntfsinfo.exe","ntfsinfo64.exe","pendmoves.exe","pendmoves64.exe","pipelist.exe","pipelist64.exe","portmon.exe","procdump.exe","procdump64.exe","procexp.chm","procexp.exe","procexp64.exe","procmon.chm","Procmon.exe","Procmon64.exe","PsExec.exe","PsExec64.exe","psfile.exe","psfile64.exe","PsGetsid.exe","PsGetsid64.exe","PsInfo.exe","PsInfo64.exe","pskill.exe","pskill64.exe","pslist.exe","pslist64.exe","PsLoggedon.exe","PsLoggedon64.exe","psloglist.exe","psloglist64.exe","pspasswd.exe","pspasswd64.exe","psping.exe","psping64.exe","PsService.exe","PsService64.exe","psshutdown.exe","psshutdown64.exe","pssuspend.exe","pssuspend64.exe","Pstools.chm","psversion.txt","RAMMap.exe","RAMMap64.exe","RDCMan.exe","readme.txt","RegDelNull.exe","RegDelNull64.exe","regjump.exe","ru.exe","ru64.exe","sdelete.exe","sdelete64.exe","ShareEnum.exe","ShareEnum64.exe","ShellRunas.exe","sigcheck.exe","sigcheck64.exe","streams.exe","streams64.exe","strings.exe","strings64.exe","sync.exe","sync64.exe","Sysmon.exe","Sysmon64.exe","tcpvcon.exe","tcpvcon64.exe","tcpview.chm","tcpview.exe","tcpview64.exe","Testlimit.exe","Testlimit64.exe","Vmmap.chm","vmmap.exe","vmmap64.exe","Volumeid.exe","Volumeid64.exe","whois.exe","whois64.exe","Winobj.exe","Winobj64.exe","ZoomIt.exe","ZoomIt64.exe"]);
DeviceProcessEvents
| where FileName in~ (SysInternalSuite)
| where Timestamp > ago(30d)
| summarize count() by FileName
| render piechart with(title="Sysinternal Tool Usage")
Reference: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/Visualizations/Visualization%20-%20SysinternalToolUsage.md