The Sysinternals Suite: a set of legitimate tools designed to make system administrators' lives easier. However, oftentimes system administrators are not alone: attackers really love these tools too! This presentation will take a hard look at how attackers, both legal and not, are bending the Sysinternals suite to their will. Without needing any 0-days, custom malware, or advanced knowledge of network topology, attackers are moving through compromised networks with skill and ease. We're going to expose how attackers are utilizing these tools, and the common flaws that we see within many networks. We won't name names, but it might get embarrassing! We'll look at how the red team can use these tools to blend in too.
We're also going to discuss common forensic artifacts these tools leave behind, and how our blue teamers can up their game and make sure that the lowest-hanging fruit isn't the most ignored fruit. While this knowledge may seem trivial to some, we are still seeing advanced attackers using these tools on a daily basis. The goal of this presentation is to help the red team find some new tools, and help the blue team defend a bit better against these commonly abused tools.
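As an added example (not from the talk or from Sysinternals), here is a small PowerShell check for two of the well-known artifacts that Sysinternals tools leave on a Windows host: the per-user `EulaAccepted` value written under `HKCU\Software\Sysinternals\<ToolName>` the first time a tool runs (or when `-accepteula` is passed), and Prefetch files named after the tool's executable. The list of tool names below is illustrative, and the function assumes it runs with rights to read other users' loaded hives under `HKEY_USERS` and the `C:\Windows\Prefetch` directory; adjust both to your environment.

```powershell
# Added example: triage a host for common Sysinternals usage artifacts.
# Not part of the presentation; tool names and paths are assumptions to adapt.

function Get-SysinternalsEulaArtifacts {
    # Each loaded user hive may carry HKU\<SID>\Software\Sysinternals\<Tool>\EulaAccepted.
    [CmdletBinding()]
    param()

    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $root = "Registry::HKEY_USERS\$sid\Software\Sysinternals"
            if (Test-Path $root) {
                Get-ChildItem -Path $root | ForEach-Object {
                    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        Artifact     = 'Registry'
                        UserSid      = $sid
                        Tool         = $_.PSChildName
                        EulaAccepted = $props.EulaAccepted
                    }
                }
            }
        }
}

function Get-SysinternalsPrefetchArtifacts {
    # Prefetch records look like PSEXEC.EXE-<hash>.pf; the LastWriteTime is the last run.
    [CmdletBinding()]
    param(
        [string]$PrefetchDir = "$env:SystemRoot\Prefetch",
        # Illustrative subset of Sysinternals executables (assumption, extend as needed).
        [string[]]$ToolNames = @('PSEXEC', 'PSEXEC64', 'PROCDUMP', 'PROCDUMP64',
                                 'SDELETE', 'SDELETE64', 'PSLOGGEDON', 'PSSERVICE')
    )

    if (-not (Test-Path $PrefetchDir)) { return }

    foreach ($name in $ToolNames) {
        Get-ChildItem -Path $PrefetchDir -Filter "$name.EXE-*.pf" -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Artifact = 'Prefetch'
                    Tool     = $name
                    File     = $_.Name
                    LastRun  = $_.LastWriteTime
                }
            }
    }
}

# Usage: collect both artifact types and present them in one table.
$findings = @(Get-SysinternalsEulaArtifacts) + @(Get-SysinternalsPrefetchArtifacts)
if ($findings.Count -eq 0) {
    Write-Host 'No Sysinternals EULA or Prefetch artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Neither artifact proves malice on its own: administrators run these tools legitimately, which is exactly the blending-in problem the talk describes. The value is in correlating a `EulaAccepted` marker under an unexpected user's SID, or a Prefetch entry on a host where no administrator should have run the tool, with other timeline evidence.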