Saturday, November 21, 2015

Useful Sysinternals Tools for Malware Hunting in Windows OS

Some of the tools in Sysinternals suite are very useful for securing as well as for identifying any malicious activities in Windows operating system.

I have listed the tools, that I frequently use for malware hunting.

Download windows Sysinternals suite and explore the listed tools for malware hunting and securing your windows system.

Tools
Description
AccessEnum
This tool shows access permission of user accounts to the directories, files and Registry keys on the system. Users can use it to find ACL permission holes
EFSDump
View information for encrypted files
MoveFile
Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files
PendMoves
See what files are scheduled for delete or rename the next time the system boots
Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time
Psfile
See what files are opened remotely
Sdelete
Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program
ShareEnum
Scan file shares on your network and view their security settings to close security holes
Sigcheck
Dump file version information and verify that images on your system are digitally signed
Ping
Measures network performance
TCPview
Active socket command-line viewer
Whois
See who owns an Internet address
Autoruns
See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

Handle
This handy command-line utility will show you what files are open by which processes, and much more
ListDLLs
List all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded 
ProcDump
This new command-line utility is aimed at capturing process dumps of otherwise difficult to isolate and reproduce CPU spikes. It also serves as a general process dump creation utility and can also monitor and generate process dumps when a process has a hung window or unhandled exception
Process Explorer
Find out what files, registry keys, and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
Psexec
Execute processes remotely
Pskill
Terminate local or remote processes
Pslist
Show information about processes and threads
Psservice
View and control services
Pssuspend
Suspend and resume processes
Shellrunas
Launch programs as a different user via a convenient shell context-menu entry
Autologon
Bypass password screen during logon
LogonSessions
List active logon sessions
PsLoggedOn
Show users logged on to a system
Psinfo
Obtain information about a system
Strings
Search for ANSI and UNICODE strings in binary images.