SysInternals

Table of Contents

Accessing the tool suite

The complete SysInternals Suite is available online at the following two locations:

This means that you can execute any tool using its online UNC path as long as the target system has access to the Internet.

Example:

C:\Users\betelsam>\\live.sysinternals.com\tools\ADExplorer.exe

You might need to “mount” the share before being able to run the tool from their UNC path.

net use \\live.sysinternals.com\tools

ADExplorer

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.

Offensive usage:

Create snapshot from the command-line:

ADExplorer.exe -snapshot "" <SNAPSHOT.DAT PATH>

Reference: https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/

ProcDump

ProcDump can serve as a general process dump utility (i.e. for lsass.exe).

procdump.exe -accepteula -ma <PROCESS> <DUMP FILE>

Requires local administrative privileges.

ProcExp

Process Explorer is a kind of task manager on steroid. Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

Process Explorer also allows you to create memory dump of proccesses.

PsLoggedOn

PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.

psloggedon.exe \\<COMPUTER>
psloggedon.exe <USERNAME>

Strings

Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. It basically does the same than its Unix equivalent.

Autoruns / Autorunsc

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players.

Useful to find custom executables or batch scripts that could be exploited to escalate privileges locally on the target system when used in conjunction with AccessChk.

Command Line Usage

In order to get the same functionnality via the command line:

autorunsc.exe -a * <OPTIONS ...>
Option Description
-c Print output as CSV
-ct Print output as tab-delimited values
-x Print output as XML
-m Hide Microsoft entries
-vt Query hashes on VirusTotal

AccessChk

As a part of ensuring that they’ve created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

accesschk.exe -accepteula -qu <TYPE> <OPTIONS> <USERNAME> <FILE, DIRECTORY, REGISTRY KEY, PROCESS, SERVICE, OBJECT>
Type Description
(default) Query a file or directory (local or UNC)
-c Query a Windows Service
-p Query a process name
-h Query a file or printer share
-k Query a registrey key (i.e. hklm\software)
Option Description
-s Recurse
-n Show only objects that have no access
-r Show only objects that have read access
-w Show only objects that have write access

Find write permissions of user within path:

accesschk.exe -accepteula -u -sw <USERNAME> <LOCAL PATH/UNC PATH>

Find read permissions of user within share:

accesschk.exe -accepteula -u -sr <USERNAME> \\<HOSTNAME>\<SHARE>

Find permissions on all services:

accesschk.exe -accepteula -u -c <USERNAME> *

Find permissions on all local shares:

accesschk.exe -accepteula -u -h <USERNAME> *

AccessEnum

There’s no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary.

This is basically the GUI equivalent of AccessChk.

SigCheck

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal.

Useful to find a program version number and search for known exploits.

sigcheck.exe -a <OPTIONS> <FILE or DIRECTORY>
Option Description
-c Print output as CSV
-ct Print output as tab-delimited values
-x Print output as XML
-h Show file hashes
-s Recurse subdirectories
-u Show unsigned only
-e Scan executable images only (regardless of their extension)
-vt Query hashes on VirusTotal