The Life and Times of SysInternals | How One Developer Changed the Face of Malware Analysis
When we first set down the idea of starting a SentinelLabs conference, we decided that the central tenet of the con would be to create a stage to showcase the best research, recognize potential contributions, and amplify them. As LABScon evolved and we were crafting the agenda, Ryan Naraine and I developed a shortlist of ‘dream talks’ we’d love to see on the first day Keynote stage. One idea that kept percolating up to the top was ‘can we get Mark Russinovich to give us a history of SysInternals?’ We eventually realized that, more than a talk, we were expressing a lasting admiration that deserves greater recognition. So as we set about convincing Mark to join our stage for this coveted talk, we sneakily set about creating our first ‘LABScon Lifetime Achievement Award’.

Mark Russinovich is now a recognizable commodity in the computing industry and prominently holds the position of Microsoft Azure’s Chief Technology Officer, but to the malware analysis industry he’s a different figure altogether: Mark is the father of the SysInternals Suite. Early Windows sysadmins and malware analysts came to rely on this handy suite of tools for their day-to-day work. The suite includes well-known tools like Process Explorer, System Monitor (Sysmon), and Process Monitor (ProcMon). Though malware analysis is now a well-established subset of reverse engineering, it originally arose in part from using utilities to track OS quirks as they interacted with malware. To this day, dynamic analysis 101s kick off with SysInternals tools.

As Mark mentions in the talk, defenders weren’t the only ones that saw the utility of SysInternals tools. Attackers have also adopted tools like PsExec and SDelete for crucial parts of their operations. PsExec started out as a tool to allow sysadmins to execute commands remotely. Those admins in turn realized its convenient ability to spawn remote processes. That same ability is now enthusiastically applied by ransomware operators and other attackers looking to move laterally and spread across an enterprise.

More recently, as cyber operations pepper the Ukrainian landscape in the midst of the Russian invasion, not all wipers have been purpose-built by the attackers. On top of the approximately 15 wipers (that we know of) being used in Ukraine since February 2022, MSTIC researchers also spotted abuse of SDelete in data destruction operations. While SDelete was designed as a utility to securely erase files on Windows systems, it’s just as useful to threat actors like ‘IRIDIUM’ who’ll rename it ‘cdel.exe’ and effectively use it as a wiper. More recently, ESET also announced their discovery of a new wiper based on SDelete that they call ‘NikoWiper’, used against the Ukrainian energy sector. Abusing great tools is a staple of the dual-use nature of technology, but it’s undeniable that the SysInternals Suite has done orders of magnitude more good in the hands of sysadmins, defenders, and malware analysts.

Mark was also kind enough to share a demo preview of a special capability meant to address some of these abuses (kept as TLP:RED) for the LABScon audience. It’s worth noting as an example of Mark’s continued commitment to the SysInternals tools, as he continues to contribute features and bug fixes to this day. It’s in that spirit of appreciation that we recognize Mark Russinovich as the recipient of our first LABScon Lifetime Achievement Award. We hope you’ll join us in congratulating him and enjoy his keynote: ‘The Life and Times of SysInternals’.
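The renaming trick the post describes (SDelete shipped as ‘cdel.exe’) leaves a detectable seam: the PE version resource still carries the original name, which Sysmon surfaces as `OriginalFileName` in its process-creation events. The following detection logic is an added example, not code from SentinelLabs, Microsoft or the Sysinternals project; the `WATCHED` names and the sample records are constructed, and the exact metadata values Sysmon reports for these tools are an assumption to verify against your own telemetry.

```python
import ntpath
from typing import Dict, List, Tuple

# Sysinternals tools the post names as attacker-adopted, keyed by the name
# stored in their PE version resource (OriginalFileName). Assumption: these
# are the values Sysmon reports for them; confirm against real telemetry.
WATCHED = {
    "sdelete.exe": "secure-delete utility usable as a wiper",
    "psexesvc.exe": "PsExec service binary (remote command execution)",
}


def _stem(name: str) -> str:
    """Lower-case file stem with a trailing '64' dropped, so that a
    legitimately named sdelete64.exe is not flagged as a rename."""
    stem = ntpath.splitext(ntpath.basename(name))[0].lower()
    return stem[:-2] if stem.endswith("64") else stem


def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Inspect one Sysmon Event ID 1 (process creation) record and return
    (severity, reason) findings. The key signal is a mismatch between the
    on-disk name (Image) and the compiled-in name (OriginalFileName)."""
    findings: List[Tuple[str, str]] = []
    original = ev.get("OriginalFileName", "").lower()
    image = ev.get("Image", "")
    if original not in WATCHED:
        return findings
    if _stem(image) != _stem(original):
        findings.append(("high", f"{WATCHED[original]} renamed on disk: {image}"))
    if original == "psexesvc.exe":
        findings.append(("medium", f"PsExec service started: {image}"))
    else:
        findings.append(("medium", f"SDelete executed: {ev.get('CommandLine', '')}"))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run check_event over a batch and return (image, severity, reason)."""
    return [(ev["Image"], sev, why) for ev in events for sev, why in check_event(ev)]


# Constructed sample records modelled on Sysmon process-creation fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\cdel.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"cdel.exe -accepteula C:\data"},
    {"Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete64.exe -accepteula C:\old\cache.tmp"},
    {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]
```

The medium-severity hits are meant to be tuned against where admins legitimately run these tools; the high-severity rename hit rarely has a benign explanation.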