
Sysinternals and Windows Tools

Christian Urcuqui edited this page Feb 23, 2022 · 5 revisions

There are several tools that let us study the behavior of processes with the objective of identifying malicious actions.

https://docs.microsoft.com/en-us/sysinternals/downloads/

  • Sigcheck is a command-line utility that shows the file version number, timestamp information, and digital signature details, including certificate chains
  • Streams lists Alternate Data Streams (ADS), a file attribute specific to Windows NTFS (New Technology File System)
  • SDelete is a command-line utility that allows you to delete one or more files
  • resmon is a command that is used to call the Resource Monitor.
  • tcpview
  • Autoruns shows what programs are configured to run during system bootup
    • autoruns -accepteula
  • ProcDump is a command-line utility for monitoring application CPU spikes and generating crash dumps
  • Process Explorer
  • Process Monitor shows real-time file-system, registry, and process/thread activity.
    • procmon -accepteula
  • PsExec is a light-weight telnet replacement that lets us execute processes on other systems
  • Sysmon (System Monitor), "it is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network" Link
  • WinObj provides information on the NT Object Manager's namespace.
  • BgInfo shows information about a Windows computer on the Desktop's background.
  • RegJump
  • strings
    • strings ZoomIt.exe | findstr /i .pdb
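As an added example (not code from this wiki or from Microsoft), the following PowerShell script parses one Sysmon Event ID 1 (process creation) record in the XML layout that Get-WinEvent's ToXml() returns, and applies two triage rules to it. The sample record is constructed, and the rules, function names and paths are assumptions, not part of Sysmon.

```powershell
# Added example: parse a Sysmon Event ID 1 record and apply two assumed triage rules.

function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Sysmon stores each field as <Data Name="...">value</Data> under EventData.
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.InnerText }
    [pscustomobject]@{
        UtcTime     = $fields['UtcTime']
        Image       = $fields['Image']
        CommandLine = $fields['CommandLine']
        ParentImage = $fields['ParentImage']
    }
}

function Get-ProcessCreateFlags {
    param([Parameter(Mandatory)]$Record)
    $flags = @()
    # Rule 1 (assumed): executable launched from a user-writable folder.
    if ($Record.Image -match '\\(AppData|Temp|Downloads)\\') {
        $flags += 'image under user-writable path'
    }
    # Rule 2 (assumed): shell or script host spawned by an Office application.
    if ($Record.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$' -and
        $Record.Image -match '\\(cmd|powershell|wscript|cscript|mshta)\.exe$') {
        $flags += 'script host spawned by Office'
    }
    return $flags
}

# Constructed sample record (not a real capture); namespace and layout follow ToXml().
$sampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2022-02-23 10:00:00.000</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="CommandLine">update.exe /silent</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
'@

$record = ConvertFrom-SysmonProcessCreate $sampleXml
$flags  = Get-ProcessCreateFlags $record
if ($flags) { "{0} -> {1}" -f $record.Image, ($flags -join '; ') }

# On a host with Sysmon installed, read the operational log instead of the sample:
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} -MaxEvents 200 |
#   ForEach-Object { ConvertFrom-SysmonProcessCreate ([xml]$_.ToXml()) } |
#   Where-Object { Get-ProcessCreateFlags $_ }
```

The sample record triggers only the first rule, since the child image is not a script host; hashes from the same record can be checked against Sigcheck output if you add the Hashes field.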

There are other tools that can be searched at Link

References