Sysinternals Suite

Microsoft

Process Explorer, Autoruns, Procmon and friends — essential Windows internals toolkit.

Endpoint Analysis Built-in OS GUI Learning Windows

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
  • 1 Reconnaissance
  • 2 Weaponization
  • 3 Delivery
  • 4 Exploitation
  • 5 Installation
  • 6 Command & Control
  • 7 Actions on Objectives

Defender — IR Lifecycle
  • 8 Detection / Monitoring
  • 9 Containment & Eradication
  • 10 Post-incident Forensics

Description

The Sysinternals Suite (Mark Russinovich, Microsoft) is the indispensable toolkit for Windows analysts. CySA+ candidates should know the role of each headline tool:

  • Process Explorer — a supercharged Task Manager: signed binaries, loaded DLLs, VirusTotal lookups, parent/child trees.
  • Process Monitor (Procmon) — file/registry/network activity in real time, with filters; primary tool for behavioural analysis.
  • Autoruns — every autostart location in Windows (Run keys, services, scheduled tasks, BHOs, AppInit DLLs, …).
  • Sysmon — kernel driver + service that emits rich Event Log entries (process create, network connect, file create-time changes, registry).
  • TCPView — live socket viewer.
  • PsExec — remote command execution (frequently abused by attackers; SOC analysts must recognise PsExec service install events).

Use cases

  • Live triage of a suspect Windows host
  • Building Sysmon-driven detections in a SIEM
  • Recognising attacker abuse patterns (PsExec, Procdump on LSASS)

Example

# Install Sysmon with a community config
Sysmon64.exe -accepteula -i sysmonconfig-export.xml
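As an added example (not part of the original entry or of Sysinternals) of the third use case above, the script below runs a small PsExec-abuse detection over constructed Sysmon records: the PSEXESVC.exe service binary being written (Event ID 11), started under services.exe (Event ID 1) and then spawning a child shell. The event dicts, user names and paths are made up for the example; only the Sysmon field names (Image, ParentImage, CommandLine, TargetFilename, User) are real.

```python
import ntpath
from typing import Dict, List

# Constructed sample Sysmon records (Event ID 1 = ProcessCreate, 11 = FileCreate),
# keyed by the field names Sysmon writes into EventData. All values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": r"CORP\alice"},
    {"EventID": "11", "Image": "System",
     "TargetFilename": r"C:\Windows\PSEXESVC.exe"},
]

PSEXEC_SERVICE_BINARY = "psexesvc.exe"  # default service binary PsExec copies to ADMIN$


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect_psexec(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per event matching a PsExec service pattern."""
    alerts: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "1":  # ProcessCreate
            if _basename(ev.get("Image", "")) == PSEXEC_SERVICE_BINARY:
                alerts.append(f"PsExec service started: {ev['Image']} "
                              f"(parent {ev.get('ParentImage')})")
            elif _basename(ev.get("ParentImage", "")) == PSEXEC_SERVICE_BINARY:
                alerts.append(f"Process spawned by PsExec service: "
                              f"{ev.get('CommandLine')} as {ev.get('User')}")
        elif eid == "11":  # FileCreate: binary dropped over SMB before the service starts
            if _basename(ev.get("TargetFilename", "")) == PSEXEC_SERVICE_BINARY:
                alerts.append(f"PsExec service binary written: {ev['TargetFilename']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec(SAMPLE_EVENTS):
        print(alert)
```

Because PsExec's -r switch lets the caller rename the service, a name match alone is not sufficient; correlate these Sysmon hits with the System log's service-install event (Event ID 7045) so a renamed service is still caught.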