HYLAS // SYSREF
SYSINTERNALS REFERENCE & SECURITY ANALYSIS HUB
v1.0
Sysinternals is Microsoft's suite of advanced Windows diagnostics and forensics tools — the standard toolkit for incident responders, malware analysts, and penetration testers. Each tool page covers command syntax, key output fields, red team use cases (how attackers abuse the tool), and blue team indicators (what defenders look for). These tools expose the Windows internals most malware attempts to hide in.
// PROCESS & SYSTEM INSPECTION
AUTORUNS [PERSISTENCE]
Autoruns.exe / Autoruns64.exe / autorunsc.exe
Shows every program configured to run at system startup or login — the most comprehensive autostart viewer available. Essential for persistence hunting.
Tags: Malware persistence · Registry run keys · Baseline comparison · VirusTotal integration · Scheduled tasks
PROCESS EXPLORER [FORENSICS]
procexp.exe / procexp64.exe
Advanced task manager showing full process trees, loaded DLLs, open handles, and memory maps. Replaces Task Manager for serious analysis.
Tags: DLL injection · Process hollowing · Parent/child trees · VirusTotal hashes · Suspicious handles
HANDLE / LISTDLLS [HANDLES & DLLS]
handle.exe / handle64.exe / Listdlls.exe
Handle shows what files, registry keys, and objects a process has open. ListDLLs shows every DLL loaded in running processes — critical for DLL hijack detection.
Tags: DLL hijacking · Locked file forensics · Open handle audit · Unsigned DLLs
// NETWORK & PORT TOOLS
PORTMON [SERIAL / PARALLEL]
portmon.exe
Monitors serial and parallel port activity in real time. Rarely used for routine admin — but critical for detecting hardware implants, BadUSB devices, and rogue COM port traffic.
Tags: BadUSB detection · Hardware implants · COM port audit · Keystroke loggers
// REMOTE ADMINISTRATION & LATERAL MOVEMENT
PSTOOLS SUITE [LATERAL MOVEMENT]
PsExec, PsInfo, PsList, PsKill, PsLoggedon, PsLogList, PsPing, PsService, PsShutdown…
Remote administration tools most commonly seen in attacker playbooks for lateral movement, privilege escalation, and post-exploitation. Understand what they do and how to detect them.
Tags: Lateral movement · Remote execution · SIEM detection rules · Log artefacts · Living-off-the-land