Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Sigma rule

title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
    Detects execution of Sysinternals tools via an AppX package.
    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low
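The following is an added example, not part of the Sigma rule above or of the SigmaHQ project: a stand-alone Python evaluation of the rule's `selection` over already-parsed AppModel-Runtime event records. It assumes a SIEM has parsed each event into a dict carrying the two fields the rule names, `EventID` and `ImageName`; the `User` field and the `excluded_users` tuning hook are hypothetical additions that illustrate the "apply exclusions as needed" advice from the falsepositives section, and the sample records are constructed, not real telemetry.

```python
# Added example (not the rule's or SigmaHQ's code). Evaluates the rule's
# selection over parsed event dicts and shows where a false-positive
# exclusion would be applied.

# Sigma string comparisons are case-insensitive by default, so the watched
# image names are normalised to lowercase once and compared that way.
WATCHED_IMAGES = {
    name.lower()
    for name in ("procdump.exe", "psloglist.exe", "psexec.exe",
                 "livekd.exe", "ADExplorer.exe")
}
WATCHED_EVENT_ID = "201"


def matches_rule(event, excluded_users=frozenset()):
    """Return True when `event` satisfies the rule's `selection`.

    `excluded_users` is a hypothetical tuning hook (not part of the rule):
    events from those accounts are dropped, mirroring the rule's advice to
    add exclusions for legitimate Store-installed Sysinternals usage.
    """
    # EventID may arrive as an int or a string depending on the parser;
    # compare as text so both forms match.
    if str(event.get("EventID", "")) != WATCHED_EVENT_ID:
        return False
    image = event.get("ImageName")
    if not isinstance(image, str) or image.lower() not in WATCHED_IMAGES:
        return False
    # Hypothetical exclusion step; `User` is an assumed field.
    user = event.get("User", "")
    if isinstance(user, str) and user.lower() in {u.lower() for u in excluded_users}:
        return False
    return True


def evaluate(events, excluded_users=frozenset()):
    """Return the events that match the rule, in input order."""
    return [e for e in events if matches_rule(e, excluded_users)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 201, "ImageName": "psexec.exe", "User": "CORP\\jdoe"},
    {"EventID": 201, "ImageName": "PROCDUMP.EXE", "User": "CORP\\svc-debug"},
    {"EventID": 201, "ImageName": "notepad.exe", "User": "CORP\\jdoe"},
    {"EventID": 200, "ImageName": "psexec.exe", "User": "CORP\\jdoe"},
    {"EventID": 201, "User": "CORP\\jdoe"},  # no ImageName field at all
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} ImageName={hit['ImageName']} "
              f"User={hit['User']}")
    print("after excluding CORP\\svc-debug:",
          [h["ImageName"] for h in evaluate(SAMPLE_EVENTS, {"CORP\\svc-debug"})])
```

Of the five constructed records only the first two match: the third is an unwatched image, the fourth has a different EventID, and the fifth lacks `ImageName` entirely. Passing an exclusion set for the debugging service account removes the procdump hit, which is the kind of tuning the rule's low level anticipates.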
Related rules
- Renamed Schtasks Execution
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- PUA - AdvancedRun Execution
- Powershell Executed From Headless ConHost Process
- Renamed CURL.EXE Execution