Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
Sigma rule
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the applications from the Windows Store
level: low
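To show what the selection above actually matches, here is an added example (not part of the rule or the SigmaHQ project) that evaluates it against a handful of constructed AppModel-Runtime events. It follows the Sigma matching semantics the rule relies on: every field in a selection map must match (AND), a list of values for one field is an OR, string comparison is case-insensitive, and values without `*` or `?` are exact matches. The event dictionaries, the `Provider` field and the helper names are assumptions for illustration only.

```python
"""Evaluate the Sigma selection from the rule above against sample events.
Added example; the event records below are constructed, not real log data."""
import re

# Selection copied from the rule: EventID 201 AND one of these image names (OR).
SELECTION = {
    "EventID": [201],
    "ImageName": ["procdump.exe", "psloglist.exe", "psexec.exe", "livekd.exe", "ADExplorer.exe"],
}


def _field_matches(event_value, patterns):
    """Sigma string semantics: case-insensitive, '*' and '?' are wildcards.
    Integer patterns (such as EventID) are compared numerically."""
    for pattern in patterns:
        if isinstance(pattern, int):
            if str(event_value) == str(pattern):
                return True
            continue
        # Escape the pattern, then turn the escaped Sigma wildcards into regex.
        regex = re.escape(str(pattern)).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, str(event_value), re.IGNORECASE):
            return True
    return False


def selection_matches(event, selection=SELECTION):
    """A selection map matches when every listed field is present and matches."""
    return all(
        field in event and _field_matches(event[field], values)
        for field, values in selection.items()
    )


# Constructed sample events (assumed shape; only EventID and ImageName are from the rule).
SAMPLE_EVENTS = [
    {"EventID": 201, "Provider": "Microsoft-Windows-AppModel-Runtime", "ImageName": "PsExec.exe"},
    {"EventID": 201, "Provider": "Microsoft-Windows-AppModel-Runtime", "ImageName": "procdump.exe"},
    {"EventID": 201, "Provider": "Microsoft-Windows-AppModel-Runtime", "ImageName": "notepad.exe"},
    {"EventID": 200, "Provider": "Microsoft-Windows-AppModel-Runtime", "ImageName": "psexec.exe"},
    {"EventID": 201, "Provider": "Microsoft-Windows-AppModel-Runtime", "ImageName": "psexec64.exe"},
]


def find_hits(events):
    """Return the ImageName of every event the rule's selection fires on."""
    return [event["ImageName"] for event in events if selection_matches(event)]


if __name__ == "__main__":
    for name in find_hits(SAMPLE_EVENTS):
        print("hit:", name)
```

Two things the run makes visible: `PsExec.exe` is a hit despite the different capitalisation, because Sigma string matching is case-insensitive, while `psexec64.exe` is not, because the rule lists exact file names without wildcards. Anyone tuning this rule should decide deliberately whether such name variants are in scope rather than assume the list covers them.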