Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite from the Windows Store to get access to tools such as PsExec and ProcDump while evading detections that key on the usual file-system paths of those binaries.
Sigma rule
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: experimental
description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/16
modified: 2023/09/12
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the applications from the Windows Store
level: low
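To make the matching semantics of the selection above concrete, here is an added example (not code from the Sigma project or the rule author) that re-implements the rule's selection in Python and runs it over a handful of constructed AppModel-Runtime-style records. It shows two things a detection engineer cares about: Sigma string values match case-insensitively but exactly (so `PsExec.exe` matches while `PsExec64.exe`, which is not in the list, does not), and the `EventID` field is ANDed with `ImageName`. The event dictionaries, their `RecordId` field and the sample image names are constructed for this example; only `EventID` and `ImageName` come from the rule.

```python
# Added example: the rule's selection block re-implemented as a small matcher.
# Field names EventID and ImageName are taken from the rule; RecordId and the
# sample records below are constructed for illustration only.

RULE_SELECTION = {
    "EventID": [201],
    "ImageName": [
        "procdump.exe",
        "psloglist.exe",
        "psexec.exe",
        "livekd.exe",
        "ADExplorer.exe",
    ],
}


def _value_matches(actual, expected):
    """Sigma semantics for a plain value: strings compare case-insensitively
    and exactly (no wildcard in this rule); other types compare by equality."""
    if isinstance(expected, str):
        return isinstance(actual, str) and actual.lower() == expected.lower()
    return actual == expected


def selection_matches(event, selection=RULE_SELECTION):
    """Return True if the event satisfies every field of the selection.
    Fields are ANDed together; the list of values under one field is an OR."""
    for field, expected_values in selection.items():
        if field not in event:
            return False
        if not any(_value_matches(event[field], v) for v in expected_values):
            return False
    return True


# Constructed sample records in the shape the rule expects from the
# Microsoft-Windows-AppModel-Runtime channel (product: windows,
# service: appmodel-runtime). Only EventID and ImageName matter to the rule.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 201, "ImageName": "procdump.exe"},   # listed tool
    {"RecordId": 2, "EventID": 201, "ImageName": "PsExec.exe"},     # case differs, still matches
    {"RecordId": 3, "EventID": 201, "ImageName": "PsExec64.exe"},   # not in list: exact match only
    {"RecordId": 4, "EventID": 200, "ImageName": "psexec.exe"},     # wrong event ID
    {"RecordId": 5, "EventID": 201, "ImageName": "notepad.exe"},    # unrelated image
]


def run_detection(events):
    """Apply the rule to a sequence of events and return the RecordIds that alert."""
    return [e["RecordId"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if selection_matches(event) else "ignore"
        print(f"{verdict:6} record={event['RecordId']} image={event['ImageName']}")
    # Expected alerts: records 1 and 2
    print("alerting records:", run_detection(SAMPLE_EVENTS))
```

Record 3 is the point worth noting when tuning: because the rule lists exact image names, any Sysinternals binary not in the list (a 64-bit variant, for instance) is outside its coverage, so extending the `ImageName` list is the way to widen it rather than relying on partial matches.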