Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite from the Microsoft Store to get access to tools such as psexec and procdump, and so sidestep detections that key on the tools' usual paths under the System directories.
Sigma rule

title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
    Detects execution of Sysinternals tools via an AppX package.
    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low
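The following is an added example, not code from the Sigma project or the rule author: it applies the rule's selection (EventID 201 plus the ImageName list) to a handful of constructed AppModel-Runtime events in the flattened dict form a SIEM typically hands to a rule engine, and shows how a tuning exclusion for the false-positive case would fit in. The channel name APPMODEL_CHANNEL is an assumption about how the Sigma service "appmodel-runtime" maps to a Windows event channel; the sample events, package names and the find_hits/matches_selection helpers are constructed for illustration.

```python
# Added example (not the Sigma project's code): evaluate the rule's selection
# against constructed AppModel-Runtime events and apply an optional exclusion.

# Image names from the rule's selection. Sigma compares strings
# case-insensitively, so everything is lowercased before comparison.
WATCHED_IMAGES = frozenset(name.lower() for name in (
    "procdump.exe",
    "psloglist.exe",
    "psexec.exe",
    "livekd.exe",
    "ADExplorer.exe",
))

# Assumption: the Sigma service "appmodel-runtime" maps to this event channel.
APPMODEL_CHANNEL = "Microsoft-Windows-AppModel-Runtime/Admin"

# Constructed sample events (field values are made up for illustration).
SAMPLE_EVENTS = [
    {"EventID": 201, "Channel": APPMODEL_CHANNEL, "ImageName": "PsExec.exe",
     "PackageFullName": "Microsoft.SysinternalsSuite_sample_8wekyb3d8bbwe"},
    {"EventID": 201, "Channel": APPMODEL_CHANNEL, "ImageName": "procdump.exe",
     "PackageFullName": "Microsoft.SysinternalsSuite_sample_8wekyb3d8bbwe"},
    {"EventID": 201, "Channel": APPMODEL_CHANNEL, "ImageName": "Calculator.exe",
     "PackageFullName": "Microsoft.WindowsCalculator_sample_8wekyb3d8bbwe"},
    # Same tool name but a different event ID: must not match.
    {"EventID": 200, "Channel": APPMODEL_CHANNEL, "ImageName": "psexec.exe",
     "PackageFullName": "Microsoft.SysinternalsSuite_sample_8wekyb3d8bbwe"},
    # Right event ID but another channel reusing the number: must not match.
    {"EventID": 201, "Channel": "Application", "ImageName": "procdump.exe"},
]


def matches_selection(event, excluded_images=frozenset()):
    """Return True when the event satisfies the rule's selection and is not excluded.

    excluded_images is the tuning hook the rule's falsepositives note asks for:
    image names an organisation has sanctioned are dropped before matching.
    """
    if event.get("Channel") != APPMODEL_CHANNEL:
        return False
    if event.get("EventID") != 201:
        return False
    image = str(event.get("ImageName", "")).lower()
    if image in {x.lower() for x in excluded_images}:
        return False
    return image in WATCHED_IMAGES


def find_hits(events, excluded_images=frozenset()):
    """Return (ImageName, PackageFullName) pairs for events that trigger the rule."""
    return [
        (e["ImageName"], e.get("PackageFullName", "<unknown>"))
        for e in events
        if matches_selection(e, excluded_images)
    ]


if __name__ == "__main__":
    for image, package in find_hits(SAMPLE_EVENTS):
        print(f"ALERT (level low): Sysinternals AppX tool {image} from package {package}")
    # Tuning: once procdump use from the Store package is sanctioned, exclude it.
    print("after exclusion:", find_hits(SAMPLE_EVENTS, {"procdump.exe"}))
```

Two of the five constructed events fire; the negative cases show why both the channel and the event ID are checked rather than the image name alone, since an unrelated provider can reuse event number 201 and the same package logs other event IDs for the same tool. Exclusions are case-insensitive for the same reason the match is.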