Potential Execution of Sysinternals Tools
Detects command lines that contain the 'accepteula' flag, which could be a sign that one of the Sysinternals tools was executed (most Sysinternals tools require -accepteula or /accepteula to suppress the license dialog on first run).
Sigma rule

title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low
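The selection above combines two Sigma modifiers: `contains` (a case-insensitive substring test) and `windash`, which expands every dash in the pattern into its separator variants so that `-accepteula`, `/accepteula` and the Unicode dash forms are all caught. The following is an added example, written for this page and not code from the Sigma project or from pySigma; it re-implements that matching semantics in plain Python and runs it over a handful of constructed process_creation events to show what the rule does and does not fire on. The set of dash variants (`-`, `/`, en dash, em dash) is taken from the current Sigma specification; the sample command lines and the `matches`/`run_rule` helper names are assumptions made for the example.

```python
"""Re-implementation of `CommandLine|contains|windash: ' -accepteula'`.

Added example for this page; not Sigma/pySigma code.
"""

# The selection string exactly as it appears in the rule.
PATTERN = " -accepteula"

# Characters the Sigma `windash` modifier expands '-' into, per the
# Sigma specification: dash, forward slash, en dash, em dash.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014")


def windash_permutations(pattern: str) -> list[str]:
    """Return every permutation of `pattern` with each '-' replaced by a variant."""
    results = [""]
    for ch in pattern:
        if ch == "-":
            results = [prefix + v for prefix in results for v in WINDASH_VARIANTS]
        else:
            results = [prefix + ch for prefix in results]
    return results


def matches(command_line: str, pattern: str = PATTERN) -> bool:
    """Sigma `contains` is case-insensitive; `windash` adds the separator variants."""
    haystack = command_line.casefold()
    return any(p.casefold() in haystack for p in windash_permutations(pattern))


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Classic PsExec lateral movement with the dash form of the flag: fires.
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe -accepteula \\srv01 -s cmd.exe"},
    # ProcDump with the slash form: fires thanks to windash.
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe /accepteula -ma lsass.exe lsass.dmp"},
    # Renamed binary, en dash and mixed case: still fires (casefold + windash).
    {"Image": r"C:\Users\a\Downloads\p.exe",
     "CommandLine": "p.exe \u2013AcceptEula \\\\srv02 cmd"},
    # The word alone, with no separator in front of it: does not fire.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo accepteula"},
    # No flag at all: does not fire.
    {"Image": r"C:\Tools\Autoruns.exe", "CommandLine": r"Autoruns.exe"},
    # Double dash: the pattern's leading space must sit directly before the
    # dash, so " --accepteula" does not contain " -accepteula". Does not fire.
    {"Image": r"C:\Tools\x.exe", "CommandLine": r"x.exe --accepteula"},
]


def run_rule(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event the selection matches."""
    return [e["CommandLine"] for e in events if matches(e["CommandLine"])]


if __name__ == "__main__":
    for cl in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

Two points a practitioner should keep in mind when deploying this. First, exactly how `windash` is expanded depends on the backend that converts the rule, so check the generated query against the four variants above rather than assuming them. Second, the rule only sees the flag on the command line; the companion registry rules listed below cover the case where the EULA has already been accepted out of band, which is why they are related rather than redundant.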
Related rules
- PUA - Sysinternal Tool Execution - Registry
- PUA - Sysinternals Tools Execution - Registry
- Renamed SysInternals DebugView Execution
- Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Suspicious Keyboard Layout Load