Potential Execution of Sysinternals Tools

Detects command lines that contain the 'accepteula' flag, which could be a sign of execution of one of the Sysinternals tools

Sigma rule

```yaml
title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017/08/28
modified: 2023/02/24
tags:
    - attack.resource_development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -accepteula'
            - ' /accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low
```
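The selection above applied to a few constructed process_creation events, as an added example that is not part of the rule or the Sigma project. It reproduces Sigma's default case-insensitive `|contains` matching and shows both a true match and the "program that uses the same flag" false-positive class the rule lists; host names, paths and the vendor installer are hypothetical.

```python
# Added example (not part of the Sigma rule or the Sigma project): a minimal,
# stand-alone evaluation of this rule's selection against constructed
# process_creation events. Sigma string modifiers such as |contains match
# case-insensitively by default, which matches_rule reproduces.

RULE_ID = "7cccd811-7ae9-4ebe-9afd-cb5c406b824b"
# Selection values copied from the rule. The leading space is part of the
# pattern, so the flag must appear as its own token on the command line.
ACCEPTEULA_PATTERNS = (" -accepteula", " /accepteula")


def matches_rule(event: dict) -> bool:
    """Return True when the event's CommandLine contains any selection value.

    Mirrors 'CommandLine|contains' with Sigma's case-insensitive default;
    an event without a CommandLine field never matches.
    """
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return False
    haystack = cmdline.lower()
    return any(pattern in haystack for pattern in ACCEPTEULA_PATTERNS)


def evaluate(events: list[dict]) -> list[dict]:
    """Run the rule over a batch of events and return only the matching ones."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (hypothetical hosts, paths and vendor tool; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\PsExec.exe",
     "CommandLine": "PsExec.exe -accepteula \\\\FILESRV01 cmd.exe"},   # Sysinternals tool
    {"Image": "C:\\Tools\\Sysmon64.exe",
     "CommandLine": "Sysmon64.exe /AcceptEula -i sysmonconfig.xml"},  # mixed case still matches
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},                       # no flag: no match
    {"Image": "C:\\Vendor\\installer.exe",
     "CommandLine": "installer.exe -accepteula /quiet"},               # same flag, not Sysinternals: false positive
    {"Image": "C:\\Windows\\System32\\svchost.exe"},                   # CommandLine absent: no match
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] match: {hit['CommandLine']}")
```

Three of the five constructed events match; the vendor installer hit is exactly the false-positive case the rule documents, which is why the rule carries level "low" and needs triage on the Image field.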
