Suspicious Execution Of Renamed Sysinternals Tools - Registry

calendar Jan 1, 2024 · attack.resource_development attack.t1588.002  ·
Share on: linkedin copy

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

Sigma rule (View on GitHub)

 1title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
 2id: f50f3c09-557d-492d-81db-9064a8d4e211
 3related:
 4    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 5      type: derived
 6    - id: 8023f872-3f1d-4301-a384-801889917ab4
 7      type: similar
 8status: test
 9description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
10references:
11    - Internal Research
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022/08/24
14modified: 2023/02/07
15tags:
16    - attack.resource_development
17    - attack.t1588.002
18logsource:
19    product: windows
20    category: registry_add
21detection:
22    selection:
23        EventType: CreateKey
24        TargetObject|contains:
25            # Please add new values while respecting the alphabetical order
26            - '\Active Directory Explorer'
27            - '\Handle'
28            - '\LiveKd'
29            - '\ProcDump'
30            - '\Process Explorer'
31            - '\PsExec'
32            - '\PsLoggedon'
33            - '\PsLoglist'
34            - '\PsPasswd'
35            - '\PsPing'
36            - '\PsService'
37            - '\SDelete'
38        TargetObject|endswith: '\EulaAccepted'
39    filter:
40        Image|endswith:
41            # Please add new values while respecting the alphabetical order
42            - '\ADExplorer.exe'
43            - '\ADExplorer64.exe'
44            - '\handle.exe'
45            - '\handle64.exe'
46            - '\livekd.exe'
47            - '\livekd64.exe'
48            - '\procdump.exe'
49            - '\procdump64.exe'
50            - '\procexp.exe'
51            - '\procexp64.exe'
52            - '\PsExec.exe'
53            - '\PsExec64.exe'
54            - '\PsLoggedon.exe'
55            - '\PsLoggedon64.exe'
56            - '\psloglist.exe'
57            - '\psloglist64.exe'
58            - '\pspasswd.exe'
59            - '\pspasswd64.exe'
60            - '\PsPing.exe'
61            - '\PsPing64.exe'
62            - '\PsService.exe'
63            - '\PsService64.exe'
64            - '\sdelete.exe'
65    condition: selection and not filter
66falsepositives:
67    - Unlikely
68level: high

References

Related rules

to-top