PUA - Sysinternals Tools Execution - Registry

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

Sigma rule

title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsoletes
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
modified: 2023/02/07
tags:
    - attack.resource_development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
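As an added example (not part of the rule or of the Sigma project), the selection above re-implemented in Python and run over a few constructed Sysmon Event ID 12 (registry_add) events, including the suite-wide `\Sysinternals\EulaAccepted` key and an allow-list of tool paths as the falsepositives entry recommends; all Image and registry paths are constructed sample values.

```python
from typing import Iterable

# Sub-paths from the rule's TargetObject|contains list.
SYSINTERNALS_KEY_FRAGMENTS = (
    "\\Active Directory Explorer", "\\Handle", "\\LiveKd", "\\Process Explorer",
    "\\ProcDump", "\\PsExec", "\\PsLoglist", "\\PsPasswd", "\\SDelete",
    "\\Sysinternals",  # global-level key written once for the whole suite
)
EULA_VALUE_SUFFIX = "\\EulaAccepted"  # the rule's TargetObject|endswith


def matches_selection(event: dict) -> bool:
    """Mirror the rule's 'selection': EventType is CreateKey AND TargetObject
    contains any listed fragment AND ends with \\EulaAccepted. Sigma string
    modifiers are case-insensitive, so everything is compared in lower case."""
    if event.get("EventType") != "CreateKey":
        return False
    target = event.get("TargetObject", "").lower()
    return (any(frag.lower() in target for frag in SYSINTERNALS_KEY_FRAGMENTS)
            and target.endswith(EULA_VALUE_SUFFIX.lower()))


def find_hits(events: Iterable[dict], allowed_images: Iterable[str] = ()) -> list:
    """Return matching events, dropping those whose Image (the writing process)
    is on a tuning allow-list of legitimate tool paths for this environment."""
    allowed = {p.lower() for p in allowed_images}
    return [e for e in events
            if matches_selection(e) and e.get("Image", "").lower() not in allowed]


# Constructed sample events in the shape of Sysmon Event ID 12 (registry_add).
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "Image": "C:\\Windows\\Temp\\ps.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Sysinternals\\PsExec\\EulaAccepted"},
    {"EventType": "CreateKey", "Image": "C:\\Tools\\procdump64.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Sysinternals\\ProcDump\\EulaAccepted"},
    {"EventType": "CreateKey", "Image": "C:\\Tools\\handle64.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Sysinternals\\EulaAccepted"},  # global key
    {"EventType": "SetValue", "Image": "C:\\Windows\\Temp\\ps.exe",  # wrong EventType
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Sysinternals\\PsExec\\EulaAccepted"},
    {"EventType": "CreateKey", "Image": "C:\\Program Files\\7-Zip\\7zFM.exe",
     "TargetObject": "HKCU\\Software\\7-Zip\\EulaAccepted"},  # no Sysinternals fragment
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS, allowed_images=["C:\\Tools\\procdump64.exe"]):
        print(hit["Image"], "->", hit["TargetObject"])
```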
