PUA - Sysinternals Tools Execution - Registry

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

Sigma rule (View on GitHub)

 1title: PUA - Sysinternals Tools Execution - Registry
 2id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
 3related:
 4    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 5      type: derived
 6    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
 7      type: obsolete
 8status: test
 9description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
10references:
11    - https://twitter.com/Moti_B/status/1008587936735035392
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-08-24
14modified: 2023-02-07
15tags:
16    - attack.resource-development
17    - attack.t1588.002
18logsource:
19    product: windows
20    category: registry_add
21detection:
22    selection:
23        EventType: CreateKey
24        TargetObject|contains:
25            - '\Active Directory Explorer'
26            - '\Handle'
27            - '\LiveKd'
28            - '\Process Explorer'
29            - '\ProcDump'
30            - '\PsExec'
31            - '\PsLoglist'
32            - '\PsPasswd'
33            - '\SDelete'
34            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
35        TargetObject|endswith: '\EulaAccepted'
36    condition: selection
37falsepositives:
38    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
39level: medium

References

Related rules

to-top