PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
Sigma rule
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml
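As an added example that is not part of the rule or the Sigma project, the following Python evaluates this rule's single `endswith` selection against constructed registry_set events whose fields are named after Sysmon's RegistryEvent (value set) output; the process images and key paths are made up, and the second event shows why the match does not depend on the tool's file name.

```python
# Added example (not the rule's or SigmaHQ's code): a minimal evaluator for
# the selection `TargetObject|endswith: '\EulaAccepted'` over constructed
# registry_set events with Sysmon-style field names.
from dataclasses import dataclass


@dataclass
class RegistrySetEvent:
    image: str           # process that wrote the value
    target_object: str   # full registry path of the value written
    details: str         # data written


def matches_eula_rule(event: RegistrySetEvent) -> bool:
    """Apply `TargetObject|endswith: '\\EulaAccepted'`.

    Sigma string matching is case-insensitive unless the `cased` modifier
    is used, so both sides are lower-cased, as a backend would do.
    """
    return event.target_object.lower().endswith("\\eulaaccepted")


# Constructed sample events (hypothetical paths and SID, not from the page).
SAMPLE_EVENTS = [
    RegistrySetEvent(
        image=r"C:\Tools\PsExec64.exe",
        target_object=r"HKU\S-1-5-21-1\Software\Sysinternals\PsExec\EulaAccepted",
        details="DWORD (0x00000001)",
    ),
    # Renamed binary: the image name changes, the EULA value it writes does not.
    RegistrySetEvent(
        image=r"C:\Users\Public\svc.exe",
        target_object=r"HKU\S-1-5-21-1\Software\Sysinternals\ProcDump\EulaAccepted",
        details="DWORD (0x00000001)",
    ),
    # Unrelated registry write: must not match.
    RegistrySetEvent(
        image=r"C:\Windows\explorer.exe",
        target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        details="DWORD (0x00000001)",
    ),
]


def triage(events):
    """Return (image, target_object) for every event the rule fires on."""
    return [(e.image, e.target_object) for e in events if matches_eula_rule(e)]


if __name__ == "__main__":
    for image, key in triage(SAMPLE_EVENTS):
        print(f"[low] Sysinternals EULA accepted: {image} -> {key}")
```

Because the match is on the value name alone, any product that writes a value called EulaAccepted fires this rule too, which is the second false positive the rule lists.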
Related rules
- PUA - Sysinternals Tools Execution - Registry
- Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Potential Execution of Sysinternals Tools
- Hacktool Execution - Imphash
- Hacktool Execution - PE Metadata