Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" registry key associated with the Sysinternals tools by an executable with the wrong name (e.g. a renamed Sysinternals tool)
Sigma rule

title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 8023f872-3f1d-4301-a384-801889917ab4
      type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            # Please add new values while respecting the alphabetical order
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\ProcDump'
            - '\Process Explorer'
            - '\PsExec'
            - '\PsLoggedon'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\PsPing'
            - '\PsService'
            - '\SDelete'
        TargetObject|endswith: '\EulaAccepted'
    filter:
        Image|endswith:
            # Please add new values while respecting the alphabetical order
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\PsLoggedon.exe'
            - '\PsLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\PsPing.exe'
            - '\PsPing64.exe'
            - '\PsService.exe'
            - '\PsService64.exe'
            - '\sdelete.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml
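The rule's selection/filter logic, evaluated in Python over a few constructed Sysmon registry_set events. This is an added example, not code from the rule or the Sigma project; the image paths, user SID and the renamed-tool file names are hypothetical. Sigma string modifiers match case-insensitively by default, which the example reproduces by lower-casing both sides.

```python
# Added example (not part of the rule or the Sigma project): evaluate the rule's
# 'selection and not filter' logic over constructed Sysmon EventID 13 (registry_set)
# events. Sigma string modifiers are case-insensitive by default, so both sides
# are lower-cased before comparing.
TARGET_CONTAINS = [
    r"\Active Directory Explorer", r"\Handle", r"\LiveKd", r"\ProcDump",
    r"\Process Explorer", r"\PsExec", r"\PsLoggedon", r"\PsLoglist",
    r"\PsPasswd", r"\PsPing", r"\PsService", r"\SDelete",
]
TARGET_ENDSWITH = r"\EulaAccepted"
# Expected image names; an EulaAccepted write by any other image is the signal.
IMAGE_FILTER_ENDSWITH = [
    r"\ADExplorer.exe", r"\ADExplorer64.exe", r"\handle.exe", r"\handle64.exe",
    r"\livekd.exe", r"\livekd64.exe", r"\procdump.exe", r"\procdump64.exe",
    r"\procexp.exe", r"\procexp64.exe", r"\PsExec.exe", r"\PsExec64.exe",
    r"\PsLoggedon.exe", r"\PsLoggedon64.exe", r"\psloglist.exe", r"\psloglist64.exe",
    r"\pspasswd.exe", r"\pspasswd64.exe", r"\PsPing.exe", r"\PsPing64.exe",
    r"\PsService.exe", r"\PsService64.exe", r"\sdelete.exe",
]

def matches(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection and not filter'."""
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    selection = (any(s.lower() in target for s in TARGET_CONTAINS)
                 and target.endswith(TARGET_ENDSWITH.lower()))
    filtered = any(image.endswith(f.lower()) for f in IMAGE_FILTER_ENDSWITH)
    return selection and not filtered

def alerting_images(events) -> list:
    """Image paths of every event the rule would fire on, in input order."""
    return [e["Image"] for e in events if matches(e)]

# Constructed events with a hypothetical user SID; Sysinternals tools write
# HKU\<SID>\Software\Sysinternals\<Tool>\EulaAccepted on first run.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\PsExec.exe",  # genuine name -> filtered out
     "TargetObject": SID + r"\Software\Sysinternals\PsExec\EulaAccepted"},
    {"Image": r"C:\Users\Public\update.exe",  # renamed PsExec -> alert
     "TargetObject": SID + r"\Software\Sysinternals\PsExec\EulaAccepted"},
    {"Image": r"C:\Tools\procdump64.exe",  # genuine 64-bit name -> filtered out
     "TargetObject": SID + r"\Software\Sysinternals\ProcDump\EulaAccepted"},
    {"Image": r"C:\Windows\regedit.exe",  # unrelated key -> selection fails
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Foo"},
    {"Image": r"C:\Temp\pd.exe",  # renamed ProcDump -> alert
     "TargetObject": SID + r"\Software\Sysinternals\ProcDump\EulaAccepted"},
]
```

Calling alerting_images(SAMPLE_EVENTS) returns only the two renamed-tool images; genuine tool names are excluded by the filter, and writes to unrelated keys never enter the selection.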
Related rules
- PUA - Sysinternal Tool Execution - Registry
- PUA - Sysinternals Tools Execution - Registry
- Potential Execution of Sysinternals Tools
- Hacktool Execution - Imphash
- Hacktool Execution - PE Metadata