PUA - Sysinternals Tools Execution - Registry

Detects the execution of potentially unwanted Sysinternals tools such as PsExec and ProcDump via the "EulaAccepted" registry value that these tools write under HKCU\Software\Sysinternals\<tool name> when they are first run (or started with the -accepteula switch). Note that the rule matches on a registry value being set, not on the creation of a key.

Sigma rule

```yaml
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml
```
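The following is an added worked example, not part of the Sigma rule or the SigmaHQ project: it re-implements the rule's `selection` in Python and runs it over a handful of constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records reduced to the `Image`, `TargetObject` and `Details` fields. The SID in the HKU paths, the image paths and the `allowed_image_prefixes` tuning knob are all assumptions made for the example; the tuning knob stands in for the per-environment path filter the rule's `falsepositives` entry recommends.

```python
"""Evaluate the rule's `selection` over constructed Sysmon Event ID 13 records."""

# Fragments copied from the rule's TargetObject|contains list.
TOOL_FRAGMENTS = [
    r"\Active Directory Explorer",
    r"\Handle",
    r"\LiveKd",
    r"\Process Explorer",
    r"\ProcDump",
    r"\PsExec",
    r"\PsLoglist",
    r"\PsPasswd",
    r"\SDelete",
    r"\Sysinternals",
]
# The rule's TargetObject|endswith value.
EULA_SUFFIX = r"\EulaAccepted"

# Constructed records (not real telemetry), reduced to the fields used here.
# The SID in the HKU paths and the image paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\PsExec.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\reg.exe",  # suite-wide value set by hand
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Sysinternals\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Admin\Sysinternals\procdump64.exe",  # mixed case on purpose
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\SYSINTERNALS\PROCDUMP\EULAACCEPTED",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Program Files\SomeVendor\setup.exe",  # not a Sysinternals path
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\SomeVendor\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\alice\Downloads\PsExec.exe",  # Sysinternals path, other value
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Sysinternals\PsExec\LastRun",
     "Details": "DWORD (0x00000001)"},
]


def matches_selection(target_object: str) -> bool:
    """True when TargetObject satisfies both conditions of the rule's `selection`.

    Sigma string modifiers compare case-insensitively by default, so both sides
    are lower-cased; `contains` maps to `in` and `endswith` to `str.endswith`.
    """
    t = target_object.lower()
    return (any(f.lower() in t for f in TOOL_FRAGMENTS)
            and t.endswith(EULA_SUFFIX.lower()))


def triage(events, allowed_image_prefixes=()):
    """Return the events the rule would alert on.

    `allowed_image_prefixes` is a hypothetical tuning knob: hits whose Image
    starts with an approved path are dropped, which is what a Sigma `filter`
    selection using `Image|startswith` would do for the false-positive case
    the rule documents.
    """
    hits = []
    for ev in events:
        if not matches_selection(ev["TargetObject"]):
            continue
        image = ev["Image"].lower()
        if any(image.startswith(p.lower()) for p in allowed_image_prefixes):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT {ev['Image']} -> {ev['TargetObject']}")
    approved = ("C:\\Admin\\Sysinternals\\",)
    print("hits after allowlisting the admin tools directory:",
          len(triage(SAMPLE_EVENTS, approved)))
```

Running the block alerts on the first three records and not on the last two. Two points the run makes visible: the match is on the value name, so a write to any other value under the tool's key is ignored, and because `'\Sysinternals'` is itself in the `contains` list, any `EulaAccepted` value written under HKCU\Software\Sysinternals\ matches, including tools such as Autoruns that are not named individually, so the per-tool entries mainly document intent rather than narrow the match.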
