Usage of Renamed Sysinternals Tools - RegistrySet

 1title: Usage of Renamed Sysinternals Tools - RegistrySet
 2id: 8023f872-3f1d-4301-a384-801889917ab4
 3related:
 4    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 5      type: derived
 6    - id: f50f3c09-557d-492d-81db-9064a8d4e211
 7      type: similar
 8status: test
 9description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
10references:
11    - Internal Research
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-08-24
14modified: 2023-08-17
15tags:
16    - attack.resource-development
17    - attack.t1588.002
18logsource:
19    product: windows
20    category: registry_set
21detection:
22    selection:
23        TargetObject|contains:
24            - '\PsExec'
25            - '\ProcDump'
26            - '\Handle'
27            - '\LiveKd'
28            - '\Process Explorer'
29            - '\PsLoglist'
30            - '\PsPasswd'
31            - '\Active Directory Explorer'
32        TargetObject|endswith: '\EulaAccepted'
33    filter_main_image_names:
34        Image|endswith:
35            - '\PsExec.exe'
36            - '\PsExec64.exe'
37            - '\procdump.exe'
38            - '\procdump64.exe'
39            - '\handle.exe'
40            - '\handle64.exe'
41            - '\livekd.exe'
42            - '\livekd64.exe'
43            - '\procexp.exe'
44            - '\procexp64.exe'
45            - '\psloglist.exe'
46            - '\psloglist64.exe'
47            - '\pspasswd.exe'
48            - '\pspasswd64.exe'
49            - '\ADExplorer.exe'
50            - '\ADExplorer64.exe'
51    filter_optional_null:
52        Image: null # Race condition with some logging tools
53    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
54falsepositives:
55    - Unlikely
56level: high