Type: Detection | Level: medium | Status: test
PUA - Sysinternals Tools Execution - Registry
Detects the execution of potentially unwanted Sysinternals tools such as PsExec, ProcDump and Process Explorer via the "EulaAccepted" registry value that each tool writes under its own key (HKCU\Software\Sysinternals\<Tool>) the first time its licence agreement is accepted, whether interactively or through the -accepteula switch. Because the value is written by the tool itself, a renamed binary still leaves this trace.
Author: Nasreddine Bencherchali (Nextron Systems) | Created: Wed Aug 24 | Updated: Sun Oct 26 | ID: c7da8edc-49ae-45a2-9e61-9fd860e4e73d | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
False Positives
Legitimate administrative use of Sysinternals tools. Filter on the image paths (and, where useful, the user accounts) from which the tools are legitimately run in your environment.
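To make the selection logic concrete, the following is an added example (not code from the Sigma rule or from the page) that re-implements the selector in Python and runs it over constructed Sysmon Event ID 13 (RegistryEvent, value set) records, then applies the kind of image-path allowlist the false-positive note calls for. The Sysmon field names (TargetObject, Image) are real; the sample events, user SID and the allowlisted install path are made up. It also shows that the '\Sysinternals' entry catches tools the list does not name, because every tool's key sits beneath HKCU\Software\Sysinternals.

```python
"""Sigma 'PUA - Sysinternals Tools Execution - Registry' selector, re-implemented
for illustration and run over constructed Sysmon EID 13 events. Example code,
not part of the rule or the page."""
from dataclasses import dataclass

# Substrings from the rule's TargetObject|contains list.
TOOL_KEYS = [
    r"\Active Directory Explorer", r"\Handle", r"\LiveKd", r"\Process Explorer",
    r"\ProcDump", r"\PsExec", r"\PsLoglist", r"\PsPasswd", r"\SDelete",
    r"\Sysinternals",  # global-level key, also the parent of every per-tool key
]
VALUE_SUFFIX = r"\EulaAccepted"  # the rule's TargetObject|endswith value


@dataclass
class RegistrySetEvent:
    """Minimal view of a Sysmon Event ID 13 record (constructed sample data)."""
    image: str
    target_object: str
    details: str = "DWORD (0x00000001)"


def rule_matches(event: RegistrySetEvent) -> bool:
    """Sigma string modifiers are case-insensitive by default, so compare lower-cased.
    Both conditions inside 'selection' must hold (implicit AND); the list under
    'contains' is an OR."""
    target = event.target_object.lower()
    if not target.endswith(VALUE_SUFFIX.lower()):
        return False
    return any(key.lower() in target for key in TOOL_KEYS)


# Constructed allowlist standing in for "the legitimate paths used in your environment".
ALLOWED_IMAGE_PREFIXES = ("c:\\program files\\sysinternalssuite\\",)


def is_allowlisted(event: RegistrySetEvent) -> bool:
    return event.image.lower().startswith(ALLOWED_IMAGE_PREFIXES)


def evaluate(events):
    """Return the events that match the rule and survive the allowlist filter."""
    return [e for e in events if rule_matches(e) and not is_allowlisted(e)]


SID = r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed
SAMPLE_EVENTS = [
    # 0: PsExec run from a download folder -> alert
    RegistrySetEvent(r"C:\Users\bob\Downloads\PsExec64.exe",
                     SID + r"\SOFTWARE\Sysinternals\PsExec\EulaAccepted"),
    # 1: Process Explorer from the approved install path -> matches, allowlisted
    RegistrySetEvent(r"C:\Program Files\SysinternalsSuite\procexp64.exe",
                     SID + r"\SOFTWARE\Sysinternals\Process Explorer\EulaAccepted"),
    # 2: renamed ProcDump; the key name still names the tool -> alert
    RegistrySetEvent(r"C:\Windows\Temp\pd.exe",
                     SID + r"\SOFTWARE\Sysinternals\ProcDump\EulaAccepted"),
    # 3: global-level EulaAccepted set by hand -> alert via '\Sysinternals'
    RegistrySetEvent(r"C:\Windows\regedit.exe",
                     SID + r"\SOFTWARE\Sysinternals\EulaAccepted"),
    # 4: unrelated registry write -> no match
    RegistrySetEvent(r"C:\Windows\System32\svchost.exe",
                     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    # 5: a tool not in the list still matches through the parent key -> alert
    RegistrySetEvent(r"C:\Users\bob\Desktop\Autoruns64.exe",
                     SID + r"\SOFTWARE\Sysinternals\AutoRuns\EulaAccepted"),
    # 6: right key, wrong value name -> no match
    RegistrySetEvent(r"C:\Users\bob\Downloads\PsExec64.exe",
                     SID + r"\SOFTWARE\Sysinternals\PsExec\Settings"),
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print(f"ALERT image={e.image} target={e.target_object}")
```

Running the script prints four alerts (events 0, 2, 3 and 5); the approved-path Process Explorer launch matches the rule but is dropped by the allowlist, which is the filtering the rule's false-positive note expects you to add.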
MITRE ATT&CK
Tactic: Resource Development (TA0042)
Sub-technique: Obtain Capabilities: Tool (T1588.002)
Related Rules
Derived | Detection | low
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
This rule was derived from the related rule - both detect similar activity with different scope.
Similar: 9841b233-8df8-4ad7-9133-b0b4402a9014 (rule not found)
Rule Metadata
Rule ID: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
Status: test
Level: medium
Type: Detection
Created: Wed Aug 24
Modified: Sun Oct 26
Path: rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml
Raw Tags: attack.resource-development, attack.t1588.002