Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Mon Jan 16
Updated: Tue Sep 12
Rule ID: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
Product: windows
Log Source
Product: Windows (raw: windows)
Service: appmodel-runtime (raw: appmodel-runtime)
Detection Logic (1 selector)
detection:
  selection:
    EventID: 201
    ImageName:
      - 'procdump.exe'
      - 'psloglist.exe'
      - 'psexec.exe'
      - 'livekd.exe'
      - 'ADExplorer.exe'
  condition: selection
False Positives
Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
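To make the selection above concrete, here is a small Python evaluator that applies the rule's logic to constructed appmodel-runtime events. This is added example code, not part of the rule page or the Sigma project; the event dictionaries and the package name are constructed, and string matching is done case-insensitively to mirror Sigma's default comparison semantics.

```python
"""Evaluate the Sigma selection from the rule against constructed
appmodel-runtime events (example code, not the Sigma project's own)."""
from typing import Iterable

# Selection copied from the rule: EventID 201 from the appmodel-runtime
# log, with ImageName equal to one of the listed Sysinternals binaries.
RULE = {
    "EventID": 201,
    "ImageName": ["procdump.exe", "psloglist.exe", "psexec.exe",
                  "livekd.exe", "ADExplorer.exe"],
}


def matches_selection(event: dict) -> bool:
    """True when the event satisfies every field of the selection.

    Sigma compares strings case-insensitively by default, so ImageName is
    lower-cased before comparison; a list of values in one field is an OR.
    """
    if event.get("EventID") != RULE["EventID"]:
        return False
    image = str(event.get("ImageName", "")).lower()
    return image in {name.lower() for name in RULE["ImageName"]}


def alert(events: Iterable[dict]) -> list[dict]:
    """Return the events the rule would raise (condition: selection)."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events carrying only the fields the rule inspects.
SAMPLE_EVENTS = [
    {"EventID": 201, "ImageName": "psexec.exe",
     "PackageFullName": "PLACEHOLDER_SysinternalsSuite_package"},
    {"EventID": 201, "ImageName": "PROCDUMP.EXE"},   # case differs, still a hit
    {"EventID": 201, "ImageName": "notepad.exe"},    # not a listed tool
    {"EventID": 200, "ImageName": "procdump.exe"},   # wrong event ID
]

if __name__ == "__main__":
    for hit in alert(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it on the constructed events raises the first two (the second only because matching is case-insensitive), which is the behaviour to keep in mind when tuning the store-install exclusions the False Positives note mentions.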
Rule Metadata
Rule ID: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
Status: test
Level: low
Type: Detection
Created: Mon Jan 16
Modified: Tue Sep 12
Path: rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
Raw Tags: attack.defense-evasion, attack.execution