Legitimate usage of Sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.

Techniques

Sample rules

Sysinternals Tools AppX Versions Execution

Description

Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite as an AppX package to get access to tools such as PsExec and ProcDump while evading detections that key on the tools' usual file-system paths.

Detection logic

selection:
  EventID: 201
  ImageName:
  - procdump.exe
  - psloglist.exe
  - psexec.exe
  - livekd.exe
  - ADExplorer.exe
condition: selection
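The following is an added example, not part of the LoFP page or of the Sigma rule itself: it evaluates the rule's `selection` over constructed EventID 201 records and applies the kind of exclusion the false-positive note calls for. The `Computer` and `User` field names and all sample values are assumptions for illustration.

```python
"""Evaluate the 'Sysinternals Tools AppX Versions Execution' selection and apply exclusions."""

# Sigma compares strings case-insensitively by default, so normalise both sides.
WATCHED_IMAGES = frozenset(name.lower() for name in (
    "procdump.exe", "psloglist.exe", "psexec.exe", "livekd.exe", "ADExplorer.exe"))


def rule_matches(event: dict) -> bool:
    """Equivalent of `selection`: EventID 201 AND ImageName in the watched list."""
    if event.get("EventID") != 201:
        return False
    image = str(event.get("ImageName", ""))
    # The rule lists bare file names; tolerate a full path in the event by keeping the last component.
    return image.rsplit("\\", 1)[-1].lower() in WATCHED_IMAGES


def is_excluded(event: dict, exclusions: list) -> bool:
    """An exclusion is a dict of field -> expected value; all fields of one exclusion must match."""
    return any(
        all(str(event.get(field, "")).lower() == str(value).lower() for field, value in excl.items())
        for excl in exclusions
    )


def triage(events: list, exclusions: list) -> list:
    """Return the events that fire the rule and are not covered by an exclusion."""
    return [e for e in events if rule_matches(e) and not is_excluded(e, exclusions)]


# Constructed sample events (field names and values are illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 201, "ImageName": "procdump.exe", "Computer": "WS-ADMIN01", "User": "CORP\\itadmin"},
    {"EventID": 201, "ImageName": "PsExec.exe", "Computer": "WS-FIN07", "User": "CORP\\jdoe"},
    {"EventID": 201, "ImageName": "notepad.exe", "Computer": "WS-FIN07", "User": "CORP\\jdoe"},
    {"EventID": 200, "ImageName": "psexec.exe", "Computer": "WS-FIN07", "User": "CORP\\jdoe"},
]

# Assumed exclusion: an admin workstation where Store-installed Sysinternals use is expected.
EXCLUSIONS = [{"Computer": "WS-ADMIN01", "User": "CORP\\itadmin"}]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, EXCLUSIONS):
        print("ALERT", hit["Computer"], hit["User"], hit["ImageName"])
```

Only the finance workstation event survives triage: the admin host is excluded, `notepad.exe` is not a watched image, and EventID 200 is outside the selection.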