PUA - Sysinternals Tools Execution - Registry
- source: sigma
- techniques:
  - t1588
  - t1588.002
Description
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the “accepteula” registry key.
Detection logic
selection:
    EventType: CreateKey
    TargetObject|contains:
        - \Active Directory Explorer
        - \Handle
        - \LiveKd
        - \Process Explorer
        - \ProcDump
        - \PsExec
        - \PsLoglist
        - \PsPasswd
        - \SDelete
        - \Sysinternals
    TargetObject|endswith: \EulaAccepted
condition: selection
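To show how the selection above evaluates, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that implements the same field logic and runs it over a few constructed registry events. It follows Sigma semantics: fields inside one selection map are ANDed, the list under `TargetObject|contains` is ORed, and string modifiers match case-insensitively. The event dictionaries, SIDs and paths are constructed for the example, not captured from a real host.

```python
"""Evaluate the 'PUA - Sysinternals Tools Execution - Registry' selection
against constructed registry events (added example, not the rule's code)."""

# Substrings from TargetObject|contains (ORed) and the TargetObject|endswith suffix.
CONTAINS = [
    r"\Active Directory Explorer",
    r"\Handle",
    r"\LiveKd",
    r"\Process Explorer",
    r"\ProcDump",
    r"\PsExec",
    r"\PsLoglist",
    r"\PsPasswd",
    r"\SDelete",
    r"\Sysinternals",
]
ENDSWITH = r"\EulaAccepted"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every field of `selection`.

    Sigma ANDs the keys of a selection map and ORs the values listed under a
    single key; its string modifiers are case-insensitive by default, so both
    sides are lowercased before comparison.
    """
    if event.get("EventType") != "CreateKey":
        return False
    target = event.get("TargetObject", "").lower()
    if not target.endswith(ENDSWITH.lower()):
        return False
    return any(needle.lower() in target for needle in CONTAINS)


def alerts(events) -> list:
    """Return the TargetObject of every event the rule fires on."""
    return [e["TargetObject"] for e in events if matches_rule(e)]


# Constructed sample events in the shape of Sysmon registry telemetry
# (EventType + TargetObject). None of these come from a real system.
SAMPLE_EVENTS = [
    {  # PsExec EULA key created under the user's Sysinternals hive: fires
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted",
    },
    {  # same path, but the event is a value write, not CreateKey: no alert
        "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted",
    },
    {  # ordinary key creation elsewhere under Software: no alert
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
    },
    {  # ProcDump with an upper-cased path: still fires (case-insensitive match)
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\SYSINTERNALS\PROCDUMP\EulaAccepted",
    },
]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("PUA Sysinternals EULA key created:", path)
```

The second sample is the case worth checking when you port this rule to a backend: the rule keys on `EventType: CreateKey`, so a telemetry source that only records value writes for the EULA acceptance will not trigger it, and the log source mapping needs to be verified against what your sensor actually emits.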