Techniques
Sample rules
Potential Execution of Sysinternals Tools
- source: sigma
- techniques:
- t1588
- t1588.002
Description
Detects command lines that contain the 'accepteula' flag, which could be a sign of execution of one of the Sysinternals tools
Detection logic
condition: selection
selection:
CommandLine|contains|windash: ' -accepteula'
PUA - Sysinternal Tool Execution - Registry
- source: sigma
- techniques:
- t1588
- t1588.002
Description
Detects the execution of a Sysinternals Tool via the creation of the 'accepteula' registry key
Detection logic
condition: selection
selection:
EventType: CreateKey
TargetObject|endswith: \EulaAccepted
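To show how the two selections above behave on real telemetry, here is an added evaluator (not part of the Sigma project) that applies both rules to constructed Sysmon-style events. It implements Sigma's case-insensitive matching and the core of the windash modifier (the '-' to '/' swap); the event layout, the hypothetical HKU path with a placeholder SID, and all sample values are assumptions made for the example.

```python
"""Apply the two Sigma selections above to constructed Sysmon-style events."""


def windash_variants(value: str) -> set[str]:
    # Sigma's windash modifier expands a value so that ' -accepteula'
    # also matches the Windows-style ' /accepteula' switch.
    return {value, value.replace("-", "/")}


def contains_windash(field_value: str, pattern: str) -> bool:
    # Sigma string comparisons are case-insensitive by default.
    haystack = field_value.lower()
    return any(v.lower() in haystack for v in windash_variants(pattern))


def rule_sysinternals_cmdline(event: dict) -> bool:
    # "Potential Execution of Sysinternals Tools":
    # CommandLine|contains|windash: ' -accepteula' (leading space is part of the value)
    return contains_windash(event.get("CommandLine", ""), " -accepteula")


def rule_sysinternals_registry(event: dict) -> bool:
    # "PUA - Sysinternal Tool Execution - Registry":
    # EventType: CreateKey AND TargetObject|endswith: \EulaAccepted
    return (event.get("EventType") == "CreateKey"
            and event.get("TargetObject", "").lower().endswith("\\eulaaccepted"))


def evaluate(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, event id) pairs for every event a rule matches."""
    hits = []
    for e in events:
        if rule_sysinternals_cmdline(e):
            hits.append(("cmdline", e["id"]))
        if rule_sysinternals_registry(e):
            hits.append(("registry", e["id"]))
    return hits


# Constructed sample events (not real telemetry; the SID is a placeholder).
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r"C:\Tools\PsExec.exe -accepteula \\WS01 cmd"},
    {"id": 2, "CommandLine": "procdump.exe /AcceptEula -ma notepad.exe"},   # windash + case
    {"id": 3, "CommandLine": "setup.exe --accept-eula /quiet"},             # no match
    {"id": 4, "EventType": "CreateKey",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Sysinternals\PsExec\EulaAccepted"},
    {"id": 5, "EventType": "SetValue",                                     # not CreateKey
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Sysinternals\PsExec\EulaAccepted"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # [('cmdline', 1), ('cmdline', 2), ('registry', 4)]
```

Event 5 shows the caveat a practitioner should keep in mind: the registry rule only fires on CreateKey, so a SetValue event on the same path is not covered by this selection.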