LoFP / programs that use the same command line flag

Techniques

• t1588
• t1588.002

Sample rules

Potential Execution of Sysinternals Tools

• source: sigma
• technicques:
  • t1588
  • t1588.002

Description

Detects command lines that contain the ‘accepteula’ flag which could be a sign of execution of one of the Sysinternals tools

Detection logic

condition: selection
selection:
  CommandLine|contains|windash: ' -accepteula'