Techniques
Sample rules
PUA - Sysinternal Tool Execution - Registry
- source: sigma
- techniques:
- t1588
- t1588.002
Description
Detects the execution of a Sysinternals Tool via the creation of the “accepteula” registry key
Detection logic
condition: selection
selection:
EventType: CreateKey
TargetObject|endswith: \EulaAccepted
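The selection above evaluated in Python over constructed Sysmon-style registry events, as an added example that is not part of the Sigma rule or this page; the event dicts, SIDs and the tool_name helper are assumptions for illustration.

```python
from typing import Iterable

# Constructed Sysmon-style registry events (not real telemetry). Field names
# follow the Sigma rule: EventType and TargetObject. The SID is made up.
_USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventType": "CreateKey",
     "TargetObject": _USER_HIVE + r"\Software\Sysinternals\PsExec\EulaAccepted"},
    {"EventType": "SetValue",  # wrong EventType: must not match
     "TargetObject": _USER_HIVE + r"\Software\Sysinternals\ProcDump\EulaAccepted"},
    {"EventType": "CreateKey",  # parent key only: must not match
     "TargetObject": _USER_HIVE + r"\Software\Sysinternals\ProcDump"},
    {"EventType": "CreateKey",  # different casing: Sigma matches case-insensitively
     "TargetObject": _USER_HIVE + r"\Software\Sysinternals\Autoruns\eulaaccepted"},
]


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's single selection: EventType equals CreateKey AND
    TargetObject ends with \\EulaAccepted. Sigma string comparisons are
    case-insensitive, so both fields are lower-cased before comparing."""
    event_type = str(event.get("EventType", "")).lower()
    target = str(event.get("TargetObject", "")).lower()
    return event_type == "createkey" and target.endswith("\\eulaaccepted")


def tool_name(target_object: str) -> str:
    """Enrichment helper (assumption): the Sysinternals tool name is the key
    directly above EulaAccepted, i.e. the second-to-last path component."""
    parts = target_object.split("\\")
    return parts[-2] if len(parts) >= 2 else ""


def detect(events: Iterable[dict]) -> list[str]:
    """Return the tool name for every event that satisfies the rule."""
    return [tool_name(e["TargetObject"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in detect(SAMPLE_EVENTS):
        print(f"PUA - Sysinternals tool first run detected: {name}")
```

Because EulaAccepted persists once written, the rule fires on a tool's first run per user profile rather than on every execution, so pair it with process-creation telemetry for repeat use.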