sigmalowHunting

PUA - Sysinternal Tool Execution - Registry

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

MITRE ATT&CK

resource-development

Detection Query

selection:
  TargetObject|endswith: \EulaAccepted
condition: selection

Author

Markus Neis

Created

2017-08-28

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://twitter.com/Moti_B/status/1008587936735035392

Tags

attack.resource-developmentattack.t1588.002

Raw Content

title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml