EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Usage of Renamed Sysinternals Tools - RegistrySet

Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution

MITRE ATT&CK

T1588.002
resource-development

Detection Query

selection:
  TargetObject|contains:
    - \PsExec
    - \ProcDump
    - \Handle
    - \LiveKd
    - \Process Explorer
    - \PsLoglist
    - \PsPasswd
    - \Active Directory Explorer
  TargetObject|endswith: \EulaAccepted
filter_main_image_names:
  Image|endswith:
    - \PsExec.exe
    - \PsExec64.exe
    - \procdump.exe
    - \procdump64.exe
    - \handle.exe
    - \handle64.exe
    - \livekd.exe
    - \livekd64.exe
    - \procexp.exe
    - \procexp64.exe
    - \psloglist.exe
    - \psloglist64.exe
    - \pspasswd.exe
    - \pspasswd64.exe
    - \ADExplorer.exe
    - \ADExplorer64.exe
filter_optional_null:
  Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-24

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.resource-developmentattack.t1588.002
Raw Content
title: Usage of Renamed Sysinternals Tools - RegistrySet
id: 8023f872-3f1d-4301-a384-801889917ab4
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: f50f3c09-557d-492d-81db-9064a8d4e211
      type: similar
status: test
description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\PsExec'
            - '\ProcDump'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\Active Directory Explorer'
        TargetObject|endswith: '\EulaAccepted'
    filter_main_image_names:
        Image|endswith:
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
    filter_optional_null:
        Image: null # Race condition with some logging tools
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high