sigma | low | Hunting
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Detection Query
selection:
    EventID: 201
    ImageName:
        - procdump.exe
        - psloglist.exe
        - psexec.exe
        - livekd.exe
        - ADExplorer.exe
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-16
Data Sources
windowsappmodel-runtime
Platforms
windows
Tags
attack.defense-evasion
attack.execution
Raw Content
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
    Detects execution of Sysinternals tools via an AppX package.
    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low
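To see how the selection above behaves on event data, here is an added Python example (not part of the rule or of the Sigma project) that applies the rule's selection logic, with Sigma's case-insensitive string matching, to constructed appmodel-runtime events; the field names follow the rule and every event value is invented.

```python
import fnmatch

# Selection copied from the rule: keys are AND-ed, list values are OR-ed.
SELECTION = {
    "EventID": 201,
    "ImageName": ["procdump.exe", "psloglist.exe", "psexec.exe",
                  "livekd.exe", "ADExplorer.exe"],
}


def _field_matches(actual, expected):
    """Sigma semantics: strings compare case-insensitively ('*' and '?'
    are wildcards); numbers compare by value, tolerating the text form
    that XML-exported event logs often carry (e.g. EventID "201")."""
    if isinstance(expected, list):
        return any(_field_matches(actual, e) for e in expected)
    if isinstance(expected, str):
        return isinstance(actual, str) and fnmatch.fnmatchcase(
            actual.lower(), expected.lower())
    return actual == expected or str(actual) == str(expected)


def matches(event, selection=SELECTION):
    """condition: selection -> every selection field must match the event."""
    return all(key in event and _field_matches(event[key], value)
               for key, value in selection.items())


# Constructed sample events: field names follow the rule, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 201, "ImageName": "PsExec.exe"},      # AppX PsExec, other case
    {"EventID": "201", "ImageName": "procdump.exe"},  # EventID exported as text
    {"EventID": 201, "ImageName": "notepad.exe"},     # unrelated package launch
    {"EventID": 200, "ImageName": "psexec.exe"},      # other appmodel event id
    {"EventID": 201},                                 # ImageName missing
]


def hunt(events):
    """Return the ImageName of every event that fires the rule."""
    return [e["ImageName"] for e in events if matches(e)]


if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS):
        print("Sysinternals Tools AppX Versions Execution:", name)
```

The two fired events show why the ImageName list, not the file path, is the pivot: the AppX package places the binaries outside the usual Sysinternals paths, so only the image name survives as a stable indicator.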