EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

MITRE ATT&CK

T1588.002
resource-development

Detection Query

selection:
  TargetObject|contains:
    - \Active Directory Explorer
    - \Handle
    - \LiveKd
    - \ProcDump
    - \Process Explorer
    - \PsExec
    - \PsLoggedon
    - \PsLoglist
    - \PsPasswd
    - \PsPing
    - \PsService
    - \SDelete
  TargetObject|endswith: \EulaAccepted
filter:
  Image|endswith:
    - \ADExplorer.exe
    - \ADExplorer64.exe
    - \handle.exe
    - \handle64.exe
    - \livekd.exe
    - \livekd64.exe
    - \procdump.exe
    - \procdump64.exe
    - \procexp.exe
    - \procexp64.exe
    - \PsExec.exe
    - \PsExec64.exe
    - \PsLoggedon.exe
    - \PsLoggedon64.exe
    - \psloglist.exe
    - \psloglist64.exe
    - \pspasswd.exe
    - \pspasswd64.exe
    - \PsPing.exe
    - \PsPing64.exe
    - \PsService.exe
    - \PsService64.exe
    - \sdelete.exe
condition: selection and not filter

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-24

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.resource-developmentattack.t1588.002
Raw Content
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 8023f872-3f1d-4301-a384-801889917ab4
      type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            # Please add new values while respecting the alphabetical order
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\ProcDump'
            - '\Process Explorer'
            - '\PsExec'
            - '\PsLoggedon'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\PsPing'
            - '\PsService'
            - '\SDelete'
        TargetObject|endswith: '\EulaAccepted'
    filter:
        Image|endswith:
            # Please add new values while respecting the alphabetical order
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\PsLoggedon.exe'
            - '\PsLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\PsPing.exe'
            - '\PsPing64.exe'
            - '\PsService.exe'
            - '\PsService64.exe'
            - '\sdelete.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml