T1588.002

Tool

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for ex...

PRE

13 Detections | 2 Sources | 79 Threat Actors

BY SOURCE

9 sigma | 4 splunk_escu

PROCEDURES (10)

Process Creation Monitoring: 4 detections

Auto-extracted: 4 detections for process creation monitoring

Registry: 1 detection

Auto-extracted: 1 detection for registry

Dump: 1 detection

Auto-extracted: 1 detection for dump

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Registry Monitoring: 1 detection

Auto-extracted: 1 detection for registry monitoring

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

Credential: 1 detection

Auto-extracted: 1 detection for credential

Dump: 1 detection

Auto-extracted: 1 detection for dump

Credential: 1 detection

Auto-extracted: 1 detection for credential

DETECTIONS (13)