
Summary
This detection rule identifies potential execution of Sysinternals tools by monitoring process command lines for the 'accepteula' switch (normally written as -accepteula or /accepteula). Sysinternals utilities prompt for acceptance of their End User License Agreement the first time they run under a given user; passing the switch suppresses that prompt and records the acceptance, which is why scripted, automated and remote invocations of tools such as PsExec or Procmon almost always carry it. Its presence is therefore a reasonable indicator that a Sysinternals tool is being launched. That is often legitimate administration or troubleshooting, but attackers use the same tools for reconnaissance and lateral movement, so the rule helps surface tool misuse in an environment.

The rule operates on process creation logs from Windows endpoints. It is assigned a low level because false positives are expected: administrators running Sysinternals tools legitimately, and other applications whose command lines carry a similar parameter. Alerts should be investigated in the context of the environment, in particular which user and parent process launched the tool, which tool it was, the target host or process named on the command line, and whether that endpoint normally runs such tooling.
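The matching logic described above, as an added example that is not the rule's own implementation and not code from the rule's author. It runs the 'accepteula' check over a few constructed process-creation events shaped like Sysmon Event ID 1 records (the field names Image, CommandLine, User and ParentImage are assumed), treats the switch as a separate token so that unrelated substrings inside paths do not fire, and enriches each hit with whether the image is a known Sysinternals tool. The KNOWN_SYSINTERNALS list is a hypothetical starting set used only for triage context; the detection itself does not depend on it.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Match the switch as its own token: "-accepteula", "/accepteula" or
# "--accepteula", case-insensitive, at the start of the command line or after
# whitespace. Requiring the leading dash or slash keeps a substring such as
# "...\accepteula_notes.exe" inside a path from matching.
ACCEPTEULA_RE = re.compile(r"(?i)(?:^|\s)[-/]{1,2}accepteula(?=\s|$)")

# Hypothetical list used only to enrich alerts; extend it for your environment.
KNOWN_SYSINTERNALS = {
    "psexec", "psexec64", "procmon", "procmon64", "procdump", "procdump64",
    "procexp", "procexp64", "autoruns", "autorunsc", "handle", "handle64",
    "pskill", "psservice", "sdelete", "sdelete64",
}


def has_accepteula(command_line: str) -> bool:
    """True if the command line carries the EULA-acceptance switch."""
    return ACCEPTEULA_RE.search(command_line or "") is not None


def tool_name(image: str) -> str:
    """Lower-cased file name without extension, e.g. 'psexec'."""
    return PureWindowsPath(image).stem.lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return a low-severity alert for a process-creation event, or None."""
    cmd = event.get("CommandLine", "")
    if not has_accepteula(cmd):
        return None
    name = tool_name(event.get("Image", ""))
    return {
        "level": "low",
        "tool": name,
        # An unknown image with this switch is a likely false positive from
        # another application, but still worth a look.
        "known_sysinternals": name in KNOWN_SYSINTERNALS,
        "user": event.get("User"),
        "parent": event.get("ParentImage"),
        "command_line": cmd,
    }


def scan(events) -> list:
    """Run evaluate() over an iterable of events and keep the hits."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry). Three should match:
# a PsExec remote shell, a Procmon run with mixed-case switch, and a
# non-Sysinternals binary using the same switch. The other three must not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\PsExec.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec.exe -accepteula \\FILESRV01 -s cmd.exe"},
    {"Image": r"C:\Tools\Procmon.exe", "User": r"CORP\admin01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"Procmon.exe /AccEptEula /Quiet /Minimized /BackingFile C:\Temp\trace.pml"},
    {"Image": r"C:\Temp\helper.exe", "User": r"CORP\svc_build",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "helper.exe -accepteula -run"},
    {"Image": r"C:\Temp\setup.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "setup.exe --accept-eula /quiet"},
    {"Image": r"C:\Users\jdoe\Downloads\accepteula_notes.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\jdoe\Downloads\accepteula_notes.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a real pipeline the enrichment fields are what make the low-level alert actionable: a PsExec launch with a remote host on the command line from an account that does not normally administer that host is worth escalating, while a known build helper that happens to accept the same switch can be tuned out by image path.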
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2017-08-28