Suspicious Execution Of Renamed Sysinternals Tools - Registry

Sigma Rules

Summary
This rule detects Sysinternals tools being run under a name other than their default executable name. Most Sysinternals utilities record acceptance of their licence in a per-tool registry location (HKCU\Software\Sysinternals\<Tool>\EulaAccepted), written when the user accepts the EULA dialog or starts the tool with the -accepteula switch. The rule selects registry key creation events whose target object ends with '\EulaAccepted' for the Sysinternals tools it lists, then excludes events in which the creating image carries that tool's expected executable name. What remains is a Sysinternals binary that wrote its own EULA marker while running under an unexpected name, which is a common way for an attacker to use legitimate utilities such as PsExec or ProcDump while evading name-based detection; the rule is mapped to the MITRE ATT&CK Resource Development tactic (obtaining capabilities in the form of tools). It is assigned level 'high' because a renamed copy of an administrative tool has little legitimate reason to exist, and it applies to Windows endpoints with registry telemetry such as Sysmon. Expect false positives from administrators or deployment packages that legitimately ship renamed copies of these tools; tune the filter list of image names accordingly rather than suppressing the rule.
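The following is an added example, not the Sigma rule itself or any Sigma backend code, that re-implements the logic described above over constructed registry events. It assumes events shaped like Sysmon Event ID 12 (CreateKey) records reduced to EventType, TargetObject and Image fields, that the EULA marker sits under ...\Sysinternals\<Tool>\EulaAccepted, and that a legitimately named binary is <Tool>.exe or <Tool>64.exe (plus a small override table for tools whose key name differs from the executable, such as Process Explorer). The real rule carries explicit per-tool lists of key suffixes and image names, which this page does not reproduce; deriving the expected name from the key path is an approximation chosen for the example.

```python
"""Re-implementation of the renamed-Sysinternals detection logic (added example).

Assumptions not taken from the page: event field names follow Sysmon Event ID 12
(EventType, TargetObject, Image); the EULA marker path ends in
\\Sysinternals\\<Tool>\\EulaAccepted; a non-renamed binary is named <Tool>.exe or
<Tool>64.exe, with explicit overrides where the key name differs from the exe.
"""
import ntpath
import re

# Tail of the key path the rule keys on; captures the per-tool key name.
EULA_KEY_RE = re.compile(r"\\Sysinternals\\([^\\]+)\\EulaAccepted$", re.IGNORECASE)

# Tools whose registry key name is not the executable name (assumption based on
# the author's knowledge of the suite; the real rule lists every tool explicitly).
KEY_TO_IMAGE_OVERRIDES = {
    "process explorer": {"procexp.exe", "procexp64.exe"},
}


def expected_images(tool: str) -> set[str]:
    """Executable names a legitimately named copy of `tool` may have (assumption)."""
    key = tool.lower()
    if key in KEY_TO_IMAGE_OVERRIDES:
        return KEY_TO_IMAGE_OVERRIDES[key]
    return {f"{key}.exe", f"{key}64.exe"}


def is_suspicious(event: dict) -> bool:
    """True when an EulaAccepted key was created by an image not named after the tool."""
    if event.get("EventType") != "CreateKey":
        return False
    match = EULA_KEY_RE.search(event.get("TargetObject", ""))
    if not match:
        return False
    tool = match.group(1)
    # ntpath handles Windows separators regardless of the host OS.
    image = ntpath.basename(event.get("Image", "")).lower()
    return image not in expected_images(tool)


def find_renamed_tools(events: list[dict]) -> list[dict]:
    """Apply the rule to a batch of events and return the matching ones."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    {  # benign: PsExec accepting its own EULA under its normal name
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\PsExec\EulaAccepted",
        "Image": r"C:\Tools\PsExec.exe",
    },
    {  # benign: 64-bit build name
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\ProcDump\EulaAccepted",
        "Image": r"C:\Tools\procdump64.exe",
    },
    {  # suspicious: ProcDump EULA marker written by a binary posing as svchost
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\ProcDump\EulaAccepted",
        "Image": r"C:\Users\Public\svchost.exe",
    },
    {  # suspicious: PsExec running as an innocuous-looking name
        "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\PsExec\EulaAccepted",
        "Image": r"C:\Windows\Temp\update.exe",
    },
    {  # unrelated key creation; ignored
        "EventType": "CreateKey",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "Image": r"C:\Windows\explorer.exe",
    },
    {  # value set on the EULA key (Event ID 13 shape), not a CreateKey; ignored here
        "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\PsExec\EulaAccepted",
        "Image": r"C:\Windows\Temp\update.exe",
    },
]

if __name__ == "__main__":
    for hit in find_renamed_tools(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} created {hit['TargetObject']}")
```

Running the script flags the two events whose creating image is not named after the tool and stays silent on the others. When porting this to a SIEM, keep the filter as a list of known-good image names and extend it for every tool the rule covers; widening the match on the key path alone, without the name comparison, would alert on every legitimate first run of a Sysinternals tool.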
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2022-08-24