← Back to SOC feed Coverage →

Potential Execution of Sysinternals Tools

sigma LOW SigmaHQ
T1588.002
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-22T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects command lines that contain the ‘accepteula’ flag which could be a sign of execution of one of the Sysinternals tools

Detection Rule

Sigma (Original)

title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains " -accepteula" or TargetProcessCommandLine contains " /accepteula" or TargetProcessCommandLine contains " –accepteula" or TargetProcessCommandLine contains " —accepteula" or TargetProcessCommandLine contains " ―accepteula"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml