
PUA - Sysinternals Tools Execution - Registry

sigma MEDIUM SigmaHQ
T1588.002
imRegistry
lateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-31T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the execution of Sysinternals tools such as PsExec and ProcDump, which some environments classify as potentially unwanted applications (PUA), by catching the registry write made when a tool's EULA is accepted: a value named EulaAccepted under HKCU\Software\Sysinternals\<tool>, or directly under HKCU\Software\Sysinternals for suite-wide acceptance. The value is written whether the EULA dialog is clicked through or suppressed with -accepteula, so the hunt does not depend on process or command-line telemetry, only on registry value-set events (Sysmon Event ID 13 or an equivalent source).

Detection Rule

Sigma (Original)

title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml

KQL (Azure Sentinel)

imRegistry
| where EventType == "RegistryValueSet"
| where RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals"
| where RegistryValue =~ "EulaAccepted"

Field mapping note: Sysmon's TargetObject carries the key path and the value name in one string, which is what the Sigma endswith '\EulaAccepted' test relies on. The ASIM imRegistry schema splits them into RegistryKey (key path) and RegistryValue (value name), so a literal translation that tests RegistryKey endswith "\\EulaAccepted" never matches; the value name has to be checked in RegistryValue.

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals"
| where RegistryValueName =~ "EulaAccepted"

Field mapping note: in DeviceRegistryEvents the key path is RegistryKey and the value name is RegistryValueName, so the Sigma endswith '\EulaAccepted' condition must be applied to RegistryValueName. Testing RegistryKey endswith "\\EulaAccepted" never matches in this table.
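The rule's selection logic implemented in Python and run over constructed Sysmon Event ID 13 records, as an added example that is not part of the SigmaHQ rule or of this feed. It demonstrates three behaviours of the rule: the suite-wide EulaAccepted value is caught by the '\Sysinternals' marker, a bare marker such as '\Handle' also matches an unrelated vendor key of that name, and a key path that does not carry the value name never satisfies the endswith test, which is why records from schemas that split key and value name (Defender, ASIM) have to be re-joined first. The SID, the Contoso path and the sample events are constructed; hku, tool_from_target and summarize are helpers written for this example.

```python
import re

# Markers taken from the rule's TargetObject|contains list. Sigma string
# modifiers are case-insensitive by default, so everything is lower-cased.
TOOL_MARKERS = (
    r"\Active Directory Explorer", r"\Handle", r"\LiveKd", r"\Process Explorer",
    r"\ProcDump", r"\PsExec", r"\PsLoglist", r"\PsPasswd", r"\SDelete",
    r"\Sysinternals",
)


def rule_matches(target_object: str) -> bool:
    """The rule's selection: TargetObject contains one marker AND ends with
    '\\EulaAccepted'. The value name must be part of the string."""
    t = target_object.lower()
    return t.endswith(r"\eulaaccepted") and any(m.lower() in t for m in TOOL_MARKERS)


def target_object_from_key_and_value(registry_key: str, value_name: str) -> str:
    """Rebuild a Sysmon-style TargetObject from schemas that split the key
    path and value name into separate fields (Defender's RegistryKey +
    RegistryValueName, ASIM's RegistryKey + RegistryValue). Testing
    'endswith EulaAccepted' against the key path alone never matches."""
    return registry_key.rstrip("\\") + "\\" + value_name


# Sysmon renders HKCU as HKU\<user SID>\...; pull the SID out for triage.
_HKU_SID = re.compile(r"^HKU\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)


def tool_from_target(target_object: str) -> str:
    """Name of the tool that wrote the value. A value directly under
    ...\\Sysinternals is the suite-wide acceptance ('global'); for paths with
    no Sysinternals component (a marker such as '\\Handle' matching an
    unrelated vendor key) report the parent key name instead."""
    parts = target_object.split("\\")
    low = [p.lower() for p in parts]
    if "sysinternals" in low:
        i = low.index("sysinternals")
        return "global" if i == len(parts) - 2 else parts[i + 1]
    return parts[-2]


def summarize(events):
    """Apply the rule to Sysmon-style records and return
    (event id, user SID or None, tool) for every hit."""
    hits = []
    for ev in events:
        tobj = ev["TargetObject"]
        if not rule_matches(tobj):
            continue
        m = _HKU_SID.match(tobj)
        hits.append((ev["id"], m.group(1) if m else None, tool_from_target(tobj)))
    return hits


# Constructed sample data (not real telemetry). The SID is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def hku(path: str) -> str:
    """HKU\\<SID>\\<path>, the form Sysmon uses for the current user's hive."""
    return "HKU\\" + SID + "\\" + path


# Ids 1-5 mimic Sysmon Event ID 13 TargetObject values; id 6 is rebuilt from
# Defender-style split fields so the same predicate can be applied to it.
SAMPLE_EVENTS = [
    {"id": 1, "TargetObject": hku(r"Software\Sysinternals\PsExec\EulaAccepted")},
    {"id": 2, "TargetObject": hku(r"Software\Sysinternals\EulaAccepted")},  # suite-wide
    {"id": 3, "TargetObject": hku(r"Software\Sysinternals\ProcDump\EulaAccepted")},
    {"id": 4, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 5, "TargetObject": hku(r"Software\Contoso\Handle\EulaAccepted")},  # bare-marker false positive
    {"id": 6, "TargetObject": target_object_from_key_and_value(
        r"HKEY_CURRENT_USER\SOFTWARE\Sysinternals\SDelete", "EulaAccepted")},
]

if __name__ == "__main__":
    for event_id, sid, tool in summarize(SAMPLE_EVENTS):
        print(f"event {event_id}: user={sid} tool={tool}")
```

Event 4 is the only record that does not fire; event 5 fires even though nothing under that path is a Sysinternals tool, which is the tuning point for the bare markers in the list.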

Required Data Sources

Sentinel Table    Notes
imRegistry        Ensure this data connector is enabled. imRegistry is the ASIM registry parser, not a raw table; it only returns rows when an underlying source is populated, for example Sysmon Event ID 13 ingested through the Windows events connector, or DeviceRegistryEvents ingested through the Microsoft Defender connector.

False Positive Guidance

The rule's falsepositives entry is legitimate use of Sysinternals tools, and the suggested tuning is to filter the registry paths that correspond to normal administrator use in your environment. Because the value lives in the user's hive (Sysmon renders it as HKU\<SID>\Software\Sysinternals\...), a hit ties the EULA acceptance to a specific account on a specific host, so build exclusions on account and host rather than on the tool name alone.

The match is on the registry write itself. It fires whether the EULA dialog was clicked through, suppressed with -accepteula, or the value was pre-populated with reg add, provided the event source records the value-set event for that path. Conversely, a Sysmon configuration whose RegistryEvent rules do not include HKCU\Software\Sysinternals produces no such events, and the rule will silently never fire; confirm coverage before relying on it.

Markers such as '\Handle' and '\Process Explorer' are bare substrings, so any non-Sysinternals key with that name that carries an EulaAccepted value also matches. Check that the path contains \Sysinternals before treating a hit as Sysinternals tool execution.

MITRE ATT&CK Context

Tactic: Resource Development (TA0042). Technique: Obtain Capabilities: Tool (T1588.002), as tagged in the rule (attack.resource-development, attack.t1588.002). The tagging covers the adversary staging a third-party tool on the host; what the tool is then used for is not captured by this rule. The lateral-movement label on this page is not one of the rule's ATT&CK tags: PsExec is commonly used for remote execution, so a PsExec hit is worth correlating with lateral-movement detections, and a ProcDump hit with credential-access detections.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml