Detects the creation of the “accepteula” key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
# Please add new values while respecting the alphabetical order
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\ProcDump'
- '\Process Explorer'
- '\PsExec'
- '\PsLoggedon'
- '\PsLoglist'
- '\PsPasswd'
- '\PsPing'
- '\PsService'
- '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
# Please add new values while respecting the alphabetical order
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\PsExec.exe'
- '\PsExec64.exe'
- '\PsLoggedon.exe'
- '\PsLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\PsPing.exe'
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\sdelete.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml
imRegistry
| where ((RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoggedon" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\PsPing" or RegistryKey contains "\\PsService" or RegistryKey contains "\\SDelete") and RegistryKey endswith "\\EulaAccepted") and (not((ActingProcessName endswith "\\ADExplorer.exe" or ActingProcessName endswith "\\ADExplorer64.exe" or ActingProcessName endswith "\\handle.exe" or ActingProcessName endswith "\\handle64.exe" or ActingProcessName endswith "\\livekd.exe" or ActingProcessName endswith "\\livekd64.exe" or ActingProcessName endswith "\\procdump.exe" or ActingProcessName endswith "\\procdump64.exe" or ActingProcessName endswith "\\procexp.exe" or ActingProcessName endswith "\\procexp64.exe" or ActingProcessName endswith "\\PsExec.exe" or ActingProcessName endswith "\\PsExec64.exe" or ActingProcessName endswith "\\PsLoggedon.exe" or ActingProcessName endswith "\\PsLoggedon64.exe" or ActingProcessName endswith "\\psloglist.exe" or ActingProcessName endswith "\\psloglist64.exe" or ActingProcessName endswith "\\pspasswd.exe" or ActingProcessName endswith "\\pspasswd64.exe" or ActingProcessName endswith "\\PsPing.exe" or ActingProcessName endswith "\\PsPing64.exe" or ActingProcessName endswith "\\PsService.exe" or ActingProcessName endswith "\\PsService64.exe" or ActingProcessName endswith "\\sdelete.exe")))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |