
Usage of Renamed Sysinternals Tools - RegistrySet

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1588.002 · Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-31T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a process that is not a known Sysinternals binary writing the EulaAccepted ("accepteula") registry value under a Sysinternals tool key. That value is normally set only when a Sysinternals tool itself is executed, so a write from a differently named image points to a renamed copy of the tool.

Detection Rule

Sigma (Original)

title: Usage of Renamed Sysinternals Tools - RegistrySet
id: 8023f872-3f1d-4301-a384-801889917ab4
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: f50f3c09-557d-492d-81db-9064a8d4e211
      type: similar
status: test
description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\PsExec'
            - '\ProcDump'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\Active Directory Explorer'
        TargetObject|endswith: '\EulaAccepted'
    filter_main_image_names:
        Image|endswith:
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
    filter_optional_null:
        Image: null # Race condition with some logging tools
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imRegistry
| where (
        (RegistryKey contains "\\PsExec"
         or RegistryKey contains "\\ProcDump"
         or RegistryKey contains "\\Handle"
         or RegistryKey contains "\\LiveKd"
         or RegistryKey contains "\\Process Explorer"
         or RegistryKey contains "\\PsLoglist"
         or RegistryKey contains "\\PsPasswd"
         or RegistryKey contains "\\Active Directory Explorer")
        and RegistryKey endswith "\\EulaAccepted"
    )
    and (not(
        (ActingProcessName endswith "\\PsExec.exe"
         or ActingProcessName endswith "\\PsExec64.exe"
         or ActingProcessName endswith "\\procdump.exe"
         or ActingProcessName endswith "\\procdump64.exe"
         or ActingProcessName endswith "\\handle.exe"
         or ActingProcessName endswith "\\handle64.exe"
         or ActingProcessName endswith "\\livekd.exe"
         or ActingProcessName endswith "\\livekd64.exe"
         or ActingProcessName endswith "\\procexp.exe"
         or ActingProcessName endswith "\\procexp64.exe"
         or ActingProcessName endswith "\\psloglist.exe"
         or ActingProcessName endswith "\\psloglist64.exe"
         or ActingProcessName endswith "\\pspasswd.exe"
         or ActingProcessName endswith "\\pspasswd64.exe"
         or ActingProcessName endswith "\\ADExplorer.exe"
         or ActingProcessName endswith "\\ADExplorer64.exe")
    ))
    and (not(isnull(ActingProcessName)))
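To make the three parts of the condition concrete (the selection, the expected-image filter and the null-image filter), here is an added Python re-implementation of the Sigma and KQL logic above, run over a handful of constructed registry_set events. It is example code written for this page, not part of the SigmaHQ rule or the feed's tooling; the RegistrySetEvent class, the field names target_object and image, and the sample key paths and binary names are assumptions chosen to mirror the rule's TargetObject and Image fields.

```python
# Added example (not SigmaHQ's or the feed's code): the detection logic of
# "Usage of Renamed Sysinternals Tools - RegistrySet" re-implemented in Python
# and evaluated against constructed registry_set events.
from dataclasses import dataclass
from typing import List, Optional

# Fragments from the rule's selection (TargetObject|contains)
TOOL_KEY_FRAGMENTS = (
    "\\PsExec", "\\ProcDump", "\\Handle", "\\LiveKd", "\\Process Explorer",
    "\\PsLoglist", "\\PsPasswd", "\\Active Directory Explorer",
)
EULA_VALUE_SUFFIX = "\\EulaAccepted"  # TargetObject|endswith

# Expected writer binaries from filter_main_image_names (Image|endswith)
EXPECTED_IMAGES = (
    "\\PsExec.exe", "\\PsExec64.exe", "\\procdump.exe", "\\procdump64.exe",
    "\\handle.exe", "\\handle64.exe", "\\livekd.exe", "\\livekd64.exe",
    "\\procexp.exe", "\\procexp64.exe", "\\psloglist.exe", "\\psloglist64.exe",
    "\\pspasswd.exe", "\\pspasswd64.exe", "\\ADExplorer.exe", "\\ADExplorer64.exe",
)


@dataclass(frozen=True)
class RegistrySetEvent:
    """Assumed minimal shape of a registry_set event: only the two fields the rule reads."""
    target_object: str          # Sigma TargetObject / Sentinel RegistryKey
    image: Optional[str]        # Sigma Image / Sentinel ActingProcessName; None = missing


# Sigma's contains/endswith modifiers match case-insensitively, so normalise both sides.
def _ci_contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def _ci_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def selection_matches(ev: RegistrySetEvent) -> bool:
    """selection: key names a Sysinternals tool AND the value written is EulaAccepted."""
    return any(_ci_contains(ev.target_object, f) for f in TOOL_KEY_FRAGMENTS) and \
        _ci_endswith(ev.target_object, EULA_VALUE_SUFFIX)


def filter_main_image_names(ev: RegistrySetEvent) -> bool:
    """filter_main_image_names: the writer is one of the expected Sysinternals binaries."""
    return ev.image is not None and any(_ci_endswith(ev.image, i) for i in EXPECTED_IMAGES)


def filter_optional_null(ev: RegistrySetEvent) -> bool:
    """filter_optional_null: Image absent (race condition with some logging tools)."""
    return ev.image is None


def rule_matches(ev: RegistrySetEvent) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection_matches(ev) and not filter_main_image_names(ev) and not filter_optional_null(ev)


# Constructed sample events (assumed key layout HKU\<SID>\Software\Sysinternals\<Tool>\EulaAccepted).
SAMPLE_EVENTS: List[RegistrySetEvent] = [
    # 0: genuine PsExec64.exe accepting the EULA -> filtered by image name, no alert
    RegistrySetEvent("HKU\\S-1-5-21-1111\\Software\\Sysinternals\\PsExec\\EulaAccepted",
                     "C:\\Tools\\PsExec64.exe"),
    # 1: same value written by an image with an unrelated name -> alert
    RegistrySetEvent("HKU\\S-1-5-21-1111\\Software\\Sysinternals\\PsExec\\EulaAccepted",
                     "C:\\Users\\Public\\svchost_update.exe"),
    # 2: Image missing from the event (logging race) -> suppressed by filter_optional_null
    RegistrySetEvent("HKU\\S-1-5-21-1111\\Software\\Sysinternals\\ProcDump\\EulaAccepted", None),
    # 3: a different value under a tool key, not EulaAccepted -> selection does not match
    RegistrySetEvent("HKU\\S-1-5-21-1111\\Software\\Sysinternals\\Handle\\SomeOther",
                     "C:\\x.exe"),
    # 4: Process Explorer EULA value written by a renamed copy -> alert
    RegistrySetEvent("HKCU\\Software\\Sysinternals\\Process Explorer\\EulaAccepted",
                     "C:\\ProgramData\\pe.exe"),
]


def evaluate(events: List[RegistrySetEvent]) -> List[int]:
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev.image} wrote {ev.target_object}")
```

Running the block alerts on events 1 and 4 only. Note what the null filter does: an event whose Image field never arrived is dropped rather than alerted on, which trades a blind spot for silence; if your registry telemetry reliably populates Image, consider removing that filter when porting the rule.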

Required Data Sources

Sentinel Table   Notes
imRegistry       Ensure this data connector is enabled

False Positive Guidance

The rule authors rate false positives as unlikely: the EulaAccepted value under a Sysinternals tool key is written by the tool itself, and the expected binaries are excluded by filter_main_image_names. Only the image names listed there are excluded, so a Sysinternals tool an administrator has deliberately renamed, or a build whose file name is not in that list, will fire; add such images to filter_main_image_names rather than loosening the selection. Events with no Image field (a race condition with some logging tools) are suppressed by filter_optional_null instead of being alerted on.

MITRE ATT&CK Context

T1588.002 Obtain Capabilities: Tool, under the Resource Development tactic (rule tags attack.resource-development and attack.t1588.002).

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml