security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eb22807ddc4e4e766380c78bdbcfc7079dd32d49
blue-team-tools/rules/windows/process_creation/process_creation_sysinternals_eula_accepted.yml
T
frack113 3db427873a split sysinternals eula and uac bypass
2021-09-12 09:38:05 +02:00

26 lines
741 B
YAML
Raw Blame History

title: Usage of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
modified: 2021/09/12
author: Markus Neis
tags:
- attack.resource_development
- attack.t1588.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' -accepteula'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
level: low
Reference in New Issue View Git Blame Copy Permalink