Sysinternals Tools AppX Versions Execution

Rule Info

Name
Sysinternals Tools AppX Versions Execution
Description
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
Reference
Internal Research
Modified
None
Date
2023-01-16 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Tags
attack.defense_evasion DEMO attack.execution
Id
d29a20b2-be4b-4827-81f2-3d8a59eab5fc
Type
Community Rule

Rule History

Author
Commit
Title
Date
Wagga
fix: typos in multiple rules (#4011)
2023-02-06
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
Nasreddine Bencherchali
feat: new rules and updates
2023-01-17