Sysinternals Tools AppX Versions Execution

Rule Info

Name
Sysinternals Tools AppX Versions Execution
Description
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
Reference
Internal Research
Modified
None
Date
2023-01-16 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Tags
attack.defense_evasion DEMO attack.execution
Id
d29a20b2-be4b-4827-81f2-3d8a59eab5fc
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d29a20b2-be4b-4827-81f2-3d8a59eab5fc

Rule History

Author
Commit
Title
Date
Wagga
273fdb998
fix: typos in multiple rules (#4011)
2023-02-06
Nasreddine Bencherchali
7c38a5c49
chore: add nextron authors tag
2023-02-01
Nasreddine Bencherchali
85fb255bc
feat: new rules and updates
2023-01-17
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022