Sysinternals Tools AppX Versions Execution

Rule Info

Name
Sysinternals Tools AppX Versions Execution
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
Reference
Internal Research
Date
2023-01-16 00:00:00
Modified
2023-09-12 00:00:00
Id
d29a20b2-be4b-4827-81f2-3d8a59eab5fc
Tags
attack.defense_evasion attack.execution DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d29a20b2-be4b-4827-81f2-3d8a59eab5fc

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04
e230acd7e
Wagga
fix: typos in multiple rules (#4011)
2023-02-06
273fdb998
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
feat: new rules and updates
2023-01-17
85fb255bc
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022