PUA - Sysinternal Tool Execution - Registry

Severity: low
Author: Markus Neis
Source: upstream

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

MITRE ATT&CK coverage

Tactic	Techniques
Resource Development	`T1588.002` Obtain Capabilities: Tool

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

TargetObject|endswith: '\EulaAccepted'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TargetObject`	ends_with	`\EulaAccepted` corpus 4 (sigma 4)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Suspicious Execution Of Renamed Sysinternals Tools - Registry [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
PUA - Sysinternals Tools Execution - Registry [sigma] (adds 1 filter)
Usage of Renamed Sysinternals Tools - RegistrySet [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)