Detection rules › Sigma
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| AppModel-Runtime | 201 | Created process ProcessID for application ApplicationName in package PackageName. |
Stages and Predicates
Stage 1: selection
ImageName: [ADExplorer.exe, livekd.exe, procdump.exe, psexec.exe, psloglist.exe]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ImageName | eq |
|