SigmaHQ/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml

title: Usage of Sysinternals Tools 
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry 
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
author: Markus Neis
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: '*\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 15:36:22 +00:00			`title: Usage of Sysinternals Tools`
Rule: SysInternals EULA accept improved and renamed 2018-08-30 11:16:28 +00:00			`status: experimental`
Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 15:36:22 +00:00			`description: Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry`
			`references:`
			`- https://twitter.com/Moti_B/status/1008587936735035392`
			`date: 2017/08/28`
			`author: Markus Neis`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 13`
			`TargetObject: '*\EulaAccepted'`
			`condition: selection`
			`falsepositives:`
Rule: SysInternals EULA accept improved and renamed 2018-08-30 11:16:28 +00:00			`- Legitimate use of SysInternals tools`
Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 15:36:22 +00:00			`- Programs that use the same Registry Key`
Rule: SysInternals EULA accept improved and renamed 2018-08-30 11:16:28 +00:00			`level: low`
Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 15:36:22 +00:00