Skip to content
Threat Feed
high advisory

Suspicious Execution of Renamed Sysinternals Tools via Registry

This brief details a detection method for adversaries using renamed Sysinternals tools, a legitimate suite of utilities, to evade endpoint detection by triggering the `EulaAccepted` registry key creation, potentially leading to unauthorized system manipulation or data access on Windows systems.

This intelligence focuses on the detection of highly suspicious activity involving the Sysinternals Suite, a collection of legitimate, powerful utilities developed by Microsoft. Adversaries frequently leverage these tools for various post-exploitation activities, including process manipulation, system information gathering, and privilege escalation. To circumvent security detections that might flag the execution of standard Sysinternals tool names (e.g., PsExec.exe, ProcDump.exe), attackers often rename these executables. This brief highlights a detection opportunity centered around the creation of the EulaAccepted registry key, which is generated upon the first execution of a Sysinternals tool. When this key is created by an executable that does not match the known original Sysinternals filename, it strongly indicates an attempt at evasion, signaling potential malicious activity on Windows endpoints.

Impact

The successful execution of renamed Sysinternals tools allows adversaries to perform a wide range of actions on compromised Windows systems, often with elevated privileges. This could include dumping credentials, establishing persistence, monitoring system activity, or remotely executing commands, all while attempting to bypass standard security controls. Such evasion tactics enable attackers to remain undetected for longer periods, facilitating further malicious operations like data exfiltration, lateral movement, or the deployment of ransomware. The impact on an organization can range from data breaches and operational disruption to significant financial and reputational damage.

Recommendation

  • Deploy the Sigma rule "Suspicious Execution Of Renamed Sysinternals Tools - Registry" to your SIEM/EDR to detect this evasive technique.
  • Ensure Sysmon and Windows Registry logging are comprehensively enabled across all endpoints to capture registry_set events required for this detection.
  • Investigate all alerts generated by the "Suspicious Execution Of Renamed Sysinternals Tools - Registry" rule immediately to determine the origin and intent of the renamed Sysinternals tool execution.

Detection coverage 1

Suspicious Execution Of Renamed Sysinternals Tools - Registry

high

Detects the creation of the 'accepteula' key related to Sysinternals tools when executed from a renamed binary, indicating potential evasion.

sigma tactics: resource-development techniques: T1588.002 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →