You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/16
modified: 2023/09/12
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
service: appmodel-runtime
detection:
selection:
EventID: 201
ImageName:
- 'procdump.exe'
- 'psloglist.exe'
- 'psexec.exe'
- 'livekd.exe'
- 'ADExplorer.exe'
condition: selection
falsepositives:
- Legitimate usage of the applications from the Windows Store