Windows Server Update Service Spawning Suspicious Processes
Identifies suspicious processes being spawned by the Windows Server Update Service. This activity may indicate exploitation activity or access to an existing web shell backdoor.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/10/24"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious processes being spawned by the Windows Server Update Service.
This activity may indicate exploitation activity or access to an existing web shell backdoor.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Windows Server Update Service Spawning Suspicious Processes"
references = [
    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287",
    "https://hawktrace.com/blog/CVE-2025-59287"
]
risk_score = 73
rule_id = "1ac027c2-8c60-4715-af73-927b9c219e20"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "rundll32.exe", "curl.exe") and
  (
    (process.parent.name : "w3wp.exe" and process.parent.args : "WsusPool") or
    process.parent.name : "WsusService.exe"
  )
'''

note = """## Triage and analysis

### Investigating Windows Server Update Service Spawning Suspicious Processes

#### Possible investigation steps

- What does the alert-local WSUS parent-child path show?
  - Focus: child `process.executable` and `process.command_line`, plus `process.parent.name`, `process.parent.executable`, and `process.parent.args`, especially "w3wp.exe" with "WsusPool" or "WsusService.exe".
  - Implication: escalate when a WSUS web or service component launches a shell, PowerShell, "rundll32.exe", or "curl.exe" for interpreter, download, or proxy-execution behavior; lower suspicion only when the parent-child pair and arguments match a narrow recognized WSUS setup, cleanup, or repair pattern.
- Does the child command and binary identity fit bounded WSUS maintenance?
  - Why: WSUS children can inherit service context; visible user fields may not prove human initiation.
  - Focus: `process.command_line`, `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`/`trusted`, and child processes. $investigate_1
  - Hint: for PowerShell with script-block telemetry, anchor on `host.id` + `process.entity_id` or `host.id` + `process.pid` in a tight alert window. Reconstruct `powershell.file.script_block_id`, `powershell.total`, `powershell.sequence`, and `powershell.file.script_block_text`; missing script-block telemetry is unresolved, not benign.
  - Implication: escalate on encoded script content, external retrieval, discovery, archive, remote-admin, temp-path DLL activity, or a renamed/unsigned/mismatched child; lower suspicion only when command scope, path, PE identity, and signer all match the same narrow WSUS task. Identity alone does not clear the launch chain.
- Did the child stage payloads or WSUS-content artifacts?
  - Focus: process-scoped file `file.path`, `file.Ext.original.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier`; missing file telemetry is unresolved, not benign. $investigate_2
  - Hint: scope by `host.id` + `process.entity_id`, or `host.id` + `process.pid` if absent; check later starts where `process.executable` equals the written path.
  - Implication: escalate when the child writes scripts, DLLs, EXEs, archives, or renamed content under WSUS, IIS, temp, or user-writable paths, especially if later executed; lower suspicion only when writes stay inside the same narrow WSUS maintenance path.
- Did the child retrieve tooling, call back, or reach destinations outside the WSUS role?
  - Focus: process-scoped DNS `event.action`, `dns.question.name`, `dns.resolved_ip`, and connection `destination.ip`/`destination.port`; missing network telemetry is unresolved, not benign. $investigate_3
  - Hint: scope by `host.id` + `process.entity_id`, or `host.id` + `process.pid` if absent. Compare DNS "lookup_result" `dns.resolved_ip` with later `destination.ip` from the same process.
  - Implication: escalate when the child retrieves tools from public infrastructure, connects to rare or unrelated systems, or uses destinations inconsistent with WSUS update distribution; lower suspicion when the same process reaches only recognized internal mirrors, proxies, or vendor services that fit command and parent context.
- If local findings are suspicious or unresolved, does same-host scope show broader WSUS compromise?
  - Focus: related alerts on the same `host.id`, especially repeated WSUS-spawned tools and complementary webshell, credential-access, discovery, archive, or lateral-movement activity. $investigate_0
  - Range: start with the alert window; expand to 48 hours only if parent-child, command, artifact, or destination evidence remains suspicious or incomplete.
  - Implication: broaden containment when related alerts corroborate WSUS compromise or post-exploitation; keep scope local when surrounding activity is limited to one fully explained maintenance action.
- Escalate for unexplained service-side execution, payload staging, suspicious destinations, or broader WSUS compromise; close only when parent-child path, command intent, service context, binary identity, artifacts, destinations, and same-host scope prove one exact recognized WSUS maintenance or validation workflow; preserve artifacts and escalate when evidence is mixed or optional telemetry is missing.

### False positive analysis

- WSUS installation, post-install repair, cleanup, health-check, migration, or authorized CVE validation can launch bounded shell or PowerShell children from "WsusPool" or "WsusService.exe". Close only when parent `process.parent.name`/`process.parent.args`, child command, path, hash or signer, `user.id`, and `host.id` prove the same narrow task; artifact and destination telemetry should corroborate when available, and missing recovery that leaves staging or callback unresolved requires confirmation or escalation.
- Before creating an exception, validate stability across prior alerts for the same WSUS server: parent context, child path/hash/signer, exact `process.command_line`, `user.id`, `host.id`, and any bounded artifact or destination pattern. Avoid exceptions on "WsusService.exe", "w3wp.exe", `process.name`, or `host.id` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the parent context, child `process.executable`, `process.command_line`, signer or hash, `user.id`, `host.id`, and bounded artifact or destination evidence that proved the WSUS workflow. Create an exception only from that full stable pattern.
- If suspicious but unconfirmed, preserve the case export, process tree, child `process.entity_id`, `process.pid`, `process.command_line`, parent context, `user.id`, `host.id`, recovered staged paths, recovered DNS or destination indicators, and related-alert identifiers before containment. Apply reversible containment first: block confirmed malicious destinations, restrict inbound WSUS exposure on ports 8530/8531, limit external access to the affected service, or increase monitoring. Isolate the host only when artifact, destination, or related-alert evidence shows active compromise and the server role can tolerate disruption.
- If confirmed malicious, isolate the WSUS host or terminate the malicious child only after preserving process identifiers, command lines, parent context, hashes, staged paths, destination indicators, and related-alert evidence. Then disable the exposed WSUS service path or block inbound 8530/8531 until patched, scope other servers and accounts for confirmed indicators, remove only artifacts identified during triage, restore WSUS/IIS content, rotate exposed credentials if configuration material was accessed, apply the relevant Microsoft WSUS update, and retain case logs.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.args",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.parent.name",
    "process.parent.executable",
    "process.parent.command_line",
    "process.parent.args",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes of the suspicious WSUS child"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the suspicious child process"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for the suspicious child process"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
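The following is an added example, not part of the Elastic rule or its repository. It replays the rule's EQL conditions in plain Python over constructed ECS-style process events, then performs the same-process pivots the investigation guide calls for: file and network events scoped by `host.id` + `process.entity_id` (falling back to `host.id` + `process.pid`), with DNS `lookup_result` resolved IPs joined to later `destination.ip` values from the same process. The host ids, entity ids, file path, domain name and IP addresses are placeholders (203.0.113.0/24 is a documentation range); the functions `matches_rule`, `run_rule`, `pivot_same_process` and `triage` are this example's own names.

```python
"""Added example: Python mirror of the WSUS rule plus the guide's same-process pivots.
Not Elastic code; events are constructed sample data with ECS dotted names as keys."""

SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "powershell_ise.exe", "rundll32.exe", "curl.exe",
}


def matches_rule(ev):
    """Mirror of the EQL query: a Windows process start whose parent is the WSUS
    IIS worker (w3wp.exe carrying a WsusPool argument) or WsusService.exe.
    EQL's ':' operator is case-insensitive for strings, hence the lower()."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    if ev.get("host.os.type") != "windows":
        return False
    if ev.get("process.name", "").lower() not in SUSPICIOUS_CHILDREN:
        return False
    parent = ev.get("process.parent.name", "").lower()
    parent_args = {a.lower() for a in ev.get("process.parent.args", [])}
    return (parent == "w3wp.exe" and "wsuspool" in parent_args) or parent == "wsusservice.exe"


def run_rule(events):
    """Return the events the rule would alert on, in arrival order."""
    return [ev for ev in events if matches_rule(ev)]


def process_key(ev):
    """Scoping key from the guide: host.id + process.entity_id, else host.id + process.pid."""
    if ev.get("process.entity_id"):
        return (ev.get("host.id"), "entity", ev["process.entity_id"])
    return (ev.get("host.id"), "pid", ev.get("process.pid"))


def pivot_same_process(alert, events):
    """Collect what the alerted child did next: files it wrote and connections it
    made, each destination IP joined to the name the same process resolved earlier
    (the guide's lookup_result -> destination.ip comparison). Events are assumed
    to be in chronological order, so a connection is only joined to a prior lookup."""
    key = process_key(alert)
    resolved = {}  # ip -> dns.question.name, filled from lookup_result events
    files, connections = [], []
    for ev in events:
        if ev is alert or process_key(ev) != key:
            continue
        category = ev.get("event.category")
        if category == "file" and ev.get("file.path"):
            files.append(ev["file.path"])
        elif category == "network":
            if ev.get("event.action") == "lookup_result":
                for ip in ev.get("dns.resolved_ip", []):
                    resolved[ip] = ev.get("dns.question.name")
            elif ev.get("destination.ip"):
                ip = ev["destination.ip"]
                connections.append((ip, ev.get("destination.port"), resolved.get(ip)))
    return {"files": files, "connections": connections}


def triage(events):
    """Run the rule, then pivot on every alert; returns {child entity id: pivot report}."""
    return {process_key(a)[2]: pivot_same_process(a, events) for a in run_rule(events)}


# Constructed sample telemetry (placeholders throughout).
_PROC = {"event.category": "process", "event.type": "start", "host.os.type": "windows", "host.id": "host-A"}
SAMPLE_EVENTS = [
    # WSUS application pool worker launching PowerShell: should alert.
    {**_PROC, "process.entity_id": "p-100", "process.pid": 4100, "process.name": "powershell.exe",
     "process.parent.name": "w3wp.exe", "process.parent.args": ["w3wp.exe", "-ap", "WsusPool"]},
    # A different IIS application pool launching cmd.exe: not WSUS, no alert.
    {**_PROC, "process.entity_id": "p-101", "process.pid": 4101, "process.name": "cmd.exe",
     "process.parent.name": "w3wp.exe", "process.parent.args": ["w3wp.exe", "-ap", "DefaultAppPool"]},
    # WsusService.exe launching cmd.exe: should alert.
    {**_PROC, "process.entity_id": "p-102", "process.pid": 4102, "process.name": "cmd.exe",
     "process.parent.name": "WsusService.exe", "process.parent.args": ["WsusService.exe"]},
    # Interactive pwsh.exe from explorer.exe: no alert.
    {**_PROC, "process.entity_id": "p-103", "process.pid": 4103, "process.name": "pwsh.exe",
     "process.parent.name": "explorer.exe", "process.parent.args": ["explorer.exe"]},
    # Follow-on activity of p-100: a DLL written to a temp path, a DNS lookup, a connection.
    {"event.category": "file", "event.type": "creation", "host.id": "host-A",
     "process.entity_id": "p-100", "file.path": "C:\\Windows\\Temp\\update.dll"},
    {"event.category": "network", "event.action": "lookup_result", "host.id": "host-A",
     "process.entity_id": "p-100", "dns.question.name": "placeholder.example",
     "dns.resolved_ip": ["203.0.113.10"]},
    {"event.category": "network", "event.action": "connection_attempted", "host.id": "host-A",
     "process.entity_id": "p-100", "destination.ip": "203.0.113.10", "destination.port": 443},
    # Network event from an unrelated process on the same host: must stay out of the pivot.
    {"event.category": "network", "event.action": "connection_attempted", "host.id": "host-A",
     "process.entity_id": "p-999", "destination.ip": "10.0.0.5", "destination.port": 8530},
]

if __name__ == "__main__":
    for child, report in triage(SAMPLE_EVENTS).items():
        print(child, report)
```

Only `p-100` and `p-102` trip the rule; the pivot for `p-100` surfaces the temp-path DLL and a connection whose destination was resolved by the same process, which is the combination the guide says to escalate on. The `p-102` report comes back empty, which the guide treats as unresolved rather than benign when file or network telemetry is missing.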
Related rules
- Microsoft Exchange Worker Spawning Suspicious Processes
- Suspicious Execution from INET Cache
- Potential Foxmail Exploitation
- Unusual Execution via Microsoft Common Console File
- Command Execution via SolarWinds Process