Potential WSUS Abuse for Lateral Movement
Identifies potential Windows Server Update Services (WSUS) abuse to execute PsExec for lateral movement. WSUS is limited to executing Microsoft-signed binaries, which restricts the executables that can be used to tools published by Microsoft.
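[metadata]
creation_date = "2024/07/19"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
# The stack floor is set by the Windows integration change recorded in
# min_stack_comments; keep the two keys in step when bumping either.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

[rule]
author = ["Elastic"]
description = """
Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement.
WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published
by Microsoft.
"""
# Lookback window for each rule execution. Because timestamp_override is set
# to event.ingested (below), the window is evaluated against ingestion time
# rather than the event's own @timestamp.
from = "now-9m"
# One index pattern per data source enumerated in the "Data Source:" tags.
index = [
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
    "logs-system.security-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential WSUS Abuse for Lateral Movement"
references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
risk_score = 47
rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: a process started by the Windows Update client (wuauclt.exe)
# from the WSUS download/install directory that is PsExec, matched either by
# process name or by PE original file name. The leading `?` on
# process.pe.original_file_name marks it as an optional field, so events from
# sources that do not populate it still evaluate the process.name clause.
# The query is a TOML literal string ('''), so `\\` reaches EQL unchanged and
# is interpreted there as a single backslash in the path pattern.
# Coverage note: only PsExec is matched; any other binary delivered through the
# same WSUS path is outside this rule's scope and needs separate coverage.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" and
(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
'''

# MITRE ATT&CK mapping: T1210 (Exploitation of Remote Services) under the
# Lateral Movement tactic (TA0008).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"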
References
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Mounting Hidden or WebDav Remote Shares
- Remote File Copy to a Hidden Share
- AdFind Command Activity
- Adding Hidden File Attribute via Attrib