Potential WSUS Abuse for Lateral Movement

Identifies potential abuse of Windows Server Update Services (WSUS) to execute PsExec for lateral movement. The Windows Update client only installs Microsoft-signed binaries, so an attacker who controls what a client receives from WSUS is limited to tools published by Microsoft; PsExec is the usual choice, and this rule looks for it being launched by the update client from the update install directory.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/07/19"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies potential abuse of Windows Server Update Services (WSUS) to execute PsExec for lateral movement.
WSUS clients only run Microsoft-signed binaries, which limits the executables an attacker can deliver this way to
tools published by Microsoft.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Potential WSUS Abuse for Lateral Movement"
references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
risk_score = 47
rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: System",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
process.executable : (
    "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*",
    "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*"
) and
(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential WSUS Abuse for Lateral Movement

Windows Server Update Services (WSUS) distributes updates for Microsoft products, and the Windows Update client on each host will only install binaries that carry a Microsoft signature. An adversary who can control what a client receives from WSUS (for example by spoofing the WSUS server when clients reach it over plain HTTP) can therefore push a Microsoft-signed tool such as PsExec as an "update" and have the update client launch it with attacker-chosen arguments. The rule looks for PsExec started by wuauclt.exe from the update install directory, which is the footprint of that technique.

### Possible investigation steps

- Review the alert details to confirm the presence of the suspicious process execution, specifically checking for the parent process name "wuauclt.exe" and the child process name "psexec64.exe" or original file name "psexec.c".
- Examine the process execution path to verify if it matches the specified directories: "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" or "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*".
- Investigate the source and destination hosts involved in the alert to determine if there are any unauthorized or unexpected connections, focusing on potential lateral movement activities.
- Check the timeline of events leading up to and following the alert to identify any other suspicious activities or patterns that may indicate a broader attack.
- Correlate the alert with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and confirm the legitimacy of the activity.
- Assess the user accounts involved in the process execution to ensure they are legitimate and have not been compromised, paying attention to any anomalies in user behavior or access patterns.

### False positive analysis

- The rule only fires on PsExec started by wuauclt.exe from the update install directory, so ordinary administrative use of PsExec (from a tools folder, a file share, or a deployment system) does not match and needs no exception.
- The one legitimate way to match is an update package that really does deliver PsExec through WSUS, for example a locally published third-party package. Confirm the package in the WSUS console before treating the alert as benign, and scope any exception to that package's hash and execution path rather than to an account or a time window.
- Security or monitoring tools that run PsExec for scanning or remediation do not do so as a child of wuauclt.exe; if such a tool appears to match, check whether it is in fact being deployed through WSUS as above before excluding it by process name or parent process.
- Test environments where PsExec is deliberately pushed through WSUS can be excluded by hostname or IP range in the rule exceptions, but keep the rule active for production update clients.

### Response and remediation

- Isolate the affected system immediately to prevent further lateral movement within the network. Disconnect it from the network or use network segmentation to contain the threat.
- Terminate any suspicious processes identified as PsExec executions initiated by WSUS, specifically those matching the query criteria, to stop any ongoing malicious activity.
- Conduct a thorough review of the affected system's update logs and WSUS configuration to identify any unauthorized changes or updates that may have been exploited. In particular, check the WSUS server URL set by policy under HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate, whether it points at the expected server, and whether it is reached over plain HTTP rather than HTTPS.
- Remove any unauthorized or malicious binaries found in the specified directories (e.g., Windows\\SoftwareDistribution\\Download\\Install) to prevent further execution.
- Reset credentials for any accounts that may have been compromised or used in the lateral movement attempt, especially those with administrative privileges.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected.
- Implement enhanced monitoring and logging for WSUS activities and PsExec executions to detect and respond to similar threats more effectively in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
...
```
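To make the query's behaviour concrete, here is a plain-Python re-implementation of its predicate run over a handful of constructed process-start events. This is an added example, not Elastic's code: it emulates EQL's `:` operator (case-insensitive wildcard match where `*` is any run of characters and `?` is exactly one character) and the `?field` optional-field semantics, so the same events the triage steps tell you to inspect (parent name, executable path, process name, PE original file name) can be checked by hand. The sample events and the non-PsExec file names in them are made up.

```python
"""Plain-Python re-implementation of the EQL predicate in the rule above.

Added example, not Elastic's code: it emulates EQL's ':' operator (case-insensitive
wildcard match where '*' is any run of characters and '?' is exactly one character)
and the '?field' optional-field semantics, then runs the rule over constructed events.
"""
import re
from typing import Any, Dict, List, Optional

# The patterns as EQL evaluates them: the TOML query writes "\\" for each separator,
# which the EQL string literal turns into a single backslash.
INSTALL_DIR_PATTERNS = (
    r"?:\Windows\SoftwareDistribution\Download\Install\*",
    r"\Device\HarddiskVolume?\Windows\SoftwareDistribution\Download\Install\*",
)
PSEXEC_NAME = "psexec64.exe"
PSEXEC_ORIGINAL_FILE_NAME = "psexec.c"


def eql_wildcard_match(pattern: str, value: Optional[str]) -> bool:
    """Emulate EQL ':' on a single pattern. A missing value (None) never matches,
    which is how '?process.pe.original_file_name' behaves when the field is absent."""
    if value is None:
        return False
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_wsus_psexec_rule(event: Dict[str, Any]) -> bool:
    """True when an ECS-style process event (flat dotted keys) satisfies the query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_wildcard_match("wuauclt.exe", event.get("process.parent.name")):
        return False
    if not any(eql_wildcard_match(p, event.get("process.executable")) for p in INSTALL_DIR_PATTERNS):
        return False
    return eql_wildcard_match(PSEXEC_NAME, event.get("process.name")) or eql_wildcard_match(
        PSEXEC_ORIGINAL_FILE_NAME, event.get("process.pe.original_file_name")
    )


# Constructed sample events (not real telemetry); file names other than PsExec are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # 0: signed PsExec64 delivered by the update client into the install directory
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "wuauclt.exe",
        "process.executable": r"C:\Windows\SoftwareDistribution\Download\Install\PsExec64.exe",
        "process.name": "PsExec64.exe",
        "process.pe.original_file_name": "psexec.c",
    },
    {  # 1: renamed PsExec, device-path form; only the PE original file name gives it away
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "wuauclt.exe",
        "process.executable": r"\Device\HarddiskVolume3\Windows\SoftwareDistribution\Download\Install\svc.exe",
        "process.name": "svc.exe",
        "process.pe.original_file_name": "psexec.c",
    },
    {  # 2: an admin running PsExec from a tools folder: wrong parent and path, no alert
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "cmd.exe",
        "process.executable": r"C:\Tools\PsExec64.exe",
        "process.name": "PsExec64.exe",
        "process.pe.original_file_name": "psexec.c",
    },
    {  # 3: a genuine update installer spawned by wuauclt.exe (hypothetical name), no alert
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "wuauclt.exe",
        "process.executable": r"C:\Windows\SoftwareDistribution\Download\Install\UpdateInstaller.exe",
        "process.name": "UpdateInstaller.exe",
    },
    {  # 4: same as 1 but on HarddiskVolume12: the single-character '?' does not cover it
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "wuauclt.exe",
        "process.executable": r"\Device\HarddiskVolume12\Windows\SoftwareDistribution\Download\Install\svc.exe",
        "process.name": "svc.exe",
        "process.pe.original_file_name": "psexec.c",
    },
]


def alerting_process_names(events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[str]:
    """Process names of the events the rule would alert on, in input order."""
    return [e["process.name"] for e in events if matches_wsus_psexec_rule(e)]


if __name__ == "__main__":
    print(alerting_process_names())  # ['PsExec64.exe', 'svc.exe']
```

Two things the walk-through makes visible. Event 4 shows that `\Device\HarddiskVolume?\...` only covers volume numbers 0 to 9, because `?` is a single-character wildcard in EQL; on a host where the update directory lives on a higher-numbered volume and the data source reports device paths, that event would be missed. Event 1 shows that a renamed 32-bit or 64-bit PsExec is caught only through `process.pe.original_file_name`, which is why that clause carries the `?` optional prefix: data sources that do not populate PE metadata (plain Windows security event logs, for instance) can still be queried without error, but they will only catch the literal `psexec64.exe` name.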
