Potential WSUS Abuse for Lateral Movement

Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/07/19"
 3integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/15"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement.
13WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published
14by Microsoft.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential WSUS Abuse for Lateral Movement"
21references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
22risk_score = 47
23rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
24severity = "medium"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Lateral Movement",
30    "Data Source: Elastic Endgame",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon",
33    "Data Source: SentinelOne",
34    "Data Source: Microsoft Defender for Endpoint",
35    "Data Source: System",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
42process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" and
43(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1210"
51name = "Exploitation of Remote Services"
52reference = "https://attack.mitre.org/techniques/T1210/"
53
54
55[rule.threat.tactic]
56id = "TA0008"
57name = "Lateral Movement"
58reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top