Potential WSUS Abuse for Lateral Movement
Identifies potential abuse of Windows Server Update Services (WSUS) to execute PsExec for lateral movement. WSUS is limited to executing Microsoft-signed binaries, which restricts the usable executables to tools published by Microsoft.
[metadata]
creation_date = "2024/07/19"
# Data sources this rule is maintained against. Each one has a matching
# index pattern and a "Data Source:" tag under [rule].
integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
# The Windows integration changed incompatibly at 8.14.0, which is why the
# minimum stack version below is pinned there.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/11/02"
8
[rule]
author = ["Elastic"]
description = """
Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement.
WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published
by Microsoft.
"""
# Look-back window for each rule execution. Because `timestamp_override` below
# is set to `event.ingested`, the window is measured against ingest time, so
# events that arrive late are still evaluated.
from = "now-9m"
# One pattern per data source listed in [metadata].integration. The query's
# `host.os.type == "windows"` guard narrows these mixed sources to Windows hosts.
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Potential WSUS Abuse for Lateral Movement"
# Background on the WSUS-spoofing technique this rule is written to catch.
references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
# 47 is the score Elastic conventionally pairs with severity "medium".
risk_score = 47
rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
severity = "medium"
# The "Data Source:" tags mirror [metadata].integration and the index patterns above.
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: System",
 "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic, clause by clause (all three must hold on one process-start event):
#   * Parent is `wuauclt.exe`, the Windows Update client. Per the referenced
#     write-up, a malicious update served by a spoofed WSUS server is executed
#     as a child of this process.
#   * The executable lives under `SoftwareDistribution\Download\Install`, the
#     staging location for update payloads. The second pattern covers the raw
#     `\Device\HarddiskVolume?` form that some sources report instead of a
#     drive letter.
#   * The binary is PsExec, identified either by name (`psexec64.exe`) or by
#     the PE original file name `psexec.c`. The `?` prefix is EQL optional-field
#     syntax: if an index mapping lacks `process.pe.original_file_name`, that
#     term evaluates as null instead of failing the query, so the name clause
#     still applies to sources without PE metadata.
# Only PsExec is covered here; other Microsoft-signed tools delivered the same
# way are out of scope for this rule.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
process.executable : (
 "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*",
 "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*"
) and
(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
'''
49
50
# MITRE ATT&CK mapping. The technique and tactic sub-tables below belong to
# this single [[rule.threat]] element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


# Tactic the technique above is filed under; matches the "Tactic: Lateral
# Movement" tag in [rule].
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
References
Related rules
- Execution via TSClient Mountpoint
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Remote File Copy to a Hidden Share
- Unusual Child Process of dns.exe
- Credential Acquisition via Registry Hive Dumping