Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
Sigma rule (View on GitHub)
1title: Windows Update Error
2id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
3status: stable
4description: |
5 Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
6references:
7 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
8author: frack113
9date: 2021/12/04
10modified: 2023/09/07
11tags:
12 - attack.impact
13 - attack.resource_development
14 - attack.t1584
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 Provider_Name: Microsoft-Windows-WindowsUpdateClient
21 EventID:
22 - 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
23 - 20 # Installation Failure: Windows failed to install the following update with error
24 - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error
25 - 213 # Revert Failure: Windows failed to revert the following update with error
26 - 217 # Commit Failure: Windows failed to commit the following update with error
27 condition: selection
28falsepositives:
29 - Unknown
30level: informational
References
-
Event Tracing For Windows (ETW) Resources. Contribute to nasbench/EVTX-ETW-Resources development by creating an account on GitHub.
Read More
Related rules
- Program Executions in Suspicious Folders
- Application Uninstalled
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Important Scheduled Task Deleted
- Locked Workstation