Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Sigma rule (View on GitHub)
1title: Suspicious Windows Update Agent Empty Cmdline
2id: 52d097e2-063e-4c9c-8fbb-855c8948d135
3status: test
4description: |
5 Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
6references:
7 - https://redcanary.com/blog/blackbyte-ransomware/
8author: Florian Roth (Nextron Systems)
9date: 2022/02/26
10modified: 2023/11/11
11tags:
12 - attack.defense_evasion
13 - attack.t1036
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\Wuauclt.exe'
20 - OriginalFileName: 'Wuauclt.exe'
21 selection_cli:
22 CommandLine|endswith:
23 - 'Wuauclt'
24 - 'Wuauclt.exe'
25 condition: all of selection*
26falsepositives:
27 - Unknown
28level: high
References
-
BlackByte ransomware leverages ProxyShell Microsoft Exchange vulnerabilities for initial access and Cobalt Strike for lateral movement.
Read More
Related rules
- Suspicious Calculator Usage
- System File Execution Location Anomaly
- Explorer Process Tree Break
- HackTool - XORDump Execution
- Process Memory Dump Via Comsvcs.DLL