Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Sigma rule
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: experimental
description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022/02/26
modified: 2022/05/13
tags:
    - attack.defense_evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Wuauclt.exe'
        - OriginalFileName: 'Wuauclt.exe'
    selection_cli:
        CommandLine|endswith: '\Wuauclt.exe'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
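The rule's detection logic expressed as a small Python evaluator run over constructed process_creation events, added here as an example and not part of the Sigma project or the rule author's code. It mirrors Sigma's default case-insensitive string matching; the event field names and sample values are constructed, not real telemetry.

```python
from typing import Dict, List, Optional

Event = Dict[str, Optional[str]]


def _endswith(value: Optional[str], suffix: str) -> bool:
    # Sigma string matching is case-insensitive unless a modifier says otherwise
    return value is not None and value.lower().endswith(suffix.lower())


def _equals(value: Optional[str], expected: str) -> bool:
    return value is not None and value.lower() == expected.lower()


def selection_img(event: Event) -> bool:
    # A list under a selection key is OR-ed: either field form is enough
    return (_endswith(event.get("Image"), r"\Wuauclt.exe")
            or _equals(event.get("OriginalFileName"), "Wuauclt.exe"))


def selection_cli(event: Event) -> bool:
    # The command line ends with the binary name, i.e. no flags follow it
    return _endswith(event.get("CommandLine"), r"\Wuauclt.exe")


def matches(event: Event) -> bool:
    # condition: all of selection*
    return selection_img(event) and selection_cli(event)


# Constructed sample process_creation events (not real telemetry)
SAMPLE_EVENTS: List[Event] = [
    {"name": "scheduled detection run",
     "Image": r"C:\Windows\System32\wuauclt.exe",
     "OriginalFileName": "Wuauclt.exe",
     "CommandLine": r"C:\Windows\System32\wuauclt.exe /detectnow"},
    {"name": "no arguments",
     "Image": r"C:\Windows\System32\wuauclt.exe",
     "OriginalFileName": "Wuauclt.exe",
     "CommandLine": r"C:\Windows\System32\wuauclt.exe"},
    {"name": "copied to user-writable path, no arguments",
     "Image": r"C:\Users\Public\updates\wuauclt.exe",
     "OriginalFileName": "Wuauclt.exe",
     "CommandLine": r"C:\Users\Public\updates\wuauclt.exe"},
    {"name": "quoted path, no arguments",  # trailing quote defeats endswith
     "Image": r"C:\Windows\System32\wuauclt.exe",
     "OriginalFileName": "Wuauclt.exe",
     "CommandLine": '"C:\\Windows\\System32\\wuauclt.exe"'},
    {"name": "unrelated service host",
     "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def alerting_events(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    # Names of the sample events the rule would fire on
    return [e["name"] for e in events if matches(e)]
```

Only the two flag-less unquoted invocations alert; the quoted-path event shows that a command line ending in a closing quote rather than the file name slips past the `endswith` selection as written, which is worth keeping in mind when tuning the rule.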
Related rules
- Interactive Bash Suspicious Children
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potentially Suspicious Execution From Tmp Folder
- Suspicious Child Process Of Wermgr.EXE
- Suspicious Computer Account Name Change CVE-2021-42287