Wusa Extracting Cab Files
Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract .cab files using the "/extract" argument, which is no longer supported on current Windows builds. This could indicate an attacker using an old technique (see the Sanny malware delivery method in the reference).
Sigma rule
```yaml
title: Wusa Extracting Cab Files
id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
status: test
description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract .cab files using the "/extract" argument, which is no longer supported. This could indicate an attacker using an old technique
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    condition: selection
falsepositives:
    - The "/extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)
level: medium
```
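The following is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's selection (both string modifiers are case-insensitive, as Sigma's default) to a handful of constructed process_creation events and then performs the triage the falsepositives note asks for, pulling the .cab path and the `/extract:` target out of the command line and flagging matches whose paths sit in user-writable directories. The event samples, the `USER_WRITABLE_DIRS` list and the `suspicious` heuristic are assumptions for illustration and should be tuned to your environment.

```python
import re

# Constructed sample process_creation events (not real telemetry). Field names
# follow the Sigma process_creation logsource for Windows.
SAMPLE_EVENTS = [
    {   # wusa.exe extracting a cab dropped in the user's temp folder
        "Image": r"C:\Windows\System32\wusa.exe",
        "CommandLine": r"wusa.exe C:\Users\bob\AppData\Local\Temp\update.cab /extract:C:\Users\bob\AppData\Local\Temp\out",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # normal MSU install, no /extract: -> must not match
        "Image": r"C:\Windows\System32\wusa.exe",
        "CommandLine": r"wusa.exe C:\Windows\Temp\KB5005565.msu /quiet /norestart",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # a different cab tool -> outside this rule's scope
        "Image": r"C:\Windows\System32\expand.exe",
        "CommandLine": r"expand.exe -F:* C:\Temp\a.cab C:\Temp\out",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # mixed-case invocation by a vendor installer; matches, but paths look benign
        "Image": r"C:\Windows\System32\wusa.exe",
        "CommandLine": r"WUSA.EXE C:\ProgramData\vendor\patch.cab /EXTRACT:C:\ProgramData\vendor\patch",
        "ParentImage": r"C:\ProgramData\vendor\installer.exe",
    },
]

# Assumed heuristic for triage only: locations a legitimate update cab would
# rarely be extracted from or into. Tune to your environment.
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\users\public", r"\downloads")

# /extract:<target> where target may be quoted; the cab argument is the first
# token ending in .cab (quoted or not).
_EXTRACT_RE = re.compile(r'/extract:("[^"]+"|\S+)', re.IGNORECASE)
_CAB_RE = re.compile(r'("[^"]+\.cab"|\S+\.cab)', re.IGNORECASE)


def sigma_match(event):
    """Rule selection: Image|endswith '\\wusa.exe' AND CommandLine|contains '/extract:'.
    Sigma string modifiers are case-insensitive by default, so compare lower-cased."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\wusa.exe") and "/extract:" in cmd


def triage(event):
    """Extract the cab path and the /extract: target from a matching event and
    flag it when either lives in a user-writable directory (assumed heuristic)."""
    cmd = event["CommandLine"]
    cab = _CAB_RE.search(cmd)
    target = _EXTRACT_RE.search(cmd)
    cab_path = cab.group(1).strip('"') if cab else None
    target_path = target.group(1).strip('"') if target else None
    paths = [p.lower() for p in (cab_path, target_path) if p]
    suspicious = any(d in p for p in paths for d in USER_WRITABLE_DIRS)
    return {
        "cab": cab_path,
        "target": target_path,
        "parent": event.get("ParentImage"),
        "suspicious": suspicious,
    }


def run(events):
    """Apply the rule to every event and return a triage record per hit."""
    return [triage(e) for e in events if sigma_match(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Of the four constructed events only the two wusa.exe invocations with `/extract:` match; the one reading a cab out of `AppData\Local\Temp` under a PowerShell parent is the hit worth escalating, while the vendor installer extracting from `ProgramData` is the kind of legitimate use the falsepositives note anticipates, so the parent image and the paths, not the rule match alone, decide the alert's priority.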