Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Sigma rule:

title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
    - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
      type: derived
status: test
description: |
    Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_root:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
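As an added illustration (not part of the rule or the SigmaHQ project), the Python below mirrors the rule's two selections and runs them over a few constructed process_creation events. Field names follow the rule; the endswith and contains modifiers are treated as case-insensitive, as Sigma applies them to Windows process logs.

```python
from typing import Dict, List

# Path fragments from the rule's selection_paths (the two commented-out
# entries, \Desktop\ and \Downloads\, are deliberately left out).
SUSPICIOUS_PATHS = [
    ":\\PerfLogs\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\Appdata\\Local\\Temp\\",
]


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'all of selection_*'."""
    # Sigma string modifiers are case-insensitive on Windows logs,
    # so both sides are lower-cased before comparison.
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_root = image.endswith("\\wusa.exe") and "/extract:" in cmd
    selection_paths = any(p.lower() in cmd for p in SUSPICIOUS_PATHS)
    return selection_root and selection_paths


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of process_creation events down to rule hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry from the page).
SAMPLE_EVENTS = [
    # Extraction into a world-writable directory: should match.
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe C:\\Users\\Public\\u.cab /extract:C:\\Users\\Public\\out"},
    # Extraction target under Windows\Temp: should match.
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe kb.cab /extract:C:\\Windows\\Temp\\drop"},
    # Ordinary update install, no /extract: argument: should not match.
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe C:\\Windows\\SoftwareDistribution\\Download\\kb.msu /quiet"},
    # Same path but a different image: selection_root fails.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c copy C:\\Users\\Public\\x.cab C:\\Windows\\Temp\\x.cab"},
    # Mixed case and a per-user AppData temp path: should still match.
    {"Image": "C:\\Windows\\System32\\WUSA.EXE",
     "CommandLine": "WUSA.EXE C:\\Users\\bob\\AppData\\Local\\Temp\\p.cab /EXTRACT:C:\\Users\\bob\\AppData\\Local\\Temp\\x"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("HIT:", hit["CommandLine"])
```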
Related rules
- Potential DLL Injection Via AccCheckConsole
- Windows Binary Executed From WSL
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Suspicious File Download From File Sharing Domain Via Curl.EXE