Wusa.EXE Extracting Cab Files From Suspicious Paths

Detects use of the "wusa.exe" (Windows Update Standalone Installer) utility to extract CAB files with the "/extract" argument from suspicious paths such as PerfLogs, Users\Public, Windows\Temp or a user's AppData\Local\Temp

Sigma rule (View on GitHub)

title: Wusa.EXE Extracting Cab Files From Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
status: test
description: Detects use of the "wusa.exe" (Windows Update Standalone Installer) utility to extract CAB files with the "/extract" argument from suspicious paths
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2023/11/28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # Both selections must match: wusa.exe invoked with the extract switch ...
    selection_root:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    # ... and a staging directory commonly used by malware anywhere on the command line
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            # User profile folders are left disabled by default to limit false positives
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
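The following is an added reference implementation of the two selections above, run over constructed process_creation events; it is not part of the SigmaHQ rule or the page. It assumes Sigma's default case-insensitive string matching for `endswith` and `contains`, and that an event exposes `Image` and `CommandLine` fields as a Sysmon Event ID 1 record would. The `include_user_dirs` flag is a hypothetical knob that turns on the two paths the rule ships commented out, to show how that tuning changes the hit set. All sample command lines are constructed, not captured telemetry.

```python
# Added example: evaluate the Sigma selections for this rule against sample events.
# Paths are written with doubled backslashes because a raw string cannot end in "\".

# selection_paths as shipped in the rule
SUSPICIOUS_PATHS = [
    ":\\PerfLogs\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\Appdata\\Local\\Temp\\",
]

# The entries the rule keeps commented out; enabling them raises false-positive volume
USER_DIR_PATHS = ["\\Desktop\\", "\\Downloads\\"]

# Constructed Sysmon-style process_creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wusa.exe",              # 0: hit (Users\Public)
     "CommandLine": r"wusa.exe C:\Users\Public\update.msu /extract:C:\Users\Public\out"},
    {"Image": "C:\\Windows\\System32\\wusa.exe",              # 1: hit (Windows\Temp)
     "CommandLine": r"wusa.exe C:\Windows\Temp\KB000.msu /extract:C:\Windows\Temp\kb"},
    {"Image": "C:\\Windows\\System32\\wusa.exe",              # 2: no hit, path not suspicious
     "CommandLine": r"wusa.exe /extract:C:\Staging\out C:\Staging\patch.msu"},
    {"Image": "C:\\Windows\\System32\\wusa.exe",              # 3: no hit, no /extract:
     "CommandLine": r"wusa.exe C:\Users\Public\update.msu /quiet /norestart"},
    {"Image": "C:\\Windows\\System32\\expand.exe",            # 4: no hit, wrong image
     "CommandLine": r"expand.exe C:\Users\Public\a.cab /extract:C:\Users\Public\b"},
    {"Image": "C:\\Windows\\System32\\wusa.exe",              # 5: hit only with user dirs on
     "CommandLine": r"wusa.exe C:\Users\bob\Downloads\kb.msu /extract:C:\Users\bob\Downloads\out"},
    {"Image": "C:\\Windows\\System32\\WUSA.EXE",              # 6: hit, mixed case
     "CommandLine": r"WUSA.EXE C:\ProgramData\x.msu /EXTRACT:C:\USERS\PUBLIC\out"},
]


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma `endswith` modifier (case-insensitive by default)."""
    return value.lower().endswith(suffix.lower())


def _contains_any_ci(value: str, needles) -> bool:
    """Sigma `contains` with a list value: any element matching is enough."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event: dict, include_user_dirs: bool = False) -> bool:
    """Return True when the event satisfies `all of selection_*` for this rule."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")

    # selection_root: wusa.exe invoked with the extract switch
    selection_root = _endswith_ci(image, "\\wusa.exe") and "/extract:" in cmd.lower()

    # selection_paths: a suspicious directory anywhere on the command line
    paths = SUSPICIOUS_PATHS + (USER_DIR_PATHS if include_user_dirs else [])
    selection_paths = _contains_any_ci(cmd, paths)

    return selection_root and selection_paths


def matching_indices(events, include_user_dirs: bool = False):
    """Indices of events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e, include_user_dirs)]


if __name__ == "__main__":
    print("default:", matching_indices(SAMPLE_EVENTS))
    print("with user dirs:", matching_indices(SAMPLE_EVENTS, include_user_dirs=True))
```

Event 2 shows the intended gap: extraction from a directory outside the list is not flagged, so the rule trades coverage for a low false-positive rate. Event 4 shows that the image check matters; a different extractor with the same arguments needs its own rule. Event 6 confirms that case does not affect matching, so an attacker cannot evade by changing the casing of the switch or the path.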
