Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths

Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.

Sigma rule

```yaml
title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
    - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
      type: derived
status: test
description: |
        Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_root:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
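To see what the two selections actually accept and reject, the following is an added example (not part of the rule or of the SigmaHQ project) that re-implements the rule's matching logic in plain Python and runs it over a handful of constructed process_creation events. It mirrors Sigma semantics that matter here: `contains` and `endswith` are case-insensitive by default, and the `condition: all of selection_*` means an event must satisfy both `selection_root` and `selection_paths`. The event dictionaries, paths and file names are made up for illustration.

```python
# Added example: the rule's matching logic re-implemented in Python and run
# over constructed sample events. Field names follow the Sigma process_creation
# log source (Image, CommandLine); the events themselves are invented.

# Copied from selection_paths in the rule. The two commented-out entries
# ('\Desktop\', '\Downloads\') are left out, as in the rule.
SUSPICIOUS_PATHS = (
    ":\\PerfLogs\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\Appdata\\Local\\Temp\\",
)


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule.

    Sigma's 'contains' and 'endswith' modifiers are case-insensitive unless
    the 'cased' modifier is used, so everything is compared after casefold().
    """
    image = event.get("Image", "").casefold()
    cmdline = event.get("CommandLine", "").casefold()

    # selection_root: wusa.exe invoked with the /extract: switch
    selection_root = image.endswith("\\wusa.exe") and "/extract:" in cmdline

    # selection_paths: any of the listed directories appears in the command line
    selection_paths = any(p.casefold() in cmdline for p in SUSPICIOUS_PATHS)

    # condition: all of selection_*
    return selection_root and selection_paths


# Constructed sample events (not real telemetry). Expected outcome in comments.
SAMPLE_EVENTS = [
    # 1: .cab staged in Users\Public and extracted there -> alert
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe C:\\Users\\Public\\update.cab /extract:C:\\Users\\Public\\out"},
    # 2: same switch, but a path outside the watched list -> no alert
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe C:\\Patches\\kb.cab /extract:C:\\Patches\\kb"},
    # 3: watched path, but an ordinary install (no /extract:) -> no alert
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe C:\\Windows\\Temp\\kb.msu /quiet /norestart"},
    # 4: watched path and a .cab, but a different binary -> no alert
    {"Image": "C:\\Windows\\System32\\expand.exe",
     "CommandLine": "expand.exe C:\\Users\\Public\\a.cab -F:* C:\\Users\\Public\\out"},
    # 5: mixed case and the SysWOW64 copy still match (case-insensitive) -> alert
    {"Image": "c:\\windows\\syswow64\\WUSA.EXE",
     "CommandLine": "WUSA.EXE \"C:\\Users\\bob\\AppData\\Local\\Temp\\x.cab\" "
                    "/EXTRACT:C:\\Users\\bob\\AppData\\Local\\Temp\\x"},
]


def run(events) -> list:
    """Return the 1-based indices of events that trigger the rule."""
    return [i for i, e in enumerate(events, 1) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting events:", run(SAMPLE_EVENTS))  # [1, 5]
```

Event 2 is the case to keep in mind when tuning: the rule keys on the staging directory, not on `/extract:` alone, so an extraction from an unlisted path is silent. If that is too narrow for an environment, the commented-out `\Desktop\` and `\Downloads\` entries can be added to `SUSPICIOUS_PATHS` (and to the rule), at the cost of more noise from users running downloaded update packages.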
