Wusa.EXE Executed By Parent Process Located In Suspicious Location

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could launch "wusa.exe" in order to bypass User Account Control (UAC): they can duplicate the access token of the "wusa.exe" process to gain elevated privileges.

Sigma rule

title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: experimental
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
    Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wusa.exe'
    selection_paths_1:
        ParentImage|contains:
            # Note: Add additional suspicious locations to increase coverage
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            - '\Temporary Internet'
    selection_paths_2:
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_msu:
        # Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
        CommandLine|contains: '.msu'
    condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
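To make the condition above concrete, here is an added example (not part of the original page or of the SigmaHQ project) that evaluates the rule's three selections and its filter in plain Python over a handful of constructed process_creation events. The field names (Image, ParentImage, CommandLine) are the ones the rule itself uses; the sample events, their ids and the paths in them are constructed for illustration. Note how the third event is suppressed by the filter_main_msu exclusion, which is exactly the false-negative risk the rule's own comment warns about.

```python
"""Reference evaluation of the wusa.exe Sigma rule over constructed events.

Added example, not code from the original page or the SigmaHQ project.
Sigma's string modifiers (contains, endswith) are case-insensitive by
default, so every comparison below lower-cases both sides.
"""

# selection_paths_1: ParentImage|contains (any one substring is enough)
SUSPICIOUS_PARENT_SUBSTRINGS = [
    ':\\Perflogs\\',
    ':\\Users\\Public\\',
    ':\\Windows\\Temp\\',
    '\\Appdata\\Local\\Temp\\',
    '\\Temporary Internet',
]

# selection_paths_2: a list of ParentImage|contains|all groups; a group
# matches only when every one of its substrings is present
SUSPICIOUS_PARENT_ALL_GROUPS = [
    (':\\Users\\', '\\Favorites\\'),
    (':\\Users\\', '\\Favourites\\'),
    (':\\Users\\', '\\Contacts\\'),
    (':\\Users\\', '\\Pictures\\'),
]


def _norm(value):
    """Lower-case a field value, treating a missing field as empty."""
    return (value or '').lower()


def selection_img(event):
    """Image|endswith: '\\wusa.exe'"""
    return _norm(event.get('Image')).endswith('\\wusa.exe')


def selection_paths_1(event):
    parent = _norm(event.get('ParentImage'))
    return any(s.lower() in parent for s in SUSPICIOUS_PARENT_SUBSTRINGS)


def selection_paths_2(event):
    parent = _norm(event.get('ParentImage'))
    return any(all(s.lower() in parent for s in group)
               for group in SUSPICIOUS_PARENT_ALL_GROUPS)


def filter_main_msu(event):
    """CommandLine|contains: '.msu' (the exclusion for genuine update installs)."""
    return '.msu' in _norm(event.get('CommandLine'))


def matches(event):
    """condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*"""
    return (selection_img(event)
            and (selection_paths_1(event) or selection_paths_2(event))
            and not filter_main_msu(event))


# Constructed sample events (ids and paths are made up for this example).
SAMPLE_EVENTS = [
    {'id': 'drop-in-public',            # wusa.exe spawned from a world-writable dir: alert
     'Image': 'C:\\Windows\\System32\\wusa.exe',
     'ParentImage': 'C:\\Users\\Public\\loader.exe',
     'CommandLine': 'wusa.exe'},
    {'id': 'legit-update',              # normal update install from explorer: no alert
     'Image': 'C:\\Windows\\System32\\wusa.exe',
     'ParentImage': 'C:\\Windows\\explorer.exe',
     'CommandLine': '"C:\\Windows\\System32\\wusa.exe" "C:\\Users\\alice\\Downloads\\update.msu"'},
    {'id': 'public-but-msu',            # suspicious parent, but the .msu filter suppresses it
     'Image': 'C:\\Windows\\System32\\wusa.exe',
     'ParentImage': 'C:\\Users\\Public\\setup.exe',
     'CommandLine': 'wusa.exe C:\\Users\\Public\\update.msu /quiet'},
    {'id': 'favorites-parent',          # contains|all group (':\\Users\\' + '\\Favorites\\'): alert
     'Image': 'C:\\Windows\\System32\\WUSA.EXE',
     'ParentImage': 'C:\\Users\\bob\\Favorites\\run.exe',
     'CommandLine': 'wusa.exe'},
    {'id': 'other-binary',              # not wusa.exe at all: no alert
     'Image': 'C:\\Windows\\System32\\cmd.exe',
     'ParentImage': 'C:\\Users\\Public\\x.exe',
     'CommandLine': 'cmd.exe /c whoami'},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e['id'] for e in events if matches(e)]


if __name__ == '__main__':
    print(run())  # ['drop-in-public', 'favorites-parent']
```

The 'public-but-msu' event is worth a second look when tuning: the rule trades that false negative for fewer alerts on legitimate update installs, which is why its comment recommends baselining update activity in your environment instead of relying on the .msu exclusion.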
