Wusa.EXE Executed By Parent Process Located In Suspicious Location

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.

Sigma rule

title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: experimental
description: |
        Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
references:
    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023/11/26
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wusa.exe'
    selection_paths_1:
        ParentImage|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            - '\Temporary Internet'
    selection_paths_2:
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_img and 1 of selection_paths_*
falsepositives:
    - Unknown
level: high
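To make the detection logic concrete, the following is an added example (not code from the rule author or the Sigma project) that hand-evaluates the rule's condition, including the `contains|all` groups and Sigma's case-insensitive matching, against constructed process_creation events; the event dicts and the `matches_rule`/`alerts` helpers are assumptions made here for illustration.

```python
# Added example: minimal evaluator for the Sigma rule above, run against
# constructed process_creation events. Field names follow the rule (Image,
# ParentImage); the events themselves are made up and are not real telemetry.

# selection_paths_1: ParentImage|contains -> any ONE of these substrings
PATHS_1 = (
    ":\\Perflogs\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\Appdata\\Local\\Temp\\",
    "\\Temporary Internet",
)
# selection_paths_2: list of ParentImage|contains|all -> ALL substrings of
# at least one group must be present
PATHS_2 = (
    (":\\Users\\", "\\Favorites\\"),
    (":\\Users\\", "\\Favourites\\"),
    (":\\Users\\", "\\Contacts\\"),
    (":\\Users\\", "\\Pictures\\"),
)

def matches_rule(event: dict) -> bool:
    """True when 'selection_img and 1 of selection_paths_*' holds.
    Sigma string modifiers match case-insensitively, so compare lower-cased."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    # selection_img: Image|endswith '\wusa.exe'
    if not image.endswith("\\wusa.exe"):
        return False
    paths_1 = any(p.lower() in parent for p in PATHS_1)
    paths_2 = any(all(p.lower() in parent for p in group) for group in PATHS_2)
    return paths_1 or paths_2

def alerts(events):
    """Return the parent images of all events the rule would fire on."""
    return [e["ParentImage"] for e in events if matches_rule(e)]

# Constructed sample events (hypothetical paths, not observed data).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "ParentImage": "C:\\Users\\Public\\update.exe"},            # paths_1 hit
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "ParentImage": "C:\\Users\\alice\\Pictures\\viewer.exe"},   # paths_2 hit
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},       # benign parent
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Users\\Public\\update.exe"},            # not wusa.exe
]

if __name__ == "__main__":
    for parent in alerts(SAMPLE_EVENTS):
        print("ALERT: wusa.exe spawned by", parent)
```

Note that a parent under `D:\Contacts\` alone does not fire, because the `contains|all` group also requires `:\Users\` in the path.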
