Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Sigma rule

```yaml
title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: experimental
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
references:
    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023/11/26
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # The child process must be wusa.exe (string matching in Sigma is case-insensitive)
    selection_img:
        Image|endswith: '\wusa.exe'
    # Parent binary sits in a world-writable or temporary directory (any one substring matches)
    selection_paths_1:
        ParentImage|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            - '\Temporary Internet'
    # Parent binary sits in a user-profile data folder; each list item requires both substrings
    selection_paths_2:
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_img and 1 of selection_paths_*
falsepositives:
    - Unknown
level: high
```
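To see exactly which process_creation events this rule fires on, the following is an added example (not part of the rule or of SigmaHQ) that re-implements the detection logic in plain Python and runs it over a handful of constructed events. It encodes the Sigma semantics a practitioner tends to trip over: `contains`/`endswith` are case-insensitive, `contains|all` requires every substring within one list item, and `1 of selection_paths_*` means either path selection is enough. The event dictionaries, EventIDs and file paths are constructed for illustration and are not real telemetry.

```python
"""Re-implementation of the rule's condition for offline testing (added example)."""

# Substrings copied from selection_paths_1: any single one matching is enough.
PATHS_ANY = [
    ':\\Perflogs\\',
    ':\\Users\\Public\\',
    ':\\Windows\\Temp\\',
    '\\Appdata\\Local\\Temp\\',
    '\\Temporary Internet',
]

# Substring groups copied from selection_paths_2: every substring within a group
# must match (contains|all), and any one group is enough.
PATHS_ALL_GROUPS = [
    [':\\Users\\', '\\Favorites\\'],
    [':\\Users\\', '\\Favourites\\'],
    [':\\Users\\', '\\Contacts\\'],
    [':\\Users\\', '\\Pictures\\'],
]


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def selection_img(event: dict) -> bool:
    """Image|endswith: '\\wusa.exe' (case-insensitive)."""
    return event.get('Image', '').lower().endswith('\\wusa.exe')


def selection_paths_1(event: dict) -> bool:
    """ParentImage|contains: any of PATHS_ANY."""
    parent = event.get('ParentImage', '')
    return any(_contains(parent, p) for p in PATHS_ANY)


def selection_paths_2(event: dict) -> bool:
    """ParentImage|contains|all for at least one group in PATHS_ALL_GROUPS."""
    parent = event.get('ParentImage', '')
    return any(all(_contains(parent, p) for p in group) for group in PATHS_ALL_GROUPS)


def matches(event: dict) -> bool:
    """condition: selection_img and 1 of selection_paths_*"""
    return selection_img(event) and (selection_paths_1(event) or selection_paths_2(event))


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"C:\Users\Public\update.exe"},             # hit: Users\Public
    {"EventID": 2, "Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"C:\Users\alice\Pictures\viewer.exe"},     # hit: Users + Pictures
    {"EventID": 3, "Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},        # miss: benign parent path
    {"EventID": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\update.exe"},             # miss: child is not wusa.exe
    {"EventID": 5, "Image": r"C:\WINDOWS\SYSTEM32\WUSA.EXE",
     "ParentImage": r"C:\USERS\BOB\APPDATA\LOCAL\TEMP\a.exe"},  # hit: case-insensitive match
    {"EventID": 6, "Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"D:\Pictures\viewer.exe"},                  # miss: '\Pictures\' without ':\Users\'
]


def alerts(events):
    """Return the EventIDs of events the rule would fire on."""
    return [e["EventID"] for e in events if matches(e)]


if __name__ == "__main__":
    print("Matched EventIDs:", alerts(SAMPLE_EVENTS))
```

Event 6 illustrates why the `contains|all` pairing matters: a `\Pictures\` folder on a non-profile drive does not satisfy the rule, whereas a single `contains` on `\Pictures\` alone would. When triaging hits, the parent's full command line and file hash are the first things to pull, since the rule keys only on where the parent binary lives.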
Related rules
- Potential APT FIN7 POWERHOLD Execution
- Potential POWERTRASH Script Execution
- Proxy Execution Via Wuauclt.EXE
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)