Detects execution of the “wusa.exe” (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of “wusa.exe” in
title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: test
description: |
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
- https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\wusa.exe'
selection_paths_1:
ParentImage|contains:
# Note: Add additional suspicious locations to increase coverage
- ':\Perflogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Appdata\Local\Temp\'
- '\Temporary Internet'
selection_paths_2:
- ParentImage|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentImage|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentImage|contains|all:
- ':\Users\'
- '\Contacts\'
- ParentImage|contains|all:
- ':\Users\'
- '\Pictures\'
filter_main_msu:
# Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
CommandLine|contains: '.msu'
condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
imProcessCreate
| where TargetProcessName endswith "\\wusa.exe" and (((ParentProcessName contains ":\\Perflogs\\" or ParentProcessName contains ":\\Users\\Public\\" or ParentProcessName contains ":\\Windows\\Temp\\" or ParentProcessName contains "\\Appdata\\Local\\Temp\\" or ParentProcessName contains "\\Temporary Internet") or (ActingProcessName contains ":\\Perflogs\\" or ActingProcessName contains ":\\Users\\Public\\" or ActingProcessName contains ":\\Windows\\Temp\\" or ActingProcessName contains "\\Appdata\\Local\\Temp\\" or ActingProcessName contains "\\Temporary Internet")) or (((ParentProcessName contains ":\\Users\\" and ParentProcessName contains "\\Favorites\\") or (ActingProcessName contains ":\\Users\\" and ActingProcessName contains "\\Favorites\\")) or ((ParentProcessName contains ":\\Users\\" and ParentProcessName contains "\\Favourites\\") or (ActingProcessName contains ":\\Users\\" and ActingProcessName contains "\\Favourites\\")) or ((ParentProcessName contains ":\\Users\\" and ParentProcessName contains "\\Contacts\\") or (ActingProcessName contains ":\\Users\\" and ActingProcessName contains "\\Contacts\\")) or ((ParentProcessName contains ":\\Users\\" and ParentProcessName contains "\\Pictures\\") or (ActingProcessName contains ":\\Users\\" and ActingProcessName contains "\\Pictures\\")))) and (not(TargetProcessCommandLine contains ".msu"))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |