Wusa.EXE Executed By Parent Process Located In Suspicious Location
About the rule
Rule Type
Standard
Rule Description
Detects execution of "wusa.exe" (Windows Update Standalone Installer) by a parent process located in a suspicious, typically user-writable location: Perflogs, Users\Public, Windows\Temp, a user's AppData\Local\Temp or Temporary Internet Files folder, or a user's Favorites, Contacts or Pictures folder. Attackers can launch "wusa.exe", which auto-elevates, to bypass User Account Control (UAC): they duplicate the elevated access token of the "wusa.exe" process to obtain elevated privileges. Executions whose command line references an ".msu" package are excluded, since installing an update package is the utility's legitimate purpose.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND PROCESSNAME endswith "\wusa.exe" AND (PARENTPROCESSNAME contains ":\Perflogs\,:\Users\Public\,:\Windows\Temp\,\Appdata\Local\Temp\,\Temporary Internet" OR ((PARENTPROCESSNAME contains ":\Users" AND PARENTPROCESSNAME contains "\Favorites") OR (PARENTPROCESSNAME contains ":\Users" AND PARENTPROCESSNAME contains "\Favourites") OR (PARENTPROCESSNAME contains ":\Users" AND PARENTPROCESSNAME contains "\Contacts") OR (PARENTPROCESSNAME contains ":\Users" AND PARENTPROCESSNAME contains "\Pictures"))) AND COMMANDLINE notcontains ".msu" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
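The criteria above, reimplemented as a standalone matcher and run over a few constructed process-creation events. This is an added example for illustration, not part of the rule page or of the SIEM's query engine; the event field names mirror the query (actionname, PROCESSNAME, PARENTPROCESSNAME, COMMANDLINE), the sample events are constructed here, and case-insensitive matching is an assumption about how the query engine evaluates "contains" and "endswith".

```python
# Standalone re-implementation of the "Wusa.EXE executed by parent in suspicious
# location" criteria (added example, not the SIEM's own query engine).
# Assumption: string operators are case-insensitive, so every comparison lowercases.

# Parent-path fragments that the rule treats as suspicious regardless of user.
SUSPICIOUS_PARENT_FRAGMENTS = (
    ":\\perflogs\\",
    ":\\users\\public\\",
    ":\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\temporary internet",
)

# Sub-folders that are only suspicious when they sit under a user profile (":\Users").
SUSPICIOUS_PROFILE_SUBFOLDERS = ("\\favorites", "\\favourites", "\\contacts", "\\pictures")


def parent_in_suspicious_location(parent_process: str) -> bool:
    """True if the parent image path matches any of the rule's suspicious locations."""
    p = parent_process.lower()
    if any(frag in p for frag in SUSPICIOUS_PARENT_FRAGMENTS):
        return True
    return ":\\users" in p and any(sub in p for sub in SUSPICIOUS_PROFILE_SUBFOLDERS)


def matches_rule(event: dict) -> bool:
    """Evaluate the full rule criteria against one process-start event."""
    if event.get("actionname") != "Process started":
        return False
    if not event.get("PROCESSNAME", "").lower().endswith("\\wusa.exe"):
        return False
    # Legitimate update installs name an .msu package; the rule excludes them.
    # Note this is a plain substring test on the whole command line.
    if ".msu" in event.get("COMMANDLINE", "").lower():
        return False
    return parent_in_suspicious_location(event.get("PARENTPROCESSNAME", ""))


def run_rule(events: list) -> list:
    """Return the HOSTNAME of every event that fires the rule."""
    return [e["HOSTNAME"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # wusa.exe spawned from a world-writable staging directory: fires
        "HOSTNAME": "ws01", "actionname": "Process started",
        "PROCESSNAME": "C:\\Windows\\System32\\wusa.exe", "COMMANDLINE": "wusa.exe",
        "PARENTPROCESSNAME": "C:\\Users\\Public\\stage.exe", "USERNAME": "alice",
    },
    {   # same parent location, but a genuine .msu install: excluded by the filter
        "HOSTNAME": "ws02", "actionname": "Process started",
        "PROCESSNAME": "C:\\Windows\\System32\\wusa.exe",
        "COMMANDLINE": "wusa.exe C:\\Windows\\Temp\\update.msu /quiet /norestart",
        "PARENTPROCESSNAME": "C:\\Windows\\Temp\\installer.exe", "USERNAME": "SYSTEM",
    },
    {   # parent under a user's Pictures folder (mixed case): fires
        "HOSTNAME": "ws03", "actionname": "Process started",
        "PROCESSNAME": "c:\\windows\\system32\\WUSA.EXE", "COMMANDLINE": "WUSA.EXE",
        "PARENTPROCESSNAME": "C:\\Users\\bob\\Pictures\\viewer.exe", "USERNAME": "bob",
    },
    {   # normal service-host parent in System32: not suspicious
        "HOSTNAME": "ws04", "actionname": "Process started",
        "PROCESSNAME": "C:\\Windows\\System32\\wusa.exe", "COMMANDLINE": "wusa.exe",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\svchost.exe", "USERNAME": "SYSTEM",
    },
    {   # Pictures folder outside a user profile: the ":\Users" condition is not met
        "HOSTNAME": "ws05", "actionname": "Process started",
        "PROCESSNAME": "C:\\Windows\\System32\\wusa.exe", "COMMANDLINE": "wusa.exe",
        "PARENTPROCESSNAME": "D:\\Shares\\Pictures\\sync.exe", "USERNAME": "carol",
    },
    {   # process-exit record for the same image: wrong action, ignored
        "HOSTNAME": "ws06", "actionname": "Process ended",
        "PROCESSNAME": "C:\\Windows\\System32\\wusa.exe", "COMMANDLINE": "wusa.exe",
        "PARENTPROCESSNAME": "C:\\Users\\Public\\stage.exe", "USERNAME": "alice",
    },
]

if __name__ == "__main__":
    for host in run_rule(SAMPLE_EVENTS):
        print("ALERT: wusa.exe spawned from suspicious parent on", host)
```

Two behaviours of the criteria are worth noting from this: the Favorites/Contacts/Pictures clauses only fire when ":\Users" also appears in the parent path, and the ".msu" exclusion is a substring test on the entire command line, so any command line that merely contains ".msu" is dropped even if no package is actually installed.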
Detection
Execution Mode
realtime
Log Sources
Windows
Author
X__Junior (Nextron Systems)