Detection rules › Sigma
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection_img
Image|endswith: '\wusa.exe'
Stage 2: 1 of selection_paths_1
or:
ParentImage|contains: ':\Perflogs\'
ParentImage|contains: ':\Users\Public\'
ParentImage|contains: ':\Windows\Temp\'
ParentImage|contains: '\Appdata\Local\Temp\'
ParentImage|contains: '\Temporary Internet'
Stage 3: 1 of selection_paths_2
or:
ParentImage|contains: ':\Users\'
ParentImage|contains: '\Contacts\'
ParentImage|contains: ':\Users\'
ParentImage|contains: '\Favorites\'
ParentImage|contains: ':\Users\'
ParentImage|contains: '\Favourites\'
ParentImage|contains: ':\Users\'
ParentImage|contains: '\Pictures\'
Stage 4: not 1 of filter_main_msu
CommandLine|contains: .msu
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
ParentImage | match |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.