Windows Update Error

Severity: informational
Author: frack113
Source: upstream

Detects Windows Update client errors, including installation failures and connection issues. Defenders should review these events so that critical update KBs which failed to install do not go unnoticed.

MITRE ATT&CK coverage

Tactic | Technique
Resource Development | T1584 Compromise Infrastructure

Event coverage

Provider | Event ID | Title
WindowsUpdateClient | 16 | Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the...
WindowsUpdateClient | 20 | Installation Failure: Windows failed to install the following update with error errorCode: updateTitle.
WindowsUpdateClient | 24 | Uninstallation Failure: Windows failed to uninstall the following update with error errorCode: updatelist.
WindowsUpdateClient | 213 | Revert Failure: Windows failed to revert the following update with error errorCode: updatelist.
WindowsUpdateClient | 217 | Commit Failure: Windows failed to commit the following update with error errorCode: updatelist.

Stages and Predicates

Stage 1: selection

Provider_Name: 'Microsoft-Windows-WindowsUpdateClient'
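The predicate shown above keys only on Provider_Name, and that provider also emits non-error events (for example EventID 19, Installation Successful), so a practical implementation should additionally restrict to the failure event IDs from the coverage table. The following is an added example, not code from the rule page or from the upstream Sigma rule: it applies that selection to event records and pulls out the fields a defender triages (error code, update title or list, KB numbers). The record shape is an assumption, a flat dict per event with the keys a SIEM pipeline would typically carry (Provider_Name, EventID, errorCode, updateTitle, updatelist); the sample events and KB numbers are constructed, not real telemetry.

```python
"""Apply the 'Windows Update Error' selection to event records (added example).

Record shape is an assumption: one flat dict per event with Provider_Name,
EventID and the message parameters errorCode, updateTitle / updatelist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROVIDER = "Microsoft-Windows-WindowsUpdateClient"

# Failure event IDs and titles from the rule's event-coverage table.
ERROR_EVENT_IDS = {
    16: "Unable to Connect",
    20: "Installation Failure",
    24: "Uninstallation Failure",
    213: "Revert Failure",
    217: "Commit Failure",
}

# KB identifiers as they appear in update titles/lists, e.g. "KB1234567".
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    event_id: int
    title: str
    error_code: str
    update: str
    kbs: tuple[str, ...]


def matches(event: dict) -> bool:
    """Rule selection: provider equals WindowsUpdateClient AND the event is one
    of the failure IDs. Provider alone would also match success events (19)."""
    return (event.get("Provider_Name") == PROVIDER
            and event.get("EventID") in ERROR_EVENT_IDS)


def to_hit(event: dict) -> Hit:
    """Normalise a matching event into triage fields. Event 16 (connect
    failure) carries no update fields, so those default to empty."""
    update = event.get("updateTitle") or event.get("updatelist") or ""
    return Hit(
        event_id=event["EventID"],
        title=ERROR_EVENT_IDS[event["EventID"]],
        error_code=str(event.get("errorCode", "")),
        update=update,
        kbs=tuple(m.upper() for m in KB_RE.findall(update)),
    )


def run_rule(events: list[dict]) -> list[Hit]:
    """Return one Hit per event that satisfies the selection, in input order."""
    return [to_hit(e) for e in events if matches(e)]


def failed_kbs(hits: list[Hit]) -> set[str]:
    """KBs referenced by any failure event: the list to check against the
    set of critical updates that are expected to be installed."""
    return {kb for h in hits for kb in h.kbs}


# Constructed sample events (not real telemetry; KB numbers are placeholders).
SAMPLE_EVENTS = [
    # Success event from the same provider: must NOT match.
    {"Provider_Name": PROVIDER, "EventID": 19,
     "updateTitle": "Cumulative Update for Windows (KB9999996)"},
    {"Provider_Name": PROVIDER, "EventID": 20, "errorCode": "0x80070005",
     "updateTitle": "Cumulative Update for Windows (KB9999999)"},
    # Connection failure: no update fields at all.
    {"Provider_Name": PROVIDER, "EventID": 16},
    # Same EventID from another provider: must NOT match.
    {"Provider_Name": "Microsoft-Windows-Kernel-General", "EventID": 20,
     "errorCode": "0x80070005"},
    {"Provider_Name": PROVIDER, "EventID": 217, "errorCode": "0x800f0922",
     "updatelist": "KB9999998, KB9999997"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"{hit.event_id:>3} {hit.title:<22} err={hit.error_code or '-':<10} "
              f"kbs={','.join(hit.kbs) or '-'}")
    print("KBs with failures:", sorted(failed_kbs(run_rule(SAMPLE_EVENTS))))
```

The failure IDs are kept in a dict rather than a bare list so that the same table drives both the match and the human-readable title in the alert; if the upstream rule is later extended with further event IDs, only that table changes.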

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column, where shown, counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Provider_Name | eq | Microsoft-Windows-WindowsUpdateClient

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.