Skip to content

[New Rule] Potential WSUS Abuse for Lateral Movement #3908

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jul 22, 2024
Merged

[New Rule] Potential WSUS Abuse for Lateral Movement #3908

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
137067f
[New Rule] Potential WSUS Abuse for Lateral Movement
w0rk3r Jul 19, 2024
2d4d8a5
Update lateral_movement_via_wsus_update.toml
w0rk3r Jul 19, 2024
53a2bff
Update lateral_movement_via_wsus_update.toml
w0rk3r Jul 22, 2024
fcc9e89
Merge branch 'main' into wsus_1
w0rk3r Jul 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions rules/windows/lateral_movement_via_wsus_update.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2024/07/19"
integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2024/07/19"

[rule]
author = ["Elastic"]
description = """
Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement.
WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published
by Microsoft.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential WSUS Abuse for Lateral Movement"
references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
risk_score = 47
rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" and
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Restricting this to the folder where the updates seems to be drop.

(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

Loading