← Back to Explore
sigmahighHunting
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Detection Query
selection_root:
Image|endswith: \wusa.exe
CommandLine|contains: "/extract:"
selection_paths:
CommandLine|contains:
- :\PerfLogs\
- :\Users\Public\
- :\Windows\Temp\
- \Appdata\Local\Temp\
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-05
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.execution
Raw Content
title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
- id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
type: derived
status: test
description: |
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
- https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_root:
Image|endswith: '\wusa.exe'
CommandLine|contains: '/extract:'
selection_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Appdata\Local\Temp\'
# - '\Desktop\'
# - '\Downloads\'
condition: all of selection_*
falsepositives:
- Unknown
level: high