Detection | informational | stable
Windows Update Error
Detects Windows Update errors, including installation failures and connection issues. Defenders should monitor these events so that failures to install critical update KBs are noticed.
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic
detection:
    selection:
        Provider_Name: Microsoft-Windows-WindowsUpdateClient
        EventID:
            - 16   # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
            - 20   # Installation Failure: Windows failed to install the following update with error
            - 24   # Uninstallation Failure: Windows failed to uninstall the following update with error
            - 213  # Revert Failure: Windows failed to revert the following update with error
            - 217  # Commit Failure: Windows failed to commit the following update with error
    condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
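The selection above is a single AND of the provider name with an OR over the listed EventIDs. The following added example (not part of the rule or of the page) evaluates that logic against constructed Windows System event records and labels each hit with the failure meaning from the rule's comments; field names `Computer`, `Provider_Name` and `EventID` follow the usual Windows event schema, and the sample events are made up.

```python
# Added example: apply the Sigma 'selection' of the Windows Update Error rule
# to a list of event dicts. Not the rule's own code; events below are constructed.

PROVIDER = "Microsoft-Windows-WindowsUpdateClient"

# EventID -> short meaning, taken from the comments in the rule's detection block
UPDATE_ERRORS = {
    16: "Unable to Connect",
    20: "Installation Failure",
    24: "Uninstallation Failure",
    213: "Revert Failure",
    217: "Commit Failure",
}


def _event_id(event):
    """Normalise EventID to int; some pipelines ship it as a string."""
    try:
        return int(event.get("EventID"))
    except (TypeError, ValueError):
        return None


def matches_rule(event):
    """True when the event satisfies the rule's selection block
    (Provider_Name must match AND EventID must be one of the listed values)."""
    return (event.get("Provider_Name") == PROVIDER
            and _event_id(event) in UPDATE_ERRORS)


def triage(events):
    """Return (host, EventID, label) for every event the rule would fire on."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            eid = _event_id(ev)
            hits.append((ev.get("Computer", "?"), eid, UPDATE_ERRORS[eid]))
    return hits


# Constructed sample events (hypothetical hosts, not real log data)
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Provider_Name": PROVIDER, "EventID": 19},    # install success: no hit
    {"Computer": "ws01", "Provider_Name": PROVIDER, "EventID": 20},    # installation failure
    {"Computer": "srv02", "Provider_Name": PROVIDER, "EventID": 16},   # cannot reach update service
    {"Computer": "srv02", "Provider_Name": "Service Control Manager", "EventID": 20},  # wrong provider
    {"Computer": "ws03", "Provider_Name": PROVIDER, "EventID": "217"},  # string-typed ID still matches
]

if __name__ == "__main__":
    for host, eid, label in triage(SAMPLE_EVENTS):
        print(f"{host}: EventID {eid} ({label})")
```

Running the block prints one line per hit; the success event (19) and the event from the other provider are skipped, while the string-typed 217 is still caught because the ID is normalised before lookup.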
References
MITRE ATT&CK
Rule Metadata
Rule ID
13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
Status
stable
Level
informational
Type
Detection
Created
Sat Dec 04
Modified
Thu Sep 07
Author
Path
rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
Raw Tags
attack.impact, attack.resource-development, attack.t1584