Type: Detection | Level: high | Status: test

HackTool - SharpWSUS/WSUSpendu Execution

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

Author: kostastsale, Nasreddine Bencherchali (Nextron Systems)
Created: Fri Oct 07
Updated: Fri Aug 23
Rule ID: b0ce780f-10bd-496d-9067-066d23dc3aa5
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection_wsuspendu_inject:
        CommandLine|contains: ' -Inject '
    selection_wsuspendu_payload:
        CommandLine|contains:
            - ' -PayloadArgs '
            - ' -PayloadFile '
    selection_sharpwsus_commands:
        CommandLine|contains:
            - ' approve '
            - ' create '
            - ' check '
            - ' delete '
    selection_sharpwsus_flags:
        CommandLine|contains:
            - ' /payload:'
            - ' /payload='
            - ' /updateid:'
            - ' /updateid='
    condition: all of selection_wsuspendu_* or all of selection_sharpwsus_*
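The following is an added example, not part of the Sigma rule or of any Sigma backend: a small Python evaluator that reproduces the four selectors and the rule's condition (`all of selection_wsuspendu_*` or `all of selection_sharpwsus_*`) and runs it over a handful of constructed process-creation events. It assumes each event is a dict with a `CommandLine` field, and it applies the Sigma default of case-insensitive string matching for the `contains` modifier. The sample command lines are constructed to show why the rule needs both selectors of a group: a benign `sc.exe delete` or a lone `/updateid=` flag alone does not fire.

```python
"""Added example: evaluate this Sigma rule's selectors and condition in Python.

This is not the rule's own code nor a Sigma backend; it mirrors the YAML
above so the matching behaviour can be checked against sample events.
"""
import fnmatch

# Selector name -> list of substrings (Sigma `CommandLine|contains`).
SELECTIONS = {
    "selection_wsuspendu_inject": [" -Inject "],
    "selection_wsuspendu_payload": [" -PayloadArgs ", " -PayloadFile "],
    "selection_sharpwsus_commands": [" approve ", " create ", " check ", " delete "],
    "selection_sharpwsus_flags": [" /payload:", " /payload=", " /updateid:", " /updateid="],
}


def selector_matches(command_line: str, needles) -> bool:
    """Sigma list values are OR-ed; `contains` is case-insensitive by default."""
    cl = command_line.lower()
    return any(n.lower() in cl for n in needles)


def all_of(pattern: str, event: dict) -> bool:
    """`all of <pattern>`: every selector whose name matches the glob must hit."""
    command_line = event.get("CommandLine", "")
    return all(
        selector_matches(command_line, needles)
        for name, needles in SELECTIONS.items()
        if fnmatch.fnmatch(name, pattern)
    )


def evaluate(event: dict) -> bool:
    """The rule's condition line, expressed over the selector groups."""
    return all_of("selection_wsuspendu_*", event) or all_of("selection_sharpwsus_*", event)


# Constructed sample events (hypothetical command lines, built only from the
# substrings the rule looks for; not captured telemetry).
SAMPLE_EVENTS = [
    {"id": "wsuspendu_style",
     "CommandLine": r'powershell.exe -File .\Wsuspendu.ps1 -Inject -PayloadFile C:\Temp\update.exe -PayloadArgs "/quiet"'},
    {"id": "sharpwsus_style",
     "CommandLine": r"SharpWSUS.exe create /payload:C:\Temp\update.exe /title:SecurityUpdate"},
    {"id": "benign_wsus_admin",
     "CommandLine": "powershell.exe -Command Get-Service -Name wuauserv"},
    {"id": "benign_sc_delete",           # ' delete ' alone, no /payload or /updateid flag
     "CommandLine": "sc.exe delete LegacySvc"},
    {"id": "benign_lone_updateid_flag",  # flag alone, no approve/create/check/delete verb
     "CommandLine": "updater.exe /updateid=42"},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if evaluate(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'ALERT' if evaluate(e) else 'ok   '}  {e['CommandLine']}")
```

The two-selector requirement is what keeps common verbs such as `create` or `delete` from firing on their own; during triage, confirm the parent process, the user context, and whether the host is the WSUS server or an administrator workstation before treating a hit as lateral movement.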
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
b0ce780f-10bd-496d-9067-066d23dc3aa5
Status
test
Level
high
Type
Detection
Created
Fri Oct 07
Modified
Fri Aug 23
Path
rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml
Raw Tags
attack.execution, attack.lateral-movement, attack.t1210