Techniques
Sample rules
Wusa Extracting Cab Files
- source: sigma
- techniques:
Description
Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab files using the "/extract:" argument, which is no longer supported in current Windows versions. Use of this argument could indicate an attacker relying on an old technique.
Detection logic
condition: selection
selection:
    CommandLine|contains: '/extract:'
    Image|endswith: '\wusa.exe'
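To show how this selection evaluates against process-creation events, here is an added Python example (not part of the Sigma rule or this page) that implements the rule's two field modifiers with Sigma's default case-insensitive string matching and runs them over constructed sample events; the event field names and values are assumptions for illustration.

```python
# Added example: evaluates the rule's selection against constructed events.
# Sigma string comparisons are case-insensitive by default, so both
# modifiers lower-case the field value and the pattern before comparing.

# The selection as written in the rule above (field|modifier: value).
SELECTION = {
    "CommandLine|contains": "/extract:",
    "Image|endswith": "\\wusa.exe",
}


def field_matches(event: dict, field_spec: str, pattern: str) -> bool:
    """Apply one Sigma field|modifier check to a single event."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    pattern = pattern.lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    # No modifier: exact (case-insensitive) match.
    return value == pattern


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """Every field in a Sigma selection map must match (logical AND)."""
    return all(field_matches(event, spec, pat) for spec, pat in selection.items())


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe update.msu /extract:C:\\Temp\\out"},
    {"Image": "C:\\Windows\\System32\\WUSA.EXE",
     "CommandLine": "WUSA.EXE patch.msu /EXTRACT:C:\\staging"},
    {"Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa.exe KB123.msu /quiet /norestart"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe /extract:notes.txt"},
]


def matching_events(events: list) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The second event shows why case-insensitive matching matters: an upper-cased image path and argument still trigger the rule, while the fourth event shows that a matching command line alone is not enough because both selection fields must match.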