LoFP / the "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)

Techniques

Sample rules

Wusa Extracting Cab Files

Description

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract CAB files using the "/extract" argument, which is no longer supported. This could indicate an attacker using an old technique.

Detection logic

condition: selection
selection:
  CommandLine|contains: '/extract:'
  Image|endswith: \wusa.exe
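To show how the selection above behaves on real-looking telemetry and how the LoFP note can be acted on, here is an added example (not part of the LoFP entry or the Sigma rule itself) that replays the two selection fields over constructed process-creation events and pulls the "/extract:" destination out of the command line so an analyst can review the extraction path. The event field names and all sample values are assumptions; Sigma's "contains" and "endswith" modifiers are treated as case-insensitive, which is Sigma's default.

```python
"""Replay the 'Wusa Extracting Cab Files' selection over constructed
process-creation events and expose the CAB extraction path for triage."""
import re

# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation convention the rule uses: Image and CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wusa.exe",
     "CommandLine": r"wusa.exe C:\Users\Public\update.cab /extract:C:\Users\Public\out"},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "CommandLine": r"wusa.exe C:\Windows\Temp\KB000000.cab /extract:C:\Windows\Temp\staging"},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "CommandLine": r"wusa.exe C:\Windows\Temp\KB000000.msu /quiet /norestart"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo /extract: test"},
]


def matches_rule(event: dict) -> bool:
    """Sigma selection: Image|endswith '\\wusa.exe' AND CommandLine|contains '/extract:'.
    Both sides are lower-cased because Sigma string modifiers are case-insensitive."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("\\wusa.exe") and "/extract:" in cmdline


# Destination may be a quoted path with spaces or an unquoted token.
_EXTRACT_RE = re.compile(r'/extract:(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def extract_target(cmdline: str):
    """Return the directory named after /extract:, or None if absent."""
    m = _EXTRACT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(events):
    """Run the rule over events and attach the extraction destination, the
    detail the LoFP note says to monitor when judging legitimate use."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({"CommandLine": ev["CommandLine"],
                         "ExtractTo": extract_target(ev["CommandLine"])})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Of the four constructed events only the two wusa.exe invocations carrying "/extract:" match; the ordinary .msu install and the cmd.exe line that merely mentions the string do not. The extraction path attached to each hit is what an analyst compares against known patching workflows before closing the alert as the false positive the note describes.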