Persistence via Update Orchestrator Service Hijackedit
Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
- CVE-2020-1313
Version: 100
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guideedit
Rule queryedit
process where event.type == "start" and
process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
process.parent.args : "UsoSvc" and
not process.executable :
("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe",
"?:\\Windows\\System32\\UsoClient.exe",
"?:\\Windows\\System32\\MusNotification.exe",
"?:\\Windows\\System32\\MusNotificationUx.exe",
"?:\\Windows\\System32\\MusNotifyIcon.exe",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\System32\\WerMgr.exe",
"?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
"?:\\Windows\\System32\\MoUsoCoreWorker.exe",
"?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
"?:\\Windows\\System32\\UsoCoreWorker.exe",
"?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and
not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
-
Sub-technique:
- Name: Windows Service
- ID: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/