Sigma rules for CVE-2024-28962
9 rules · scoped to cve · back to CVE-2024-28962
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
- id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
type: similar
status: experimental
description: |
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\baaupdate.exe'
Image|endswith:
- '\bitsadmin.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
related:
- id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change
type: similar
status: test
description: Detects update to a scheduled task event that contain suspicious keywords.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4702
selection_paths:
TaskContentNew|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContentNew|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
- attack.initial-access
- attack.stealth
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1036.005
logsource:
category: proxy
detection:
selection:
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
title: Firewall Rule Update Via Netsh.EXE
id: a70dcb37-3bee-453a-99df-d0c683151be6
status: test
description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
references:
- https://ss64.com/nt/netsh.html
author: X__Junior (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
# Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
# Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
- ' firewall '
- ' set '
condition: all of selection_*
falsepositives:
- Legitimate administration activity
- Software installations and removal
level: medium
title: Sysmon Configuration Update
id: 87911521-7098-470b-a459-9a57fc80bdfd
status: test
description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
modified: 2024-03-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith:
- \Sysmon64.exe
- \Sysmon.exe
- Description: 'System activity monitor'
selection_cli:
CommandLine|contains|windash: '-c'
condition: all of selection_*
falsepositives:
- Legitimate administrators might use this command to update Sysmon configuration.
level: medium
title: PUA - Advanced IP/Port Scanner Update Check
id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
status: test
description: Detect the update check performed by Advanced IP/Port Scanner utilities.
references:
- https://www.advanced-ip-scanner.com/
- https://www.advanced-port-scanner.com/
author: Axel Olsson
date: 2022-08-14
modified: 2024-02-15
tags:
- attack.discovery
- attack.reconnaissance
- attack.t1590
logsource:
category: proxy
detection:
selection:
# Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
# Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
c-uri|contains: '/checkupdate.php'
c-uri-query|contains|all:
- 'lng='
- 'ver='
- 'beta='
- 'type='
- 'rmode='
- 'product='
condition: selection
falsepositives:
- Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environement.
level: medium
title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: test
description: |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
- https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024-02-26
tags:
- attack.credential-access
- attack.collection
- attack.t1056
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName: 'update.onelaunch.com'
Image|endswith: '\OneLaunch.exe'
condition: selection
falsepositives:
- Unlikely
level: low
title: Windows Update Error
id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
status: stable
description: |
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
author: frack113
date: 2021-12-04
modified: 2023-09-07
tags:
- attack.impact
- attack.resource-development
- attack.t1584
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: Microsoft-Windows-WindowsUpdateClient
EventID:
- 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
- 20 # Installation Failure: Windows failed to install the following update with error
- 24 # Uninstallation Failure: Windows failed to uninstall the following update with error
- 213 # Revert Failure: Windows failed to revert the following update with error
- 217 # Commit Failure: Windows failed to commit the following update with error
condition: selection
falsepositives:
- Unknown
level: informational