Rare MS-Update Server was detected

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

2 Days

Required Data

  • Requires:
    • Palo Alto Networks Platform Logs

Detection Modules

Detector Tags

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Trusted Relationship (T1199)

Severity

Informational

Description

The endpoint requested an MS-Update operation from a rare update server.

Attacker's Goals

  • The Windows Server Update Services enables machines to discover and download software updates from a dedicated update server.
  • Attacker may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.

Investigative actions

  • Inspect the legitimacy of the server as a WSUS functioning server.
  • Verify that your MS-Update network routine is of HTTPS enforced
  • Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.

Variations

Rare MS-Update Server was detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Trusted Relationship (T1199)

Severity

Informational

Description

The endpoint requested an MS-Update operation from a rare update server.

Attacker's Goals

  • The Windows Server Update Services enables machines to discover and download software updates from a dedicated update server.
  • Attacker may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.

Investigative actions

  • Inspect the legitimacy of the server as a WSUS functioning server.
  • Verify that your MS-Update network routine is of HTTPS enforced
  • Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.