mttaggart/wtfbins

[New WTFBin]: Update.exe

redblueops opened this issue · 1 comment

  • **Contributor Name:** Alexandros Pappas
  • **Application/Executable:** Update.exe
  • **WTF Behavior Description:** 'LOLBIN created a PowerShell script file Prevent' generated by XDR BIOC detected on host XXXX involving user XXXX\XXXX
  • **Link to Documentation of Behavior:** N/A
  • **Images for additional evidence:** Please see attached images.
    Attached images: wtfbin, wtfbin1, ![wtfbin2](https://github.com/user-attachments/assets/68079b06-fc78-419d-a292-5807d037f94c)

Hey @redblueops, thank you for the submission!

I think this one needs a bit more detail. Update.exe is a common tool used by Squirrel apps, and its behavior is largely up to the updating application. This is not necessarily an unexpected behavior for an installation/update service. This seems more like a tuning issue for the XDR.

Unless this particular PowerShell script is particularly weird, I am gonna close this one out.
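The maintainer's point is that Update.exe is the Squirrel.Windows updater and that what it does is decided by the application that ships it, so an XDR exclusion keyed on the file name alone would be too broad. The following triage script is an added example for this thread; it is not code from the issue, from wtfbins, or from the Squirrel project. It assumes the usual Squirrel per-user layout, `%LOCALAPPDATA%\<AppName>\Update.exe` next to `app-<version>\` folders, and inventories every Update.exe found there with its Authenticode signer, version resource and SHA-256, so a tuning rule can be scoped to a specific signed application rather than to the name "Update.exe". The `$Roots` parameter and the `SquirrelLayout` heuristic are assumptions for illustration.

```powershell
# Added triage helper for the Update.exe alert discussed above (not part of
# wtfbins or Squirrel). Inventories Update.exe binaries in the Squirrel
# per-user install layout (%LOCALAPPDATA%\<AppName>\Update.exe) and reports
# signer, version resource and hash, so an XDR exclusion can be scoped to a
# specific, signed application instead of the bare file name.
# Assumption: Squirrel apps live under %LOCALAPPDATA%; pass other roots via -Roots.

param(
    [string[]] $Roots = @($env:LOCALAPPDATA)
)

$results = foreach ($root in $Roots) {
    # Depth 1: <root>\<AppName>\Update.exe, which is where Squirrel places it
    Get-ChildItem -Path $root -Filter 'Update.exe' -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $info = $_.VersionInfo

            # Heuristic (assumption): a Squirrel app folder contains one or more app-<version> dirs
            $hasAppDirs = [bool](Get-ChildItem -Path $_.DirectoryName -Directory -Filter 'app-*' -ErrorAction SilentlyContinue)

            [pscustomobject]@{
                Path           = $_.FullName
                AppDir         = $_.Directory.Name
                Product        = $info.ProductName
                Company        = $info.CompanyName
                FileVersion    = $info.FileVersion
                SigStatus      = $sig.Status
                Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SquirrelLayout = $hasAppDirs
            }
        }
}

# Summary table for the analyst
$results | Sort-Object SigStatus, AppDir | Format-Table -AutoSize

# Anything unsigned, untrusted, or outside the expected layout should not be
# excluded wholesale; those instances deserve a closer look before tuning.
$results |
    Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.SquirrelLayout } |
    ForEach-Object {
        Write-Warning "Review before excluding: $($_.Path) (signature=$($_.SigStatus), squirrelLayout=$($_.SquirrelLayout))"
    }
```

Run it as the user the alert fired for, since the Squirrel layout is per-user. The useful output for tuning is the combination of `AppDir`, `Signer` and `Sha256`: an exclusion built on those fields covers the legitimate updater that tripped the BIOC while still flagging an unsigned or oddly placed binary that happens to be named Update.exe.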