EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

MITRE ATT&CK

T1218
defense-evasionexecution

Detection Query

selection_img:
  - Image|endswith: \wuauclt.exe
  - OriginalFileName: wuauclt.exe
selection_cli:
  CommandLine|contains|all:
    - UpdateDeploymentProvider
    - RunHandlerComServer
filter_main_generic:
  CommandLine|contains: " /UpdateDeploymentProvider UpdateDeploymentProvider.dll "
filter_main_wuaueng:
  CommandLine|contains: " wuaueng.dll "
filter_main_uus:
  CommandLine|contains:
    - :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId
    - :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId
filter_main_winsxs:
  CommandLine|contains|all:
    - :\Windows\WinSxS\
    - "\\UpdateDeploy.dll /ClassId "
condition: all of selection_* and not 1 of filter_main_*

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team

Created

2020-10-12

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1218attack.execution
Raw Content
title: Proxy Execution Via Wuauclt.EXE
id: af77cf95-c469-471c-b6a0-946c685c4798
related:
    - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
      type: obsolete
    - id: d7825193-b70a-48a4-b992-8b5b3015cc11
      type: obsolete
status: test
description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
references:
    - https://dtm.uk/wuauclt/
    - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
date: 2020-10-12
modified: 2023-11-11
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wuauclt.exe'
        - OriginalFileName: 'wuauclt.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'UpdateDeploymentProvider'
            - 'RunHandlerComServer'
    filter_main_generic:
        # Note: Please enhance this if you find the full path
        CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
    filter_main_wuaueng:
        # Note: Please enhance this if you find the full path
        CommandLine|contains: ' wuaueng.dll '
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high