Sigma | medium | Hunting
Potentially Suspicious Wuauclt Network Connection
Detects the Windows Update Client binary (wuauclt.exe) being used to proxy-execute code (a handler DLL loaded via /RunHandlerComServer) that then makes outbound network connections. The rule is easy to bypass: the loaded DLL can spawn a new process and inject into it so that the network connection originates from a process other than wuauclt.exe.
Detection Query
selection:
    Image|contains: wuauclt
    CommandLine|contains: " /RunHandlerComServer"
filter_main_ip:
    DestinationIp|cidr:
        - 127.0.0.0/8
        - 10.0.0.0/8
        - 169.254.0.0/16
        - 172.16.0.0/12
        - 192.168.0.0/16
        - ::1/128
        - fe80::/10
        - fc00::/7
filter_main_msrange:
    DestinationIp|cidr:
        - 20.184.0.0/13
        - 20.192.0.0/10
        - 23.79.0.0/16
        - 51.10.0.0/15
        - 51.103.0.0/16
        - 51.104.0.0/15
        - 52.224.0.0/11
filter_main_uus:
    CommandLine|contains:
        - :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId
        - :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId
filter_main_winsxs:
    CommandLine|contains|all:
        - :\Windows\WinSxS\
        - "\\UpdateDeploy.dll /ClassId "
filter_main_cli_null:
    CommandLine: null
filter_main_cli_empty:
    CommandLine: ""
condition: selection and not 1 of filter_main_*
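The following is an added example, not part of the Sigma rule or the SigmaHQ project, that evaluates the selection and filters above over constructed Sysmon events. Because Sysmon network-connection events (Event ID 3) carry no CommandLine, the block first joins them to process-creation events (Event ID 1) on ProcessGuid, which is one way to provide the "CommandLine field enrichment" the rule's logsource definition requires. The events, ProcessGuids, paths and IPs are constructed; the `/UpdateDeploymentProvider` switch used for the suspicious command line is the documented LOLBin usage of wuauclt.exe from the referenced dtm.uk write-up, not something the rule itself names. The third event shows the rule's blind spot: the same attacker DLL connecting to an internal address is suppressed by filter_main_ip.

```python
"""Evaluate the 'Potentially Suspicious Wuauclt Network Connection' Sigma rule
over constructed Sysmon telemetry (added example, not the rule's own code)."""
import ipaddress

# Filter values copied verbatim from the rule.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
MS_RANGES = [ipaddress.ip_network(c) for c in (
    "20.184.0.0/13", "20.192.0.0/10", "23.79.0.0/16", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "52.224.0.0/11")]
UUS_PATHS = (
    ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId",
    ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId",
)


def in_cidr(ip, networks):
    """Sigma 'cidr' modifier: True when ip lies inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)  # v4/v6 mismatch is False


def contains(value, needle):
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return value is not None and needle.lower() in value.lower()


def matches_rule(event):
    """True when an enriched network_connection event satisfies
    'selection and not 1 of filter_main_*'."""
    image = event.get("Image", "")
    cli = event.get("CommandLine")
    dst = event.get("DestinationIp", "")
    selection = contains(image, "wuauclt") and contains(cli, " /RunHandlerComServer")
    if not selection:
        return False
    filters = [
        in_cidr(dst, PRIVATE_RANGES),                          # filter_main_ip
        in_cidr(dst, MS_RANGES),                               # filter_main_msrange
        any(contains(cli, p) for p in UUS_PATHS),              # filter_main_uus
        contains(cli, ":\\Windows\\WinSxS\\")
        and contains(cli, "\\UpdateDeploy.dll /ClassId "),     # filter_main_winsxs
        cli is None,                                           # filter_main_cli_null
        cli == "",                                             # filter_main_cli_empty
    ]
    return not any(filters)


def enrich(process_events, network_events):
    """Join Sysmon EID 3 to EID 1 on ProcessGuid to supply Image and
    CommandLine (the enrichment the rule's logsource definition requires).
    Unmatched network events keep their own Image and get CommandLine=None."""
    by_guid = {e["ProcessGuid"]: e for e in process_events}
    enriched = []
    for n in network_events:
        p = by_guid.get(n["ProcessGuid"], {})
        enriched.append({**n, "Image": p.get("Image", n.get("Image", "")),
                         "CommandLine": p.get("CommandLine")})
    return enriched


# Constructed sample telemetry (not real logs). GUIDs are placeholders.
PROCESS_EVENTS = [  # Sysmon Event ID 1
    {"ProcessGuid": "{A1}", "Image": "C:\\Windows\\uus\\AMD64\\wuauclt.exe",
     "CommandLine": "\"C:\\WINDOWS\\uus\\AMD64\\wuauclt.exe\" /DeploymentHandlerFullPath "
                    "\\\\?\\C:\\Windows\\UUS\\AMD64\\UpdateDeploy.dll /ClassId "
                    "aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer"},
    {"ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     # /UpdateDeploymentProvider <dll>: documented LOLBin usage (assumed here)
     "CommandLine": "wuauclt.exe /UpdateDeploymentProvider "
                    "C:\\Users\\Public\\handler.dll /RunHandlerComServer"},
]
NETWORK_EVENTS = [  # Sysmon Event ID 3
    {"ProcessGuid": "{A1}", "DestinationIp": "20.190.151.7"},  # updater -> Microsoft range
    {"ProcessGuid": "{B2}", "DestinationIp": "203.0.113.25"},  # attacker DLL -> external host
    {"ProcessGuid": "{B2}", "DestinationIp": "10.20.30.40"},   # attacker DLL -> internal relay
    {"ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "DestinationIp": "203.0.113.25"},                         # no EID 1 to join: CommandLine null
]


def run_rule(process_events, network_events):
    """Return [(DestinationIp, fired)] for every enriched network event."""
    return [(e["DestinationIp"], matches_rule(e))
            for e in enrich(process_events, network_events)]


if __name__ == "__main__":
    for dst, fired in run_rule(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{dst:>14}  {'ALERT' if fired else 'filtered'}")
```

Only the second event fires. The first is suppressed twice over (Microsoft destination range and the legitimate UpdateDeploy.dll path); the third, with an identical attacker command line, is silently dropped because the destination is RFC 1918 space, so an attacker relaying through an internal host never trips this rule; the fourth shows that without the ProcessGuid join the CommandLine field is null and the selection can never match.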
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Created
2020-10-12
Data Sources
windows / Network Connection Events
Platforms
windows
References
https://dtm.uk/wuauclt/
Tags
attack.defense-evasion, attack.t1218
Raw Content
title: Potentially Suspicious Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
description: |
    Detects the Windows Update Client binary (wuauclt.exe) being used to proxy-execute code (a handler DLL loaded via /RunHandlerComServer) that then makes outbound network connections.
    The rule is easy to bypass: the loaded DLL can spawn a new process and inject into it so that the network connection originates from a process other than wuauclt.exe.
references:
    - https://dtm.uk/wuauclt/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2024-03-12
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'
detection:
    selection:
        Image|contains: 'wuauclt'
        CommandLine|contains: ' /RunHandlerComServer'
        # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
    filter_main_ip:
        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16' # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_main_msrange: # Sysmon
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.79.0.0/16' # Microsoft Corporation
            - '51.10.0.0/15'
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    filter_main_cli_null:
        CommandLine: null
    filter_main_cli_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium