| sigma |
net_connection_win_wuauclt_network_connection.yml |
title: Wuauclt Network Connection |
DRL 1.0 |
| sigma |
net_connection_win_wuauclt_network_connection.yml |
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. |
DRL 1.0 |
| sigma |
net_connection_win_wuauclt_network_connection.yml |
- https://dtm.uk/wuauclt/ |
DRL 1.0 |
| sigma |
net_connection_win_wuauclt_network_connection.yml |
Image\|contains: wuauclt |
DRL 1.0 |
| sigma |
net_connection_win_wuauclt_network_connection.yml |
- Legitimate use of wuauclt.exe over the network. |
DRL 1.0 |
| sigma |
proc_creation_win_lolbas_execution_of_wuauclt.yml |
title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL |
DRL 1.0 |
| sigma |
proc_creation_win_lolbas_execution_of_wuauclt.yml |
description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. |
DRL 1.0 |
| sigma |
proc_creation_win_lolbas_execution_of_wuauclt.yml |
- https://dtm.uk/wuauclt/ |
DRL 1.0 |
| sigma |
proc_creation_win_lolbas_execution_of_wuauclt.yml |
CommandLine\|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' |
DRL 1.0 |
| sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
title: Proxy Execution via Wuauclt |
DRL 1.0 |
| sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. |
DRL 1.0 |
| sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
- https://dtm.uk/wuauclt/ |
DRL 1.0 |
| sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
- Image\|contains: wuauclt |
DRL 1.0 |
| sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
- OriginalFileName: wuauclt.exe |
DRL 1.0 |
| sigma |
proc_creation_win_susp_spoolsv_child_processes.yml |
- \wuauclt.exe |
DRL 1.0 |
| sigma |
proc_creation_win_susp_wuauclt.yml |
description: Detects code execution via the Windows Update client (wuauclt) |
DRL 1.0 |
| sigma |
proc_creation_win_susp_wuauclt.yml |
- https://dtm.uk/wuauclt/ |
DRL 1.0 |
| sigma |
proc_creation_win_susp_wuauclt.yml |
- '\wuauclt.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_wuauclt_cmdline.yml |
description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags |
DRL 1.0 |
| sigma |
proc_creation_win_susp_wuauclt_cmdline.yml |
Image\|endswith: '\Wuauclt.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_wuauclt_cmdline.yml |
CommandLine\|endswith: '\Wuauclt.exe' |
DRL 1.0 |
| sigma |
registry_event_persistence_search_order.yml |
- C:\WINDOWS\system32\wuauclt.exe |
DRL 1.0 |
| LOLBAS |
Wuauclt.yml |
Name: wuauclt.exe |
|
| LOLBAS |
Wuauclt.yml |
- Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer |
|
| LOLBAS |
Wuauclt.yml |
- Path: C:\Windows\System32\wuauclt.exe |
|
| LOLBAS |
Wuauclt.yml |
- IOC: wuauclt run with a parameter of a DLL path |
|
| LOLBAS |
Wuauclt.yml |
- IOC: Suspicious wuauclt Internet/network connections |
|
| LOLBAS |
Wuauclt.yml |
- Link: https://dtm.uk/wuauclt/ |
|
| signature-base |
apt_putterpanda.yar |
$x0 = “WUAUCLT.EXE” fullword wide /* PEStudio Blacklist: strings / / score: ‘20.01’ */ |
CC BY-NC 4.0 |