wuauclt.exe

  • File Path: C:\Windows\system32\wuauclt.exe
  • Description: Windows Update

Hashes

Type Hash
MD5 95E303BF80AECA5A296E519C61F42427
SHA1 B523E0CD46B3E5F6CDCD6F99E8CC9932D9585B9E
SHA256 AC52D02086B83A2FA92E305E1EACD490101D08BE6C47210989BAA192E030DC06
SHA384 9C899FC7C606C6A2B9BF926510CBE2A902F82DAE7496BEBF83A844C066107C44BE2F01D8CBEF3B8F6952D63F4F3E5FEB
SHA512 884A18F68FE328958AD7B0EBA5A13515C517992423CF123DC81D44D0EAC5988771F7958D877997E9BFCA74427F99E2B87EFBCA8A44132164A6928E0368D3F125
SSDEEP 1536:HK0TzC8tY6HAqCsd56ncymh7TpkwsZYm+P/:HKE+8tY6H/FPRkLYm+n

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wuauclt.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wuauclt.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.423 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.423
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\wuauclt.exe 88
C:\Windows\system32\wuauclt.exe 68
C:\Windows\system32\wuauclt.exe 68
C:\Windows\system32\wuauclt.exe 90

Possible Misuse

The following table contains possible examples of wuauclt.exe being misused. While wuauclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_connection_win_wuauclt_network_connection.yml title: Wuauclt Network Connection DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml Image\|contains: wuauclt DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml - Legitimate use of wuauclt.exe over the network. DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml CommandLine\|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml title: Proxy Execution via Wuauclt DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - Image\|contains: wuauclt DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - OriginalFileName: wuauclt.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \wuauclt.exe DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml description: Detects code execution via the Windows Update client (wuauclt) DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml - '\wuauclt.exe' DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml Image\|endswith: '\Wuauclt.exe' DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml CommandLine\|endswith: '\Wuauclt.exe' DRL 1.0
sigma registry_event_persistence_search_order.yml - C:\WINDOWS\system32\wuauclt.exe DRL 1.0
LOLBAS Wuauclt.yml Name: wuauclt.exe  
LOLBAS Wuauclt.yml - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer  
LOLBAS Wuauclt.yml - Path: C:\Windows\System32\wuauclt.exe  
LOLBAS Wuauclt.yml - IOC: wuauclt run with a parameter of a DLL path  
LOLBAS Wuauclt.yml - IOC: Suspicious wuauclt Internet/network connections  
LOLBAS Wuauclt.yml - Link: https://dtm.uk/wuauclt/  
signature-base apt_putterpanda.yar $x0 = “WUAUCLT.EXE” fullword wide /* PEStudio Blacklist: strings / / score: ‘20.01’ */ CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.