wuauclt.exe

  • File Path: C:\windows\system32\wuauclt.exe
  • Description: Windows Update

Hashes

Type Hash
MD5 96712975BEC3BA3D244B2C0D02B42A7A
SHA1 EBE9EAB10D63B7AE87B89C9FBFDA7D28CC4DBC7D
SHA256 4D781547BB37E50919D6A8598277DC9DE7DD5ED4378CBAF87CDA98E48587E31E
SHA384 1934E377D82739DAAC4D639F0B00B6F37785408A57607E64D5CAC91442DC04E81311FEF58B258790F043FC64C07D80ED
SHA512 483151B76DCB28D9840C6A01D5DCD620B20F01B3695244E8DF5D199266DA4C7A67B783C610E5D7EC3B8036588CE894CE0510923EB77AAD4485D723B7A61ACAC5
SSDEEP 3072:htEamiH8qJPhtIijg1PeBhehkJCyTqCoTa5:8GJptIijgsBhZJf97

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wuauclt.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 7.9.9600.19670 (winblue_ltsb.200307-0600)
  • Product Version: 7.9.9600.19670
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of wuauclt.exe being misused. While wuauclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_connection_win_wuauclt_network_connection.yml title: Wuauclt Network Connection DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml Image\|contains: wuauclt DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml - Legitimate use of wuauclt.exe over the network. DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml CommandLine\|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml title: Proxy Execution via Wuauclt DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - Image\|contains: wuauclt DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - OriginalFileName: wuauclt.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \wuauclt.exe DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml description: Detects code execution via the Windows Update client (wuauclt) DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml - '\wuauclt.exe' DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml Image\|endswith: '\Wuauclt.exe' DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml CommandLine\|endswith: '\Wuauclt.exe' DRL 1.0
sigma registry_event_persistence_search_order.yml - C:\WINDOWS\system32\wuauclt.exe DRL 1.0
LOLBAS Wuauclt.yml Name: wuauclt.exe  
LOLBAS Wuauclt.yml - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer  
LOLBAS Wuauclt.yml - Path: C:\Windows\System32\wuauclt.exe  
LOLBAS Wuauclt.yml - IOC: wuauclt run with a parameter of a DLL path  
LOLBAS Wuauclt.yml - IOC: Suspicious wuauclt Internet/network connections  
LOLBAS Wuauclt.yml - Link: https://dtm.uk/wuauclt/  
signature-base apt_putterpanda.yar $x0 = “WUAUCLT.EXE” fullword wide /* PEStudio Blacklist: strings / / score: ‘20.01’ */ CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.