Potentially Suspicious Wuauclt Network Connection

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy-execute code and make network connections. One could easily make the DLL spawn a new process and inject into it to proxy the network connection and bypass this rule.

Sigma rule (View on GitHub)

```yaml
title: Potentially Suspicious Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
description: |
    Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
    One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
references:
    - https://dtm.uk/wuauclt/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
modified: 2023/11/17
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'
detection:
    selection:
        Image|contains: 'wuauclt'
        CommandLine|contains: ' /RunHandlerComServer'
    # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
    filter_main_ipv4:
        DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
            - '10.'
            - '127.'
            - '169.254.'  # link-local address
            - '172.16'
            - '172.17'
            - '172.18'
            - '172.19'
            - '172.20'
            - '172.21'
            - '172.22'
            - '172.23'
            - '172.24'
            - '172.25'
            - '172.26'
            - '172.27'
            - '172.28'
            - '172.29'
            - '172.30'
            - '172.31'
            - '192.168'
    filter_main_ipv6:
        DestinationIp|startswith:
            - '::1'
            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
            - 'fe80:'  # link-local address
            - 'fc'  # private address range fc00::/7
            - 'fd'  # private address range fc00::/7
    filter_main_msrange:  # Sysmon
        DestinationIp|startswith:
            # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others
            - '20.184.'
            - '20.185.'
            - '20.186.'
            - '20.187.'
            - '20.188.'
            - '20.189.'
            - '20.190.'
            - '20.191.'
            - '20.220.'
            - '20.221.'
            - '23.79.'
            - '51.10.'
            - '51.103.'
            - '51.104.'
            - '51.105.'
            - '52.239.'
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    filter_main_cli_null:
        CommandLine: null
    filter_main_cli_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
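To see how the selection and the `filter_main_*` exclusions combine, here is an added Python evaluator (not part of the rule or of the Sigma project's code) run over three constructed network_connection events. The `/UpdateDeploymentProvider` switch in the second event comes from the referenced dtm.uk write-up; the DLL path, image paths and destination addresses are assumptions, and the third event shows that prefixes such as `172.16` written without a trailing dot also exclude public addresses like 172.160.x.x.

```python
from typing import Optional

# Filter prefixes copied from the rule above; the 172.16-172.31 list is generated.
IPV4_PRIVATE = ["10.", "127.", "169.254."] + [f"172.{n}" for n in range(16, 32)] + ["192.168"]
IPV6_LOCAL = ["::1", "0:0:0:0:0:0:0:1", "fe80:", "fc", "fd"]
MS_RANGES = ["20.184.", "20.185.", "20.186.", "20.187.", "20.188.", "20.189.", "20.190.",
             "20.191.", "20.220.", "20.221.", "23.79.", "51.10.", "51.103.", "51.104.",
             "51.105.", "52.239."]
UUS_PATHS = [":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId",
             ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId"]
WINSXS_PARTS = [":\\Windows\\WinSxS\\", "\\UpdateDeploy.dll /ClassId "]


def matches(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one event.

    Sigma's contains/startswith modifiers match case-insensitively, so all
    string comparisons are done on lower-cased values."""
    image = (event.get("Image") or "").lower()
    cmd: Optional[str] = event.get("CommandLine")
    dst = (event.get("DestinationIp") or "").lower()
    # selection: a null or empty CommandLine can never satisfy it, so the
    # filter_main_cli_null / filter_main_cli_empty filters are implied here.
    if "wuauclt" not in image or not cmd or " /runhandlercomserver" not in cmd.lower():
        return False
    cmd = cmd.lower()
    if any(dst.startswith(p) for p in IPV4_PRIVATE + IPV6_LOCAL + MS_RANGES):
        return False  # filter_main_ipv4 / filter_main_ipv6 / filter_main_msrange
    if any(p.lower() in cmd for p in UUS_PATHS):
        return False  # filter_main_uus: stock UpdateDeploy.dll under \Windows\UUS
    if all(p.lower() in cmd for p in WINSXS_PARTS):
        return False  # filter_main_winsxs
    return True


def alerting(events: list) -> list:
    """Names of the events that would raise this rule."""
    return [e["name"] for e in events if matches(e)]


# Constructed sample events (not real telemetry). The first reproduces the
# benign command line quoted in the rule's comment; the other two use a DLL
# outside the Windows update directories (path is a made-up placeholder).
ROGUE_CMD = ('"C:\\Windows\\System32\\wuauclt.exe" /UpdateDeploymentProvider '
             'C:\\Users\\Public\\sample.dll /RunHandlerComServer')
EVENTS = [
    {"name": "stock_updatedeploy", "Image": "C:\\WINDOWS\\uus\\AMD64\\wuauclt.exe",
     "CommandLine": '"C:\\WINDOWS\\uus\\AMD64\\wuauclt.exe" /DeploymentHandlerFullPath '
                    '\\\\?\\C:\\Windows\\UUS\\AMD64\\UpdateDeploy.dll /ClassId '
                    'aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer',
     "DestinationIp": "20.190.1.2"},
    {"name": "rogue_dll_public_dst", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "CommandLine": ROGUE_CMD, "DestinationIp": "203.0.113.5"},
    {"name": "rogue_dll_172_160_dst", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "CommandLine": ROGUE_CMD, "DestinationIp": "172.160.9.9"},  # public, yet excluded
]
```

Running `alerting(EVENTS)` returns only `rogue_dll_public_dst`; the 172.160.x.x connection is silently dropped by the `172.16` prefix, which is worth knowing when tuning the filter.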
