Proxy Execution Via Wuauclt.EXE

 1title: Proxy Execution Via Wuauclt.EXE
 2id: af77cf95-c469-471c-b6a0-946c685c4798
 3related:
 4    - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
 5      type: obsoletes
 6    - id: d7825193-b70a-48a4-b992-8b5b3015cc11
 7      type: obsoletes
 8status: test
 9description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
10references:
11    - https://dtm.uk/wuauclt/
12    - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
13author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
14date: 2020/10/12
15modified: 2023/11/11
16tags:
17    - attack.defense_evasion
18    - attack.t1218
19    - attack.execution
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\wuauclt.exe'
26        - OriginalFileName: 'wuauclt.exe'
27    selection_cli:
28        CommandLine|contains|all:
29            - 'UpdateDeploymentProvider'
30            - 'RunHandlerComServer'
31    filter_main_generic:
32        # Note: Please enhance this if you find the full path
33        CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
34    filter_main_wuaueng:
35        # Note: Please enhance this if you find the full path
36        CommandLine|contains: ' wuaueng.dll '
37    filter_main_uus:
38        CommandLine|contains:
39            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
40            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
41    filter_main_winsxs:
42        CommandLine|contains|all:
43            - ':\Windows\WinSxS\'
44            - '\UpdateDeploy.dll /ClassId '
45    condition: all of selection_* and not 1 of filter_main_*
46falsepositives:
47    - Unknown
48level: high