Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Sigma rule (View on GitHub)
1title: Proxy Execution Via Wuauclt.EXE
2id: af77cf95-c469-471c-b6a0-946c685c4798
3related:
4 - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
5 type: obsolete
6 - id: d7825193-b70a-48a4-b992-8b5b3015cc11
7 type: obsolete
8status: test
9description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
10references:
11 - https://dtm.uk/wuauclt/
12 - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
13author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
14date: 2020-10-12
15modified: 2023-11-11
16tags:
17 - attack.defense-evasion
18 - attack.t1218
19 - attack.execution
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\wuauclt.exe'
26 - OriginalFileName: 'wuauclt.exe'
27 selection_cli:
28 CommandLine|contains|all:
29 - 'UpdateDeploymentProvider'
30 - 'RunHandlerComServer'
31 filter_main_generic:
32 # Note: Please enhance this if you find the full path
33 CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
34 filter_main_wuaueng:
35 # Note: Please enhance this if you find the full path
36 CommandLine|contains: ' wuaueng.dll '
37 filter_main_uus:
38 CommandLine|contains:
39 - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
40 - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
41 filter_main_winsxs:
42 CommandLine|contains|all:
43 - ':\Windows\WinSxS\'
44 - '\UpdateDeploy.dll /ClassId '
45 condition: all of selection_* and not 1 of filter_main_*
46falsepositives:
47 - Unknown
48level: high
References
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Binary Proxy Execution Via Dotnet-Trace.EXE