← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potentially Suspicious Wuauclt Network Connection

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

Quality
48
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
title: Potentially Suspicious Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
description: |
    Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
    One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
references:
    - https://dtm.uk/wuauclt/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2024-03-12
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'
detection:
    selection:
        Image|contains: 'wuauclt'
        CommandLine|contains: ' /RunHandlerComServer'
    # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
    filter_main_ip:
        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16'  # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_msrange:  # Sysmon
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.79.0.0/16' # Microsoft Corporation
            - '51.10.0.0/15'
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    filter_main_cli_null:
        CommandLine: null
    filter_main_cli_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium