Detection rules › Sigma
Potentially Suspicious Wuauclt Network Connection
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: selection
CommandLine|contains: ' /RunHandlerComServer'
Image|contains: wuauclt
Stage 2: not 1 of filter_main_*
or:
CommandLine|contains: ':\Windows\WinSxS\'
CommandLine|contains: '\UpdateDeploy.dll /ClassId '
CommandLine: ''
CommandLine: null
CommandLine|contains: ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
CommandLine|contains: ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
DestinationIp|cidr: '10.0.0.0/8'
DestinationIp|cidr: '127.0.0.0/8'
DestinationIp|cidr: '169.254.0.0/16'
DestinationIp|cidr: '172.16.0.0/12'
DestinationIp|cidr: '192.168.0.0/16'
DestinationIp|cidr: '20.184.0.0/13'
DestinationIp|cidr: '20.192.0.0/10'
DestinationIp|cidr: '23.79.0.0/16'
DestinationIp|cidr: '51.10.0.0/15'
DestinationIp|cidr: '51.103.0.0/16'
DestinationIp|cidr: '51.104.0.0/15'
DestinationIp|cidr: '52.224.0.0/11'
DestinationIp|cidr: '::1/128'
DestinationIp|cidr: 'fc00::/7'
DestinationIp|cidr: 'fe80::/10'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
DestinationIp | cidr_match |
|
Image | match |
|