Detectionhightest

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye TeamCreated Mon Oct 12Updated Sat Nov 11af77cf95-c469-471c-b6a0-946c685c4798windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\wuauclt.exe'
        - OriginalFileName: 'wuauclt.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'UpdateDeploymentProvider'
            - 'RunHandlerComServer'
    filter_main_generic:
        # Note: Please enhance this if you find the full path
        CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
    filter_main_wuaueng:
        # Note: Please enhance this if you find the full path
        CommandLine|contains: ' wuaueng.dll '
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    condition: all of selection_* and not 1 of filter_main_*