Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potentially Suspicious Wuauclt Network Connection

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Mon Oct 12Updated Tue Mar 12c649a6c7-cd8c-4a78-9c04-000fc76df954windows
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Definition

Requirements: The CommandLine field enrichment is required in order for this rule to be used.

Detection Logic
Detection Logic7 selectors
detection:
    selection:
        Image|contains: 'wuauclt'
        CommandLine|contains: ' /RunHandlerComServer'
    # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
    filter_main_ip:
        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16'  # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_msrange:  # Sysmon
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.79.0.0/16' # Microsoft Corporation
            - '51.10.0.0/15'
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    filter_main_cli_null:
        CommandLine: null
    filter_main_cli_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
dtm.uk
MITRE ATT&CK
Rule Metadata
Rule ID
c649a6c7-cd8c-4a78-9c04-000fc76df954
Status
test
Level
medium
Type
Detection
Created
Mon Oct 12
Modified
Tue Mar 12
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Path
rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
Raw Tags
attack.defense-evasionattack.t1218
View on GitHub