title: Wuauclt Network Connection
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
    proxy execute code and making a network connections. One could easily make the
    DLL spawn a new process and inject to it to proxy the network connection and bypass
    this rule.
detection:
    SELECTION_1:
        EventID: 3
    SELECTION_2:
        Image: '*wuauclt*'
    condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use of wuauclt.exe over the network.
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
level: medium
logsource:
    category: network_connection
    product: windows
references:
- https://dtm.uk/wuauclt/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
yml_filename: sysmon_wuauclt_network_connection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection