30 lines
953 B
YAML
30 lines
953 B
YAML
title: Wuauclt Network Connection
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
|
date: 2020/10/12
|
|
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
|
|
proxy execute code and making a network connections. One could easily make the
|
|
DLL spawn a new process and inject to it to proxy the network connection and bypass
|
|
this rule.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 3
|
|
SELECTION_2:
|
|
Image: '*wuauclt*'
|
|
condition: (SELECTION_1 and SELECTION_2)
|
|
falsepositives:
|
|
- Legitimate use of wuauclt.exe over the network.
|
|
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
|
|
level: medium
|
|
logsource:
|
|
category: network_connection
|
|
product: windows
|
|
references:
|
|
- https://dtm.uk/wuauclt/
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1218
|
|
yml_filename: sysmon_wuauclt_network_connection.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
|
|
|