wuauclt.exe

Windows Update Client

Paths

• C:\Windows\System32\wuauclt.exe
• C:\Windows\UUS\amd64\wuauclt.exe

Commands

Execute

Loads and executes DLL code on attach.

Use case: Execute dll via attach/detach methods

Privileges: User

wuauclt.exe /UpdateDeploymentProvider {PATH_ABSOLUTE:.dll} /RunHandlerComServer

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml
• IOC: wuauclt run with a parameter of a DLL path
• IOC: Suspicious wuauclt Internet/network connections

Resources

• https://dtm.uk/wuauclt/