title: Windows Update Client LOLBIN
id: d7825193-b70a-48a4-b992-8b5b3015cc11
status: experimental
description: Detects code execution via the Windows Update client (wuauclt)
references:
    - https://dtm.uk/wuauclt/
author: FPT.EagleEye Team
date: 2020/10/17
tags:
    - attack.command_and_control
    - attack.execution
    - attack.t1105
    - attack.t1218
logsource:
    product: windows
    service: process_creation
detection:
    selection:
        ProcessCommandline|contains|all: 
            - '/UpdateDeploymentProvider'
            - '/RunHandlerComServer'
        Image|endswith: 
            - '\wuauclt.exe'
    condition: selection
falsepositives:
    - Unknown
level: high