Rules: Windows Update Agent DLL Changed
The Windows Update Agent executable, wuauclt.exe, can be abused by attackers to execute malicious code with elevated privileges by changing the DLL file loaded by the process. This technique is most commonly reported as part of phishing campaigns where the initial payload is a macro-enabled Microsoft Word document.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | user_username, device_hostname |
| Signal Name | Windows Update Agent DLL Changed |
| Summary Expression | User {{user_username}} ran a command on host {{device_hostname}} to modify the Windows Update Agent |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTechnique:T1218.011, _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1129 |
| Origin | Field |
|---|---|
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | user_username |