
evasion_execution_imageload_wuauclt_lolbas.evtx #18

Closed
frack113 opened this issue Nov 9, 2021 · 2 comments

Comments


frack113 commented Nov 9, 2021

Hi,
I have tried to match Sigma to this evtx.
In this file the malicious command is in ParentCommandLine, but when I try on Windows 10 it is in CommandLine.

Is it a special case or a bad capture?

Thanks

@sbousseaden (Owner)

Hi, it's not really a bad capture (the first process execution was missed); there are legit cases where wuauclt.exe runs DLLs from random paths, so the most resilient (and few-FP) approach is to use Sysmon event ID 7 and look for unsigned DLLs loaded there, OR look for unusual child processes of wuauclt.exe. The ParentCommandLine /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer in the capture was due to wuauclt.exe spawning a child after executing code in helpa.dll.
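The two detection approaches described in the reply above, as an added example that is not part of the issue or the EVTX-ATTACK-SAMPLES repository: Python checks run over constructed Sysmon events (field names Image, ImageLoaded, Signed and ParentImage as Sysmon emits them). The EXPECTED_CHILDREN allow-list and the cmd.exe child in the sample are assumptions made for the example.

```python
# Added example (not from the issue or the repository): Sysmon EID 7 unsigned
# DLL check and EID 1 unusual-child check for wuauclt.exe, over constructed events.

# Children of wuauclt.exe tolerated by the example; an assumption, not a vetted baseline.
EXPECTED_CHILDREN = {"conhost.exe", "werfault.exe"}

def is_unsigned_dll_in_wuauclt(event: dict) -> bool:
    """Sysmon EID 7 (ImageLoad): wuauclt.exe loading a DLL that is not signed."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    if not image.endswith("\\wuauclt.exe"):
        return False
    return event.get("Signed", "").lower() == "false"

def is_unusual_wuauclt_child(event: dict) -> bool:
    """Sysmon EID 1 (ProcessCreate): wuauclt.exe spawning a child outside the allow-list."""
    if event.get("EventID") != 1:
        return False
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith("\\wuauclt.exe"):
        return False
    child = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    return child not in EXPECTED_CHILDREN

def triage(events):
    """Return (event_index, reason) for every event matching either check."""
    hits = []
    for i, ev in enumerate(events):
        if is_unsigned_dll_in_wuauclt(ev):
            hits.append((i, "unsigned DLL loaded by wuauclt.exe"))
        elif is_unusual_wuauclt_child(ev):
            hits.append((i, "unusual child process of wuauclt.exe"))
    return hits

# Constructed sample events mirroring the scenario in the issue (helpa.dll path and
# command line from the thread; the cmd.exe child is an assumed placeholder).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\ProgramData\Intel\helpa.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\Windows\System32\wuaueng.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wuauclt.exe",
     "ParentCommandLine": r"wuauclt.exe /UpdateDeploymentProvider "
                          r"C:\ProgramData\Intel\helpa.dll /RunHandlerComServer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\wuauclt.exe"},
]
```

Event 1 (the signed Windows Update engine DLL) and event 3 (conhost.exe) are the benign cases the reply warns about; only the unsigned load and the unexpected child are flagged.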

@frack113 (Author)

Ok,
Thanks for the answer.
