From 651e156583ebe2edc1779aec0d8a3d960a8ea5a9 Mon Sep 17 00:00:00 2001 From: "@dtmsecurity" Date: Mon, 12 Oct 2020 19:24:45 +0100 Subject: [PATCH] Create Wuauclt.yml --- yml/OSBinaries/Wuauclt.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/Wuauclt.yml diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml new file mode 100644 index 0000000..ba02158 --- /dev/null +++ b/yml/OSBinaries/Wuauclt.yml @@ -0,0 +1,26 @@ +--- +Name: wuauclt.exe +Description: Windows Update Client +Author: 'David Middlehurst' +Created: '2020-09-23' +Commands: + - Command: wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer + Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. + Usecase: Execute dll via attach/detach methods + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\wuauclt.exe +Code_Sample: +- Code: +Detection: + - IOC: wuauclt run with a parameter of a DLL path +Resources: + - Link: https://dtm.uk/wuauclt/ +Acknowledgement: + - Person: David Middlehurst + Handle: '@dtmsecurity' +---
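Review bot: In the Commands entry, the Description refers to Full_Path_To_DLL, but the Command string as shown (wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer) contains no such placeholder, so a reader cannot tell where the DLL path belongs. Put the placeholder in the Command string at the position the argument takes so the two lines agree. In the same Description, "abosolute" should be "absolute". The Code_Sample block has an empty Code value and should either be filled in or dropped. The Detection IOC "wuauclt run with a parameter of a DLL path" would be easier to turn into a rule if it also named the /UpdateDeploymentProvider and /RunHandlerComServer switches from the Command line, since those are what distinguish this invocation from normal Windows Update Client activity.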