There's some really cool research coming from @dtmsecurity.... Keep an eye on the @MDSecLabs blog for more info
I found an interesting #LOLBIN using Windows Update Client (wuauclt.exe) as a loader - blog, pull request to LOLBAS and in-the-wild sample here dtm.uk/wuauclt/ - I am hoping to finalise some of my work on the methodology I used soon @MDSecLabs so keep your eyes posted.
I guess it's a smell of TTPs burning in the morning! 🔥 Great find guys! Btw customizing DLL path via /UpdateDeploymentProvider was introduced only in Windows 10. On Windows 7 it will always default to loading wuaueng.dll from System32 and this option is missing.
8:16 AM · Oct 13, 2020
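The thread above describes wuauclt.exe loading a DLL chosen with /UpdateDeploymentProvider, with the default being wuaueng.dll from System32 (and no such switch at all on Windows 7). The following is an added detection example, not code from the thread, from MDSec or from LOLBAS: it triages process-creation command lines and flags any wuauclt.exe invocation whose /UpdateDeploymentProvider argument resolves outside System32. It assumes the DLL path is the argument immediately following the switch, that SystemRoot is C:\Windows, and it runs over constructed sample command lines rather than real telemetry.

```python
"""Triage process-creation command lines for wuauclt.exe /UpdateDeploymentProvider abuse.

Added example, not code from the original thread. Assumptions: the DLL path is the
token that follows /UpdateDeploymentProvider, and SystemRoot is C:\\Windows.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: SystemRoot is C:\Windows. On hosts with a different SystemRoot,
# take the value from the event's environment instead of hard-coding it.
SYSTEM32 = r"c:\windows\system32" + "\\"

# Tokens are either a double-quoted run (quotes stripped) or a bare run of non-space.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens = []
    for m in _TOKEN.finditer(cmdline):
        tokens.append(m.group(1) if m.group(1) is not None else m.group(2))
    return tokens


@dataclass
class Verdict:
    image: str                    # basename of the launched image, lower-cased
    provider_path: Optional[str]  # path as written on the command line, None if absent
    verdict: str                  # "not-wuauclt", "default", "system32-override", "suspicious"


def triage(cmdline: str) -> Verdict:
    """Classify one command line by where /UpdateDeploymentProvider points."""
    tokens = split_windows_cmdline(cmdline)
    image = ntpath.basename(tokens[0]).lower() if tokens else ""
    if image != "wuauclt.exe":
        return Verdict(image, None, "not-wuauclt")

    provider = None
    for i in range(1, len(tokens) - 1):
        if tokens[i].lower() == "/updatedeploymentprovider":
            provider = tokens[i + 1]
            break
    if provider is None:
        # Without the switch the client loads wuaueng.dll from System32. This is
        # also the only behaviour on Windows 7, where the switch does not exist,
        # so this rule cannot fire there.
        return Verdict(image, None, "default")

    # normpath collapses "..", so System32\..\Temp\x.dll is judged by where it
    # actually resolves; normcase lower-cases and unifies separators.
    resolved = ntpath.normcase(ntpath.normpath(provider))
    if ntpath.isabs(resolved) and resolved.startswith(SYSTEM32):
        return Verdict(image, provider, "system32-override")
    # Relative paths and anything outside System32 are attacker-choosable.
    return Verdict(image, provider, "suspicious")


def suspicious_command_lines(cmdlines: List[str]) -> List[str]:
    """Return only the command lines that load a provider DLL from outside System32."""
    return [c for c in cmdlines if triage(c).verdict == "suspicious"]


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    # Legacy scan trigger; no provider override.
    r'"C:\Windows\System32\wuauclt.exe" /detectnow',
    # Override that still points at the default DLL location.
    r'C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll',
    # Override loading a DLL from a user-writable directory.
    r'wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\payload.dll',
    # Traversal out of System32, hidden behind a System32 prefix.
    r'wuauclt.exe /UpdateDeploymentProvider "C:\Windows\System32\..\Temp\payload.dll"',
    # Unrelated process, ignored.
    r'"C:\Windows\System32\svchost.exe" -k netsvcs',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        v = triage(line)
        print(f"{v.verdict:18} {v.provider_path or '-':45} {line}")
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records. Treat "system32-override" as worth a look rather than an alert, since a non-default DLL in System32 would itself need explaining; "suspicious" is the case the thread describes.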


