There's some really cool research coming from @dtmsecurity.... Keep an eye on the @MDSecLabs blog for more info
I found an interesting #LOLBIN using Windows Update Client (wuauclt.exe) as a loader - blog, pull request to LOLBAS and in the wild sample here dtm.uk/wuauclt/ - I am hoping to finalise some of my work on the methodology I used soon @MDSecLabs so keep your eyes posted.
I guess it's a smell of TTPs burning in the morning! 🔥😀 Great find guys! Btw customizing DLL path via /UpdateDeploymentProvider was introduced only in Windows 10. On Windows 7 it will always default to loading wuaueng.dll from System32 and this option is missing.
Thanks for the information buddy, suspected it had not been there in earlier versions but did not do much digging 😅
Windows 7 is not that relevant anyway 😀 Great job!

8:35 AM · Oct 13, 2020
