Security researcher David Middlehurst (@dtmsecurity) posted a blog yesterday briefly detailing a method that attackers could use to evade detection by using the Windows Update client to run arbitrary DLLs on the system. By launching the client with the “/UpdateDeploymentProvider” command line argument followed by the file path to a malicious DLL and then the “/RunHandlerComServer” argument, it is possible to get code execution through Windows Update. After his discovery, Middlehurst also found a sample in the wild taking advantage of this functionality. Although the original post does not provide a lot of detail, a second blog post through @MDSecLabs is expected to follow.
Leveraging Microsoft-signed binaries to run code could allow an attacker to bypass typical anti-virus solutions and certificate validations. Defenders should be on the lookout for process execution events where “wuauclt.exe” is launched with both the “/UpdateDeploymentProvider” and “/RunHandlerComServer” command line arguments. If legitimate usage exists in the environment, the detection can be tuned further to ignore the specific DLL paths that are known to be good.
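As an added example, not code from the original post or from MDSec, the detection logic described above is expressed in Python and run over a few constructed process-creation events. It assumes Sysmon-style `Image` and `CommandLine` fields; the sample events and DLL paths are invented placeholders, not real telemetry. The same logic maps directly onto a Sigma rule or EDR query: match the wuauclt.exe image, require both flags on the command line, and use the DLL path as the tuning knob.

```python
import re

# Constructed sample process-creation events. The field names (Image,
# CommandLine) follow the Sysmon Event ID 1 layout; the events themselves are
# invented for this example and are not real telemetry. DLL paths are
# placeholders.
SAMPLE_EVENTS = [
    # Ordinary Windows Update client invocation: should not alert.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /detectnow /updatenow'},
    # Both flags present, DLL loaded from a user-writable path: should alert.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\PLACEHOLDER.dll /RunHandlerComServer"},
    # Same technique with different casing and a quoted path containing a
    # space: should alert unless the DLL has been allowlisted during tuning.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'wuauclt.exe /updatedeploymentprovider "C:\Program Files\ExampleVendor\approved.dll" /runhandlercomserver'},
    # Unrelated process carrying a similar-looking flag: should not alert.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe /RunHandlerComServer"},
]

FLAG_PROVIDER = "/updatedeploymentprovider"
FLAG_COMSERVER = "/runhandlercomserver"


def tokenize(command_line):
    """Split a Windows command line on whitespace while keeping quoted paths
    (which may contain spaces) as a single token, then drop the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def check_event(event, allowlist=()):
    """Return an alert dict when the event matches the wuauclt.exe DLL-loading
    pattern described in the post, or None when it does not match or when the
    DLL is on the tuning allowlist."""
    image = event.get("Image", "").lower()
    if not (image.endswith("\\wuauclt.exe") or image == "wuauclt.exe"):
        return None

    tokens = tokenize(event.get("CommandLine", ""))
    lowered = [t.lower() for t in tokens]
    if FLAG_PROVIDER not in lowered or FLAG_COMSERVER not in lowered:
        return None

    # The DLL path is the token that follows /UpdateDeploymentProvider.
    idx = lowered.index(FLAG_PROVIDER)
    dll = None
    if idx + 1 < len(tokens) and not tokens[idx + 1].startswith("/"):
        dll = tokens[idx + 1]

    # Tuning hook: suppress DLL paths that have been confirmed as legitimate.
    if dll is not None and dll.lower() in {a.lower() for a in allowlist}:
        return None

    return {
        "rule": "wuauclt_update_deployment_provider_dll",
        "image": event["Image"],
        "dll": dll,
        "command_line": event["CommandLine"],
    }


def scan(events, allowlist=()):
    """Run the check over a batch of events and return the alerts raised."""
    return [a for a in (check_event(e, allowlist) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["dll"])
```

Matching is case-insensitive and tolerant of quoted paths because command lines in telemetry vary in both; the allowlist is keyed on the full DLL path rather than the file name so a copy of an approved DLL dropped into another directory still raises an alert.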