Even Windows Update Can Be Used as an Intrusion Tool

October 13, 2020

Security researcher David Middlehurst (@dtmsecurity) posted a blog yesterday briefly detailing a method that attackers could use to evade detection by using the Windows Update client to run arbitrary DLLs on the system. By passing the “/UpdateDeploymentProvider” command line argument, followed by the file path of a malicious DLL and then the “/RunHandlerComServer” argument, it is possible to obtain code execution through Windows Update. After his discovery, Middlehurst also found a sample in the wild taking advantage of this functionality. Although the original post does not provide a lot of detail, a more detailed follow-up blog post through @MDSecLabs is expected.

Analyst Notes

Leveraging Microsoft-signed binaries to run code could allow an attacker to bypass typical anti-virus solutions and certificate validation. Defenders should be on the lookout for process execution events where “wuauclt.exe” is launched with both the “/UpdateDeploymentProvider” and “/RunHandlerComServer” command line arguments. If legitimate usage exists in the environment, the detection can be tuned further to ignore the specific DLL paths that are expected.
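The detection described in the analyst notes, as an added example that is not part of the original post: a small Python hunt that scans process-creation events for wuauclt.exe launched with both switches, extracts the DLL path that follows “/UpdateDeploymentProvider”, suppresses paths an analyst has already verified (the tuning step above), and raises the severity when the DLL sits in a user-writable location. The event records, field names, the allowlist entry and the user-writable heuristic are all constructed assumptions for the example, not a vendor schema or telemetry from the case.

```python
"""Hunt for wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer.

Added example: event dicts mimic Sysmon/EDR process-creation records, but the
field names ("image", "cmdline", "parent") are assumptions for this sketch.
"""
import re
from typing import Iterable, Optional

# Hypothetical allowlist of DLL paths an analyst has verified as legitimate
# after investigation (the tuning step from the analyst notes). The entry
# below is a constructed placeholder, not a real product path.
ALLOWED_DLLS = {
    r"c:\program files\examplevendor\updatehandler.dll",
}

# Directories an unprivileged user can normally write to. A handler DLL
# loaded from here gets a higher severity (analyst heuristic, an assumption).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def analyze(event: dict) -> Optional[dict]:
    """Return a finding dict for a suspicious wuauclt.exe launch, else None."""
    image = event.get("image", "").lower()
    if not (image == "wuauclt.exe" or image.endswith("\\wuauclt.exe")):
        return None
    tokens = tokenize(event.get("cmdline", ""))
    # Case-insensitive switch comparison; a leading '-' is treated like '/'
    # defensively (an assumption, the post only shows the '/' form).
    lowered = ["/" + t[1:] if t.startswith("-") else t for t in (t.lower() for t in tokens)]
    if "/updatedeploymentprovider" not in lowered or "/runhandlercomserver" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    dll = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    if dll.lower() in ALLOWED_DLLS:
        return None  # tuned out: DLL path verified as legitimate in this environment
    severity = "high" if any(m in dll.lower() for m in USER_WRITABLE) else "medium"
    return {
        "rule": "wuauclt-runhandlercomserver",
        "severity": severity,
        "dll": dll,
        "parent": event.get("parent", ""),
    }


def hunt(events: Iterable[dict]) -> list:
    """Run analyze() over a stream of events and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Users\Public\handler.dll /RunHandlerComServer',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider "C:\Program Files\ExampleVendor\UpdateHandler.dll" /RunHandlerComServer',
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /detectnow',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": "WUAUCLT.EXE",
     "cmdline": r"WUAUCLT.EXE /updatedeploymentprovider c:\windows\temp\x.dll /runhandlercomserver",
     "parent": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the first and last sample events produce findings: the second is suppressed by the allowlist, the third lacks the handler switches, and the fourth is a different binary. Matching on the image name alone is deliberately not enough; both switches must be present, which is what keeps ordinary Windows Update activity out of the alert queue.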