Security researcher David Middlehurst (@dtmsecurity) posted a blog post yesterday briefly detailing a method that attackers could use to evade detection by abusing the Windows Update client to run arbitrary DLLs on the system. Invoking the client with the “/UpdateDeploymentProvider” command line argument, followed by the file path of a malicious DLL and then the “/RunHandlerComServer” argument, results in code execution through Windows Update. After his discovery, Middlehurst also found a sample in the wild taking advantage of this functionality. Although the original post does not provide a lot of detail, a second, more detailed blog post will eventually be shared through @MDSecLabs.
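As an added example (not from the original post, Binary Defense, or MDSec), a small detector for this pattern run over constructed process-creation records: it flags the Windows Update client binary, wuauclt.exe, when it is launched with both “/UpdateDeploymentProvider” and “/RunHandlerComServer”, and treats a provider DLL outside the Windows directory or an unusual parent process as the strongest signals. The record fields, paths and DLL names below are constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation records using Sysmon-like field names; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider "C:\Users\Public\payload.dll" /RunHandlerComServer'},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\example_provider.dll /RunHandlerComServer"},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wuauclt.exe /detectnow"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe /UpdateDeploymentProvider x.dll /RunHandlerComServer"},
]

@dataclass
class Finding:
    severity: str   # "high" or "medium"
    dll_path: str
    reason: str

def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding when wuauclt.exe is told to load a DLL through the handler COM server, else None."""
    if not event.get("Image", "").lower().endswith("\\wuauclt.exe"):
        return None
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped per token.
    tokens = [t.strip('"') for t in shlex.split(event.get("CommandLine", ""), posix=False)]
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered or "/runhandlercomserver" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    dll = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    reasons = []
    # A provider DLL outside the Windows directory (or a relative path) is the strongest signal.
    if not re.match(r"^[a-z]:\\windows\\", dll.lower()):
        reasons.append("provider DLL outside Windows directory")
    # The update client is normally started by the service host, not by an interactive shell.
    if not event.get("ParentImage", "").lower().endswith("\\svchost.exe"):
        reasons.append("unexpected parent process")
    severity = "high" if reasons else "medium"
    reason = "; ".join(reasons) or "handler COM server invoked with a system-path DLL"
    return Finding(severity, dll, reason)

def scan(events: list) -> list:
    """Run analyze_event over a batch of records and keep only the hits."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.dll_path}: {finding.reason}")
```

Even the "medium" case deserves review, since the handler COM server invocation itself is rare outside normal update activity; tune the parent-process check to what your environment actually shows.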
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.