URL: https://dtm.uk/wuauclt/


Code execution via the Windows Update client (wuauclt)



DTM

12 Oct 2020 • 2 min read

It's been a few months since my last post about uploading and downloading data
with certreq.exe as a potential alternative to certutil.exe in LOLBIN land. I've
been having a blast starting my new role in the MDSec ActiveBreach team.

Today I wanted to share something a little more juicy. Enter the 'WSUS Useful
Client', as they describe here. The Windows Update client (wuauclt.exe) is a bit
elusive, with only a small number of Microsoft articles about it [1] [2], and
these articles do not seem to document all of the available command line options.

This binary lives here:

C:\Windows\System32\wuauclt.exe

I discovered that you can gain code execution by specifying an arbitrary DLL
with the following command line options on the test Windows 10 systems I tried
(when I get a chance I will share further details of the methodology I used to
find this in a blog post at @MDSecLabs):

wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
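As an added defensive example (my own code, not from the post, MDSec or the LOLBAS project): a small Python heuristic run over constructed Sysmon-style process-creation records that flags wuauclt.exe invocations whose /UpdateDeploymentProvider argument points at a DLL outside the Windows directory. The sample events, the DLL names, the "expected" system root of C:\Windows and the list of script-host parent processes are all assumptions made here for illustration, not telemetry or rules from the post.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1-style records (not real telemetry). Field
# names follow Sysmon's CommandLine / Image / ParentImage conventions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\payload.dll /RunHandlerComServer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider "C:\Users\alice\My Docs\h.dll" /RunHandlerComServer',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\legit_handler.dll /RunHandlerComServer",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /detectnow",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\payload.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption: legitimate provider DLLs live under the Windows directory.
SYSTEM_ROOT = r"C:\Windows"

# Assumption: parents from which a Windows Update client launch is unusual.
SCRIPT_HOST_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    dll: str
    reasons: list
    command_line: str


def split_command_line(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (paths with spaces) together and stripping the quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def extract_provider_dll(cmd: str):
    """Return the argument following /UpdateDeploymentProvider, or None."""
    tokens = split_command_line(cmd)
    for i, tok in enumerate(tokens):
        if tok.lower() == "/updatedeploymentprovider" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def is_under_system_root(path: str, system_root: str = SYSTEM_ROOT) -> bool:
    """Case-insensitive check that `path` is located below `system_root`."""
    try:
        PureWindowsPath(path.lower()).relative_to(PureWindowsPath(system_root.lower()))
        return True
    except ValueError:
        return False


def analyze_event(event: dict):
    """Flag a wuauclt.exe launch whose provider DLL sits outside the Windows
    directory; extra context (COM server flag, script-host parent) is added
    to the reasons list to help an analyst triage."""
    if PureWindowsPath(event["Image"]).name.lower() != "wuauclt.exe":
        return None
    cmd = event["CommandLine"]
    dll = extract_provider_dll(cmd)
    if dll is None or is_under_system_root(dll):
        return None  # no provider DLL, or one in the expected location
    reasons = ["provider DLL outside the Windows directory"]
    if re.search(r"/runhandlercomserver", cmd, re.IGNORECASE):
        reasons.append("/RunHandlerComServer present")
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"spawned from script host {parent}")
    return Finding(dll=dll, reasons=reasons, command_line=cmd)


def scan(events: list) -> list:
    """Run the heuristic over a batch of process-creation events."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.dll}: {', '.join(finding.reasons)}")
```

The heuristic deliberately ignores launches whose DLL lives under the system root, so its false-positive rate depends on that assumption holding in your environment; if the path check is too permissive for your fleet, tighten `SYSTEM_ROOT` or add a signed-image check from your EDR's file metadata.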

There's some fantastic work already in the community for raising the awareness
of LOLBINs and for sharing new candidates and their capabilities with the
excellent LOLBAS project. I have made the following pull request to this
project:

Create Wuauclt.yml by dtmsecurity · Pull Request #99 · LOLBAS-Project/LOLBAS

After discovering this LOLBIN independently some brief searching highlighted a
sample on Joe Sandbox leveraging it in the wild:

Automated Malware Analysis Report for - Generated by Joe Sandbox


Finally, come and hang out at the RedTeamSec Discord here. It's been great to
see this community grow over the past few months, with some great content being
shared.

