We reported in September that Windows Defender has added the ability to download files via the command line using the app, e.g.

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

… which could be used to download an abitrary binary from the internet.

While not an exploit in itself, the feature allows a script which can launch the command line to import further files from the internet using native so-called living-off-the-land binaries or LOLBINs.

Now a similar feature has been discovered in Windows Update which lets hackers execute malicious files.

Bleeping Computer reports that MDSec researcher David Middlehurst has discovered that wuauclt can also be used by attackers to execute malicious code on Windows 10 systems by loading it from an arbitrary specially crafted DLL with the following command-line options:

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

The trick bypasses Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and can be used to gain persistence on already compromised systems.

After making the discovery, he also discovered hackers had been first, as he found a sample using it in trick in the wild.

In response to the earlier report, Microsoft removed the capability to download files from MpCmdRun.exe. It remains to be seen how Microsoft will respond to the latest revelation.

Read more detail at Bleepingcomputer here.

Comments