No writeup available at this time. For now, please check out the following tweet for more context on this finding.
Related Articles
Other threads in the archive worth reading next.
Living off the Land
Living off the Land - DISM Sandbox Provider Hijack
A look at how DISM's sandbox path can be combined with the provider loader to redirect provider DLL loading from a copied DISM directory.
Living off the Land
Living off the Land - Curl - Percent Encoded URLs
Exploring the curl utility's ability to accept percent-encoded URLs and its implications for security and detection.
Living off the Land
Living off the Land - AgentExecutor
Detailed analysis of the AgentExecutor binary, its execution paths, and how it can be leveraged for code execution. Based on version 1.80.133.0 and Microsoft.Management.Clients.IntuneManagementExtension.WinGetLibrary.dll version 1.79.160.0.