The DuCsps.dll<\/em> imports 2 APIs from UpdateAPI.dll<\/em>: <\/p>\n\n\n\n The problem is that there is no UpdateAPI.dll.<\/em> It may be present in other versions of Windows, but it’s not present in 22H2 (note: I have not tested all the subversions, so YMMV).<\/p>\n\n\n\n tssrvlic.dll<\/strong> on Windows 11 Pro 22H2<\/p>\n\n\n\n The same goes for tssrvlic.dll<\/em> that imports 3 APIs from a non-existing TlsBrand.dll<\/em>:<\/p>\n\n\n\n They both create a lolbin opportunity via a missing phantom DLL, and an attacker can simply bring in their versions of malicious UpdateAPI.dll<\/em> or TlsBrand.dll<\/em>, and then run (from the same directory where these payloads are located) the following rundll32 commands:<\/p>\n\n\n\n where foo<\/em> and bar<\/em> can be anything.<\/p>\n\n\n\n See below:<\/p>\n\n\n\n This may be a new, kinda ephemereal addition to the lolbin world (not sure if anyone covered it before). Windows 11 comes with a large number of DLLs – some of which are broken. DuCsps.dll on Windows 11 Pro 22H2 … Continue reading \n
\n
rundll32 DuCsps.dll, foo\n\nrundll32 tssrvlic.dll, bar<\/pre>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/09\/rundll32_phantomdll.gif\")
<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"