Monday, October 19, 17:23

Windows Update: Used to execute malicious code


The Windows Update client can be used by cybercriminals to execute malicious code on Windows systems. As experts point out, Windows Update has now been added to the list of LoLBins (living-off-the-land binaries).

LoLBins are Microsoft-signed executables (preinstalled or downloaded) that attackers can use to avoid detection (for example, when downloading payloads) and to install or execute malicious code.

Criminals can also use them to bypass Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and to maintain persistence on systems that have already been compromised.

Malicious code execution with malicious DLLs

The WSUS / Windows Update client (wuauclt) is a utility located in %windir%\system32\ that gives users control over some Windows Update Agent functions from the command line.

It allows users to check for new updates and install them without using the Windows UI; they can do this from a Command Prompt window.

However, MDSec researcher David Middlehurst found that wuauclt can be used by attackers to execute malicious code on systems running Windows 10 by loading it from a specially crafted DLL:

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

As shown in the screenshot above, Full_Path_To_DLL (the [path_to_dll] placeholder) is simply the path to the custom DLL whose code would be executed.

According to MITRE ATT&CK, this defense evasion technique belongs to the category Signed Binary Proxy Execution via Rundll32 and allows intruders to bypass antivirus software, application control, and digital certificate validation.

According to Bleepingcomputer, in this case it is done by executing malicious code from a DLL loaded by a Microsoft-signed binary, the Windows Update client (wuauclt).
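From the defender's side, the command line above is a simple thing to hunt for in process-creation telemetry. The following is an added example (not code from the article, MDSec or Bleepingcomputer): a small Python filter that flags wuauclt invocations using /UpdateDeploymentProvider together with /RunHandlerComServer and rates them by where the handler DLL lives. The sample events and the "trusted directory" baseline are constructed assumptions.

```python
import shlex

# Constructed Sysmon-style process-creation records for testing (not from the article).
SAMPLE_EVENTS = [
    {"CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\alice\AppData\Local\Temp\upd.dll" /RunHandlerComServer'},
    {"CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer"},
    {"CommandLine": r"wuauclt.exe /detectnow"},
    {"CommandLine": r"cmd.exe /c wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\x.dll /RunHandlerComServer"},
]

# Assumed baseline: directories where a handler DLL loaded by wuauclt would normally live.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes and
    keeping backslashes literal (posix=False); surrounding quotes are dropped."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    return [tok.strip('"') for tok in tokens]


def extract_handler_dll(cmdline):
    """Return the path given to /UpdateDeploymentProvider, or None if absent."""
    tokens = split_windows_cmdline(cmdline)
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    return tokens[idx + 1] if idx + 1 < len(tokens) else None


def classify_event(event):
    """Return 'high' for a wuauclt handler load from an untrusted path,
    'low' when the DLL sits in a trusted system directory, None otherwise."""
    cmd = event["CommandLine"]
    low = cmd.lower()
    if "wuauclt" not in low or "/runhandlercomserver" not in low:
        return None
    dll = extract_handler_dll(cmd)
    if dll is None:
        return None
    return "low" if dll.lower().startswith(TRUSTED_DLL_DIRS) else "high"


def scan(events):
    """Return (command line, severity) for every event that matches the technique."""
    hits = []
    for event in events:
        severity = classify_event(event)
        if severity:
            hits.append((event["CommandLine"], severity))
    return hits
```

Even a "low" hit deserves a look, since legitimate use of this switch pair is rare; an unquoted DLL path containing spaces would be truncated at the first space by this tokenizer.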

After discovering that wuauclt could be used as a LoLBin, Middlehurst found a sample that was already using it in the wild.

Microsoft recently updated Microsoft Defender on Windows 10, adding a way to download (potentially malicious) files to Windows devices.

Microsoft later removed this feature from MpCmdRun.exe (the Microsoft Antimalware Service Command Line Utility).
