The Windows Update client can be abused by cybercriminals to execute malicious code on Windows systems. As experts report, the Windows Update client has been added to the list of LoLBins (living-off-the-land binaries).
LoLBins are Microsoft-signed executables (preinstalled or downloaded) that attackers can use to avoid detection (when downloading payloads) and to install or execute malicious code.
Attackers can also use them to bypass Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and to maintain persistence on systems that have already been compromised.
Malicious code execution with malicious DLLs
The WSUS / Windows Update client (wuauclt) is a utility located in %windir%\system32\ that gives users some command-line control over certain Windows Update Agent functions.
It allows users to check for new updates and install them without going through the Windows UI; they can do this from a Command Prompt window.
However, MDSec researcher David Middlehurst found that wuauclt could be used by attackers to execute malicious code on systems running Windows 10 by loading it from a specially crafted DLL:
wuauclt.exe /UpdateDeploymentProvider [Full_Path_To_DLL] /RunHandlerComServer
As shown in the screenshot above, Full_Path_To_DLL is the full path to the custom DLL file whose code would be executed.
According to MITRE ATT&CK, this defense evasion technique belongs to the category Signed Binary Proxy Execution via Rundll32 and allows intruders to bypass antivirus, application control, and digital certificate validation.
According to BleepingComputer, in this case it is done by executing malicious code from a DLL loaded by a Microsoft-signed binary, the Windows Update client (wuauclt).
After discovering that wuauclt could be used as a LoLBin, Middlehurst found a sample that was already using the technique in the wild.
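As an added defensive example, not code from the original article, MDSec or Microsoft, the following Python flags process-creation events that match the wuauclt pattern described above (the /UpdateDeploymentProvider and /RunHandlerComServer switches together) and rates a DLL path outside System32 or a shell parent as the strong signal; the Sysmon-style field names and the sample events are constructed assumptions.

```python
import shlex

# Constructed sample process-creation events with Sysmon-style field names
# (Image, CommandLine, ParentImage); an assumed format, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\Public\evil.dll" /RunHandlerComServer',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": "wuauclt.exe /detectnow /updatenow",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\UpdateDeploymentProvider.dll /RunHandlerComServer",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

SYSTEM32 = "c:\\windows\\system32\\"
SHELL_PARENTS = ("\\cmd.exe", "\\powershell.exe")


def check_wuauclt_event(event):
    """Return a finding dict when wuauclt.exe is invoked with the
    /UpdateDeploymentProvider <dll> /RunHandlerComServer pattern, else None."""
    if not event["Image"].lower().endswith("\\wuauclt.exe"):
        return None
    # posix=False keeps Windows backslashes intact; quotes are stripped afterwards
    tokens = [t.strip('"') for t in shlex.split(event["CommandLine"], posix=False)]
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered or "/runhandlercomserver" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    dll = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    outside = not dll.lower().startswith(SYSTEM32)
    shell_parent = event["ParentImage"].lower().endswith(SHELL_PARENTS)
    return {
        "dll": dll,
        "dll_outside_system32": outside,
        "parent": event["ParentImage"],
        # a DLL outside System32 or a shell parent is the strong signal; otherwise just log it
        "severity": "high" if outside or shell_parent else "info",
    }


def scan_events(events):
    """Run the check over a list of events and return the findings in order."""
    return [f for f in (check_wuauclt_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```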
Microsoft recently updated Microsoft Defender on Windows 10, adding a way to download (potentially malicious) files to Windows devices.
Microsoft later removed this feature from MpCmdRun.exe (the Microsoft Antimalware Service Command Line Utility).