Windows Update can be abused to execute malicious programs
Feb 4, 2016
The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems.
LoLBins are Microsoft-signed executables (pre-installed or downloaded) that can be abused by threat actors to evade detection while downloading, installing, or executing malicious code.

They can also be used by attackers in their efforts to bypass Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and to gain persistence on already compromised systems.

Malicious code execution using malicious DLLs

The WSUS / Windows Update client (wuauclt) is a utility located at %windir%\system32\ that gives users partial command-line control over the Windows Update Agent's functionality.
It can check for new updates and install them without going through the Windows user interface, with the actions triggered from a Command Prompt window instead.
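As an added example that is not from the article, the following Python triage script turns the two facts above into a detection check: wuauclt.exe is expected to run from %windir%\system32, and a legitimate update run has no reason to reference a DLL outside the Windows directory. It runs over constructed, Sysmon-style process-creation records (Image|CommandLine|ParentImage), assumes C:\Windows as %windir%, and the command-line switches in the samples are placeholders rather than the real abuse syntax.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events, not real telemetry.
# Format: Image|CommandLine|ParentImage. Switches are placeholders.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wuauclt.exe|wuauclt.exe /detectnow|C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wuauclt.exe|wuauclt.exe /updatenow|C:\Windows\System32\svchost.exe",
    # Constructed: DLL under the Windows directory, should pass the allow-list.
    r"C:\Windows\System32\wuauclt.exe|wuauclt.exe /someflag C:\Windows\System32\example.dll|C:\Windows\System32\svchost.exe",
    # Constructed: legitimate binary, but pointed at a user-writable DLL path.
    r"C:\Windows\System32\wuauclt.exe|wuauclt.exe /someflag C:\Users\Public\payload.dll /other|C:\Windows\System32\cmd.exe",
    # Constructed: a binary named wuauclt.exe running from the wrong location.
    r"C:\Users\Public\wuauclt.exe|wuauclt.exe /detectnow|C:\Windows\explorer.exe",
]

# Assumption: %windir% is C:\Windows on the monitored hosts.
WINDIR = "c:\\windows\\"
SYSTEM32 = WINDIR + "system32\\"
# Matches an absolute Windows path ending in .dll, optionally quoted.
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^"\s]+?\.dll)"?', re.IGNORECASE)


def parse_event(line):
    """Split one pipe-delimited record into its three fields."""
    image, cmdline, parent = line.split("|", 2)
    return {"image": image, "cmdline": cmdline, "parent": parent}


def find_reasons(event):
    """Return a list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    image = event["image"].lower()
    if PureWindowsPath(image).name != "wuauclt.exe":
        return reasons  # only wuauclt.exe launches are in scope here
    if not image.startswith(SYSTEM32):
        reasons.append("wuauclt.exe running outside %windir%\\System32 (possible masquerade)")
    for dll in DLL_RE.findall(event["cmdline"]):
        if not dll.lower().startswith(WINDIR):
            reasons.append(f"command line references a DLL outside %windir%: {dll}")
    return reasons


def triage(lines):
    """Return (image, reasons) for every record that raised at least one reason."""
    hits = []
    for event in map(parse_event, lines):
        reasons = find_reasons(event)
        if reasons:
            hits.append((event["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```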