Attackers can use Windows Update client to execute malicious code

Malicious Windows Update client

Hackers can exploit the Windows Update client to execute malicious code on a system as part of a Living off the Land (LotL) technique.

The Windows Server Update Services (WSUS)/Windows Update Client (wuauclt) is a utility located in %windir%\system32\ that gives users partial command line control over some of the Windows Update Agent functionality.

It allows checking for new updates and installing them without using the Windows user interface.

The /ResetAuthorization parameter allows initiating manual update checks, either against a locally configured WSUS server or through Windows Update.

However, researcher David Middlehurst of MDSec discovered that attackers can also use wuauclt to execute malicious code on Windows 10 systems.

“Today I wanted to share something a little more juicy. The Windows Update client (wuauclt.exe) is a bit elusive with only a small number of Microsoft articles about it and these articles do not seem to document all of the available command line options”, writes David Middlehurst.

The researcher discovered that cybercriminals could abuse wuauclt to load an arbitrary, specially crafted DLL using the following command line parameters:

  • wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

The MITRE ATT&CK knowledge base classifies this bypass method as “Executing a signed binary proxy through Rundll32”, which allows attackers to bypass anti-virus protection, application control, and digital certificate verification.
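A simple detection check for the command line described above, written as an added example for this article (it is not code from MDSec or Microsoft). It assumes Sysmon-style process-creation records with Image and CommandLine fields, and the trusted-path baseline (DLLs under %windir%\System32 rated lower risk) is an assumption of the example:

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (not from any real host).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wuauclt.exe CommandLine="wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\handler.dll /RunHandlerComServer"',
    r'Image=C:\Windows\System32\wuauclt.exe CommandLine="wuauclt.exe /ResetAuthorization /DetectNow"',
    r'Image=C:\Windows\System32\wuauclt.exe CommandLine="wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\example.dll /RunHandlerComServer"',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Temp\notes.txt"',
]

# Assumed baseline: handler DLLs under %windir%\System32 are rated lower risk.
TRUSTED_DLL_PREFIX = "c:\\windows\\system32\\"


def parse_event(line: str):
    """Pull the Image and CommandLine fields out of one key=value record."""
    img = re.search(r"Image=(\S+)", line)
    cmd = re.search(r'CommandLine="([^"]*)"', line)
    return (img.group(1), cmd.group(1)) if img and cmd else None


def analyze_command(image: str, cmdline: str):
    """Return a finding when wuauclt.exe is told to load a deployment-provider DLL."""
    if ntpath.basename(image).lower() != "wuauclt.exe":
        return None
    # Tokenize the command line, keeping quoted arguments (paths with spaces) intact.
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)]
    lowered = [a.lower() for a in args]
    if "/updatedeploymentprovider" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    nxt = args[idx + 1] if idx + 1 < len(args) else ""
    dll = "" if nxt.startswith("/") else nxt
    trusted = ntpath.normpath(dll).lower().startswith(TRUSTED_DLL_PREFIX)
    run_handler = "/runhandlercomserver" in lowered
    # A DLL outside the trusted location combined with /RunHandlerComServer is the
    # pattern the article describes, so it gets the highest severity.
    severity = "high" if run_handler and not trusted else "medium"
    return {"image": image, "dll": dll, "run_handler": run_handler, "severity": severity}


def scan_log(lines):
    """Run the check over a list of log records and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        finding = analyze_command(*parsed) if parsed else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] wuauclt.exe loading {f['dll']!r} (RunHandlerComServer={f['run_handler']})")
```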

The security researcher also found a sample on Joe Sandbox that used this technique in real-world attacks.

“After discovering this LOLBIN independently some brief searching highlighted a sample on Joe Sandbox leveraging it in the wild”, reported David Middlehurst.

LOLBins are Microsoft-signed executables (pre-installed or downloadable) that attackers can use to evade detection when downloading, installing or executing malicious code.

Hackers may also use them to bypass User Account Control (UAC) and Windows Defender Application Control (WDAC), or to maintain persistence on a compromised system.

Recall that Windows EFS can also help ransomware and make the work of antivirus software more difficult.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
