{"id":4419,"date":"2020-10-13T16:42:51","date_gmt":"2020-10-13T16:42:51","guid":{"rendered":"https:\/\/blog.gridinsoft.com\/?p=4419"},"modified":"2020-10-13T16:42:51","modified_gmt":"2020-10-13T16:42:51","slug":"attackers-can-use-windows-update-client-to-execute-malicious-code","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/attackers-can-use-windows-update-client-to-execute-malicious-code\/","title":{"rendered":"Attackers can use Windows Update client to execute malicious code"},"content":{"rendered":"<h4>Hackers can abuse the Windows Update client to execute malicious code on a system as part of the Living off the Land (LotL) technique.<\/h4>\n<p>The Windows Server Update Services (WSUS)\/Windows Update Client (wuauclt) is a utility located in %windir%\\system32\\ that gives users partial command line control over some of the Windows Update Agent functionality.<\/p>\n<p>It allows checking for new updates and installing them without using the Windows user interface.<\/p>\n<p>The \/ResetAuthorization parameter initiates a manual update check, either against a locally configured WSUS server or through Windows Update.<\/p>\n<p>However, researcher <strong>David Middlehurst<\/strong> of MDSec <a href=\"https:\/\/dtm.uk\/wuauclt\/\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">discovered<\/a> that attackers can also use wuauclt to execute malicious code on Windows 10 systems.<\/p>\n<blockquote><p>\u201cToday I wanted to share something a little more juicy. The Windows Update client (wuauclt.exe) is a bit elusive with only a small number of Microsoft articles about it, and these articles do not seem to document all of the available command line options\u201d, wrote David Middlehurst.<\/p><\/blockquote>\n<p>The researcher found that wuauclt can be made to load an arbitrary, specially crafted DLL when launched with the following command line parameters:<\/p>\n<ul>\n<li><code>wuauclt.exe \/UpdateDeploymentProvider [path_to_dll] \/RunHandlerComServer<\/code><\/li>\n<\/ul>\n<p>The MITRE ATT&#038;CK knowledge base classifies this bypass method as &#8220;Executing a signed binary proxy through Rundll32&#8221;: because the code runs inside a Microsoft-signed binary, it can slip past anti-virus protection, application control, and digital certificate verification.<\/p>\n<p>The researcher also found a sample on Joe Sandbox that uses this technique in real-world attacks.<\/p>\n<blockquote><p>\u201cAfter discovering this LOLBIN independently some brief searching highlighted a sample on Joe Sandbox leveraging it in the wild\u201d, reported David Middlehurst.<\/p><\/blockquote>\n<p>LoLBins are Microsoft-signed executables (pre-installed or downloaded) that attackers can use to evade detection when downloading, installing or executing malicious code.<\/p>\n<p>Hackers may also use them to bypass User Account Control (UAC) or Windows Defender Application Control (WDAC), or to establish persistence on a compromised system.<\/p>\n<p>Let me remind you that <a href=\"\/blogs\/windows-efs-can-help-encryptors-and-make-work-of-antiviruses-more-difficult\/\">Windows EFS can also help encryptors and make the work of antiviruses more difficult<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers can abuse the Windows Update client to execute malicious code on a system as part of the Living off the Land (LotL) technique. 
The Windows Server Update Services (WSUS)\/Windows Update Client (wuauclt) is a utility located in %windir%\\system32\\ that gives users partial command line control over some of the Windows Update Agent functionality. It allows [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":4421,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[94],"class_list":{"0":"post-4419","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-microsoft"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2020\/10\/msbug.jpg","author_info":{"display_name":"Vladimir Krasnogolovy","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/krasnogolovy\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/4419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=4419"}],"version-history":[{"count":0,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/4419\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/4421"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=4419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=4419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=4419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}