Attackers abuse Windows Update to execute malicious programs

The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) that attackers can use with the purpose of executing malicious code on Windows systems, while avoiding detection while downloading, installing, or executing malicious code. According to Microsoft, using the /ResetAuthorization option allows initiating a manual update check either on the locally configured WSUS server or via the Windows Update service, but it can also be used by attackers to execute malicious code by loading it from the specific DLL with certain command options. Read more...