Windows Update can be abused to execute malicious programs
2020-10-12 18:02

The Windows Update client has just been added to the list of living-off-the-land binaries attackers can use to execute malicious code on Windows systems.

The WSUS / Windows Update client is a utility located at %windir%\system32\ that gives users partial control over some of the Windows Update Agent's functionality from the command line.

According to Microsoft, the /ResetAuthorization option initiates a manual update check, either against the locally configured WSUS server or via the Windows Update service.

In this case, the abuse works by executing malicious code from a DLL loaded by a Microsoft-signed binary, the Windows Update client.

Microsoft recently updated the Windows 10 Microsoft Defender antivirus solution, ironically and quietly adding a way to download files onto Windows devices.


News URL

https://www.bleepingcomputer.com/news/security/windows-update-can-be-abused-to-execute-malicious-programs/