The Windows Update client has been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems. LoLBins are Microsoft-signed executables (pre-installed or downloaded) that can be abused by threat actors to evade detection while downloading, installing, or executing malicious code. They can also be used by attackers in their efforts to bypass Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and gain persistence on already compromised systems.
Source: https://www.bleepingcomputer.com/news/security/windows-update-can-be-abused-to-execute-malicious-programs/