HackTool - SharpWSUS/WSUSpendu Execution

Detects the execution of SharpWSUS or WSUSpendu, two utilities that abuse Windows Server Update Services (WSUS) for lateral movement. WSUS is the component through which Windows clients receive updates, and it is frequently deployed so that the WSUS server can reach every client across internal network segments that otherwise block direct access; an attacker who controls the WSUS server can therefore publish and approve an attacker-supplied update and have it delivered to those clients, circumventing internal network restrictions. The rule keys on the command-line syntax of the two tools: WSUSpendu's `-Inject` switch combined with `-PayloadFile`/`-PayloadArgs`, and SharpWSUS's `approve`/`create`/`check`/`delete` verbs combined with `/payload` or `/updateid` flags.

Sigma rule (View on GitHub)

title: HackTool - SharpWSUS/WSUSpendu Execution
id: b0ce780f-10bd-496d-9067-066d23dc3aa5
status: experimental
description: |
    Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
    Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
references:
    - https://labs.nettitude.com/blog/introducing-sharpwsus/
    - https://github.com/nettitude/SharpWSUS
    - https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
author: '@Kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-10-07
modified: 2024-08-23
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1210
logsource:
    product: windows
    category: process_creation
detection:
    selection_wsuspendu_inject:
        CommandLine|contains: ' -Inject '
    selection_wsuspendu_payload:
        CommandLine|contains:
            - ' -PayloadArgs '
            - ' -PayloadFile '
    selection_sharpwsus_commands:
        CommandLine|contains:
            - ' approve '
            - ' create '
            - ' check '
            - ' delete '
    selection_sharpwsus_flags:
        CommandLine|contains:
            - ' /payload:'
            - ' /payload='
            - ' /updateid:'
            - ' /updateid='
    condition: all of selection_wsuspendu_* or all of selection_sharpwsus_*
falsepositives:
    - Unknown
level: high
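To see exactly what the condition above does and does not catch, the following is an added example (not part of the Sigma project or of either tool) that re-implements the rule's four selections and its `all of ... or all of ...` condition in Python and runs them over a handful of constructed process_creation CommandLine values. Sigma's `contains` modifier is case-insensitive, so both sides are lower-cased. The sample command lines, the placeholder update ID, and the `Updater.exe` false-positive candidate are made up for illustration.

```python
"""Added example: evaluate the SharpWSUS/WSUSpendu Sigma rule over constructed
process_creation events. Not part of the Sigma project; all events are made up."""

# Needles copied from the rule, lower-cased because Sigma 'contains' matching
# is case-insensitive. Note the leading/trailing spaces: they are part of the
# pattern, which is why a bare trailing "create" does not match.
RULE = {
    "selection_wsuspendu_inject": [" -inject "],
    "selection_wsuspendu_payload": [" -payloadargs ", " -payloadfile "],
    "selection_sharpwsus_commands": [" approve ", " create ", " check ", " delete "],
    "selection_sharpwsus_flags": [" /payload:", " /payload=", " /updateid:", " /updateid="],
}


def selection_hits(command_line):
    """Return {selection_name: bool} for one CommandLine value."""
    cl = command_line.lower()
    return {name: any(needle in cl for needle in needles) for name, needles in RULE.items()}


def matches(command_line):
    """condition: all of selection_wsuspendu_* or all of selection_sharpwsus_*"""
    hits = selection_hits(command_line)
    wsuspendu = hits["selection_wsuspendu_inject"] and hits["selection_wsuspendu_payload"]
    sharpwsus = hits["selection_sharpwsus_commands"] and hits["selection_sharpwsus_flags"]
    return wsuspendu or sharpwsus


# Constructed sample events (name, CommandLine). The GUID is a placeholder.
SAMPLE_EVENTS = [
    ("sharpwsus-create",
     r'SharpWSUS.exe create /payload:"C:\Tools\PsExec64.exe" '
     r'/args:"-accepteula -s -d cmd.exe /c whoami" /title:"Great Update"'),
    ("sharpwsus-approve",
     "SharpWSUS.exe approve /updateid:00000000-0000-0000-0000-000000000001 "
     "/computername:host.example.local /groupname:Staging"),
    ("wsuspendu",
     r'powershell.exe -ep bypass -File C:\tmp\WSUSpendu.ps1 -Inject '
     r'-PayloadFile C:\tmp\PsExec64.exe -PayloadArgs "-accepteula -s -d cmd.exe /c whoami"'),
    # Recon-only SharpWSUS verbs carry no /payload or /updateid flag, so the
    # rule as written does not fire on them.
    ("sharpwsus-inspect", "SharpWSUS.exe inspect"),
    ("benign-git", "git.exe checkout -b create-feature"),
    # Hypothetical in-house tool whose syntax happens to collide with the
    # SharpWSUS selections: this is the kind of false positive to expect.
    ("fp-candidate", "Updater.exe check /updateid=42"),
]


def evaluate(events):
    """Run the rule over (name, CommandLine) pairs; return {name: matched}."""
    return {name: matches(cl) for name, cl in events}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if hit else 'ok    '} {name}")
```

Two things worth noting from the run: the `check /updateid=` collision shows why `falsepositives: Unknown` deserves tuning against your own fleet (pair the rule with `Image`/`OriginalFileName` or parent-process context if it proves noisy), and the SharpWSUS `inspect`/`locate` style recon verbs are outside the rule's scope, so a separate detection is needed if you want to catch enumeration before the malicious update is created.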
