Abuse of the Windows Server Update Services (WSUS) for lateral movement.

Windows Server Update Services (WSUS) is a critical component of Windows environments and is frequently configured in a way that allows an attacker to circumvent internal network restrictions. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two tools, matching on the command-line arguments they use.

Sigma rule

```yaml
title: Abuse of the Windows Server Update Services (WSUS) for lateral movement.
id: b0ce780f-10bd-496d-9067-066d23dc3aa5
status: Experimental
description: Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two main tools used for that purpose.
author: '@Kostastsale'
references:
  - https://labs.nettitude.com/blog/introducing-sharpwsus/
  - https://github.com/nettitude/SharpWSUS
  - https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
date: 2022/10/07
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    CommandLine|contains:
      - ' /payload:'
      - ' -PayloadArgs '
      - ' /updateid:'
      - ' -PayloadFile '
  selection2:
    CommandLine|contains:
      - ' create '
      - ' check '
      - ' delete '
      - '-Inject'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.T1210
```
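To see what the two selections actually do, the following added example (not part of the rule or of either tool's code) re-implements the rule's `CommandLine|contains` logic in Python and runs it over constructed process_creation command lines. The SharpWSUS and WSUSpendu argument names follow the tools' documented usage; every path, update id, host name and payload argument is invented for the example, and `sc.exe` / `schtasks.exe` lines are included as benign look-alikes.

```python
"""Emulate the WSUS lateral-movement Sigma rule above on constructed events.
Added example for this page; it is not the rule author's or the tools' code."""
from __future__ import annotations

# Substrings copied from the rule's two selections (CommandLine|contains).
SELECTION1 = [' /payload:', ' -PayloadArgs ', ' /updateid:', ' -PayloadFile ']
SELECTION2 = [' create ', ' check ', ' delete ', '-Inject']


def sigma_contains(value: str, needles: list[str]) -> bool:
    # Sigma string matching is case-insensitive by default, so the
    # 'contains' modifier is emulated as a case-folded substring test.
    folded = value.lower()
    return any(n.lower() in folded for n in needles)


def rule_matches(command_line: str) -> bool:
    # condition: selection1 and selection2
    return (sigma_contains(command_line, SELECTION1)
            and sigma_contains(command_line, SELECTION2))


# Constructed sample command lines (hypothetical paths, ids, hosts and args).
SAMPLE_EVENTS = {
    "sharpwsus_create": r'SharpWSUS.exe create /payload:"C:\Temp\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c whoami" /title:"Security Update"',
    "sharpwsus_approve": r'SharpWSUS.exe approve /updateid:5f7b3a2c-1111-2222-3333-444455556666 /computername:ws01.corp.local /groupname:"Staging"',
    "sharpwsus_check": r'SharpWSUS.exe check /updateid:5f7b3a2c-1111-2222-3333-444455556666 /computername:ws01.corp.local',
    "wsuspendu_inject": r'powershell.exe -ExecutionPolicy Bypass -File C:\Temp\WSUSpendu.ps1 -Inject -PayloadFile C:\Temp\PsExec64.exe -PayloadArgs "-accepteula -s cmd.exe /c whoami"',
    # Same SharpWSUS arguments under a renamed binary: the rule keys on the
    # command line, not on the image name, so this still fires.
    "renamed_binary": r'C:\Users\Public\update.exe create /payload:"C:\Users\Public\p.exe" /args:"/q"',
    # Benign lines that hit the generic ' create ' / '/create' words but not selection1.
    "benign_sc_create": r'sc.exe create BackupSvc binPath= "C:\Program Files\Backup\svc.exe"',
    "benign_schtasks": r'schtasks.exe /create /tn Cleanup /tr C:\Scripts\cleanup.cmd /sc daily',
}


def evaluate(events: dict[str, str]) -> dict[str, bool]:
    """Return, per event label, whether the rule would fire on that command line."""
    return {label: rule_matches(cl) for label, cl in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

Two things the run makes visible. The `and` in the condition is what keeps `sc.exe create` and `schtasks /create` quiet: selection2 on its own is far too generic, and only the tool-specific argument names in selection1 make the rule high confidence. Conversely, a SharpWSUS invocation whose verb is not one of `create`, `check` or `delete` (the constructed `approve` line) satisfies selection1 but not selection2, so the rule stays silent on that step; anyone tuning this rule for their own telemetry should decide whether that gap matters to them.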
