Abuse of the Windows Server Update Services (WSUS) for lateral movement.
Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two main tools used for that purpose.
Sigma rule
```yaml
title: Abuse of the Windows Server Update Services (WSUS) for lateral movement.
id: b0ce780f-10bd-496d-9067-066d23dc3aa5
status: experimental
description: Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two main tools used for that purpose.
author: '@Kostastsale'
references:
  - https://labs.nettitude.com/blog/introducing-sharpwsus/
  - https://github.com/nettitude/SharpWSUS
  - https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
date: 2022/10/07
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    CommandLine|contains:
      - ' /payload:'
      - ' -PayloadArgs '
      - ' /updateid:'
      - ' -PayloadFile '
  selection2:
    CommandLine|contains:
      - ' create '
      - ' check '
      - ' delete '
      - '-Inject'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.T1210
```
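As an added illustration (not code from the Sigma project or from this rule's author), the following Python evaluates the rule's two selections and its `selection1 and selection2` condition over constructed process-creation events. It assumes Sigma's default case-insensitive string matching for `contains`; the file paths and the update id in the sample events are placeholders.

```python
"""Added example: evaluate the WSUS-abuse Sigma rule over constructed events."""
from typing import Dict, List

# Sigma string matching is case-insensitive by default, so the selection
# values are lower-cased here and compared against a lower-cased CommandLine.
SELECTION1 = [" /payload:", " -payloadargs ", " /updateid:", " -payloadfile "]
SELECTION2 = [" create ", " check ", " delete ", "-inject"]


def contains_any(command_line: str, values: List[str]) -> bool:
    """'CommandLine|contains' with a list: true if any listed value is a substring."""
    haystack = command_line.lower()
    return any(value in haystack for value in values)


def matches_wsus_abuse_rule(event: Dict[str, str]) -> bool:
    """condition: selection1 and selection2 (both must hit on the same event)."""
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, SELECTION1) and contains_any(cmd, SELECTION2)


def alerting_events(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that would raise this rule."""
    return [i for i, event in enumerate(events) if matches_wsus_abuse_rule(event)]


# Constructed sample process-creation events (paths and update id are placeholders).
SAMPLE_EVENTS = [
    # 0: SharpWSUS-style 'create' with a payload flag -> both selections hit
    {"Image": r"C:\Temp\SharpWSUS.exe",
     "CommandLine": r"SharpWSUS.exe create /payload:C:\Temp\tool.exe"},
    # 1: SharpWSUS-style 'check' with an update id -> both selections hit
    {"Image": r"C:\Temp\SharpWSUS.exe",
     "CommandLine": "SharpWSUS.exe check /updateid:00000000-0000-0000-0000-000000000000"},
    # 2: WSUSpendu-style invocation -> '-Inject' plus ' -PayloadFile ' hit
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File WSUSpendu.ps1 -Inject -PayloadFile C:\Temp\tool.exe -PayloadArgs x"},
    # 3: only selection2 hits (' check ') -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo check done"},
    # 4: only selection1 hits (' /payload:') -> no alert
    {"Image": r"C:\Temp\installer.exe",
     "CommandLine": "installer.exe /payload:x"},
    # 5: upper-case variant still matches because matching is case-insensitive
    {"Image": r"C:\Temp\SharpWSUS.exe",
     "CommandLine": r"SHARPWSUS.EXE CREATE /PAYLOAD:C:\TEMP\TOOL.EXE"},
]

if __name__ == "__main__":
    print("alerting event indices:", alerting_events(SAMPLE_EVENTS))  # [0, 1, 2, 5]
```

Because the generic selection2 tokens (` create `, ` check `, ` delete `) only count together with a selection1 token on the same command line, a lone `check` or `delete` does not fire, which is what keeps this rule's noise low.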
Related rules
- Execution of ZeroLogon PoC executable
- SMBexec.py Execution
- Wmiexec.py Execution
- Possible Impacket DCOMExec Connection Attempt - Zeek