Abuse of the Windows Server Update Services (WSUS) for lateral movement.

Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two main tools used for that purpose.

Sigma rule

```yaml
title: Abuse of the Windows Server Update Services (WSUS) for lateral movement.
status: Experimental
description: Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two main tools used for that purpose.
author: '@Kostastsale'
references:
  - https://labs.nettitude.com/blog/introducing-sharpwsus/
  - https://github.com/nettitude/SharpWSUS
  - https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
date: 2022/10/07
logsource:
  product: windows
  category: process_creation
detection:
  # Argument names used by SharpWSUS (/payload:, /updateid:) and WSUSpendu (-PayloadFile, -PayloadArgs)
  selection1:
    CommandLine|contains:
      - ' /payload:'
      - ' -PayloadArgs '
      - ' /updateid:'
      - ' -PayloadFile '
  # SharpWSUS sub-commands and the WSUSpendu -Inject switch
  selection2:
    CommandLine|contains:
      - ' create '
      - ' check '
      - ' delete '
      - '-Inject'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.T1210
```
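The following is an added example, not part of the rule or of either tool, that evaluates the rule's two selections and its `and` condition over constructed process_creation events. It assumes Sigma's default case-insensitive substring matching for `|contains`; the sample command lines and paths are constructed placeholders.

```python
# Added example: evaluate the Sigma rule above against constructed events.
# Not part of the rule, SharpWSUS or WSUSpendu.

# The two selections, copied from the rule's detection block.
SELECTION1 = [" /payload:", " -PayloadArgs ", " /updateid:", " -PayloadFile "]
SELECTION2 = [" create ", " check ", " delete ", "-Inject"]


def sigma_contains(value: str, needles: list[str]) -> bool:
    """Sigma `|contains` with a list of values: OR over the values,
    each a case-insensitive substring test (Sigma's default matching)."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event: dict) -> bool:
    """condition: selection1 and selection2, both on the CommandLine field."""
    cmd = event.get("CommandLine", "")
    return sigma_contains(cmd, SELECTION1) and sigma_contains(cmd, SELECTION2)


def run_rule(events: list[dict]) -> list[int]:
    """Return the indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events; paths and arguments are placeholders.
SAMPLE_EVENTS = [
    # SharpWSUS-style: ' create ' (selection2) and ' /payload:' (selection1)
    {"CommandLine": r'SharpWSUS.exe create /payload:"C:\placeholder\sample.exe"'},
    # WSUSpendu-style: '-Inject' (selection2) and ' -PayloadFile ' (selection1)
    {"CommandLine": r"powershell.exe -File WSUSpendu.ps1 -Inject -PayloadFile C:\placeholder\sample.exe -PayloadArgs x"},
    # selection2 only (' delete '): the 'and' condition keeps this quiet
    {"CommandLine": "cmd.exe /c echo delete done"},
    # selection1 only: 'checkhealth' does not match the space-padded ' check '
    {"CommandLine": "wsusutil.exe checkhealth /payload:none"},
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The space padding around tokens such as `' check '` is deliberate: it keeps common words from matching inside longer arguments, but it also means a command line that ends with `create` (no trailing space) is missed.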
