SharpWSUS – CSharp tool for lateral movement through WSUS

SharpWSUS

SharpWSUS is a CSharp tool for lateral movement through WSUS. There is a corresponding blog post (https://labs.nettitude.com/blog/introducing-sharpwsus/) which has more detailed information about the tooling, use case and detection.

Credits

Massive credit to the below resources that really did 90% of this for me. This tool is just an enhancement of the below for C2 reliability and flexibility.

  • https://github.com/AlsidOfficial/WSUSpendu – PowerShell tool for abusing WSUS
  • https://github.com/ThunderGunExpress/Thunder_Woosus – CSharp tool for abusing WSUS

Help Menu

Phil Keeble @ Nettitude Red Team


Commands listed below have optional parameters in <>.

Locate the WSUS server:
SharpWSUS.exe locate

Inspect the WSUS server, enumerating clients, servers and existing groups:
SharpWSUS.exe inspect

Create an update (NOTE: The payload has to be a windows signed binary):
SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MS RC] /description:[description] /url:[url]>

Approve an update:
SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added too] /approver:[Name of approver]>

Check status of an update:
SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]

Delete update and clean up groups added:
SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>

Example Usage

Notes

  • The binary has to be Windows signed, so psexec, msiexec, msbuild etc. could be useful for lateral movement.
  • The metadata on the create command is not needed, but is useful for blending in to the environment.
  • If testing in a lab, the first update is usually quick, then each subsequent update will take a couple of hours (this is due to how Windows evaluates whether an update is installed already or not).
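
For defenders, the commands above leave an update that did not come from Microsoft, approved for a group that may hold only the one targeted computer. The audit below is an added example, not part of SharpWSUS or the original page; it assumes it is run on the WSUS server by a WSUS administrator with the UpdateServices module available, and the one-member threshold is an assumption to tune.

```powershell
# Added defender-side audit (not SharpWSUS code).
# Lists updates that did not originate from Microsoft Update, with every
# approval, the approver name, and the size of the target group.
Import-Module UpdateServices
$wsus = Get-WsusServer   # connects to the local WSUS server

# Locally published updates report an UpdateSource other than MicrosoftUpdate.
$localUpdates = $wsus.GetUpdates() |
    Where-Object { $_.UpdateSource -ne 'MicrosoftUpdate' }

$findings = foreach ($update in $localUpdates) {
    foreach ($approval in $update.GetUpdateApprovals()) {
        $group   = $wsus.GetComputerTargetGroup($approval.ComputerTargetGroupId)
        $members = @($group.GetComputerTargets())

        [pscustomobject]@{
            Title      = $update.Title
            UpdateId   = $update.Id.UpdateId
            Created    = $update.CreationDate
            Action     = $approval.Action
            ApprovedBy = $approval.AdministratorName
            ApprovedOn = $approval.CreationDate
            Group      = $group.Name
            GroupSize  = $members.Count
            Members    = ($members | ForEach-Object FullDomainName) -join ', '
            # Assumed heuristic: an approval scoped to a single machine
            # deserves a closer look than one scoped to a broad group.
            Review     = ($members.Count -le 1)
        }
    }
}

# Narrowest target groups and oldest approvals first.
$findings | Sort-Object GroupSize, ApprovedOn | Format-Table -AutoSize

# Locally published updates with no approval at all are also worth listing,
# since an update can be created before it is approved.
$localUpdates |
    Where-Object { @($_.GetUpdateApprovals()).Count -eq 0 } |
    Select-Object Title, CreationDate, @{ n = 'UpdateId'; e = { $_.Id.UpdateId } }
```

Third-party patching products also publish local updates, so compare the titles, approvers and groups against what your patch management team actually uses before treating a row as suspicious.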