If you have your own PKI in your AD, you may stop reading and move on. Nothing to see here. My gut, however, tells me that many mid-sized companies don’t have one and are at the mercy of Alex Neff’s Python script.[1]
Wsuks[2] positions itself as a man-in-the-middle between a Windows Update Server (WSUS) and the various servers/clients. It spoofs the WSUS IP in the ARP table. Upon contact (default: every 24 hours), a psexec64.exe along with a PowerShell script is distributed to the machines and executed, including elevation to Administrator. The payload can be adjusted arbitrarily.
So far the only prerequisite: a WSUS must be operated in the AD without TLS.
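A quick way to check whether your own clients fall into exactly this category, as an added example that is not part of the original post or of Wsuks: the script below reads the WSUS client policy that Group Policy writes under the WindowsUpdate key (WUServer, WUStatusServer, UseWUServer) and flags any intranet update server that is reached over plain HTTP instead of HTTPS. The function name is my own; the registry values are the documented ones set by “Specify intranet Microsoft update service location”.

```powershell
function Test-WsusTlsPolicy {
    # Added example: audit the WSUS client configuration on a domain-joined host.
    # Policy values written by "Specify intranet Microsoft update service location".
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath     = Join-Path $policyPath 'AU'

    $wuServer    = (Get-ItemProperty -Path $policyPath -Name WUServer       -ErrorAction SilentlyContinue).WUServer
    $statusUrl   = (Get-ItemProperty -Path $policyPath -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
    $useWUServer = (Get-ItemProperty -Path $auPath     -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer

    # No intranet server, or policy not enabled: the client talks to Microsoft Update over TLS.
    if (-not $wuServer -or $useWUServer -ne 1) {
        return [pscustomobject]@{ Setting = 'WUServer'; Url = $null; Scheme = $null; Status = 'Not configured (Microsoft Update)' }
    }

    $results = foreach ($entry in @(
            @{ Setting = 'WUServer';       Url = $wuServer  },
            @{ Setting = 'WUStatusServer'; Url = $statusUrl })) {

        if (-not $entry.Url) { continue }

        # Parse the URL so a stray trailing path or port does not fool a plain string compare.
        $uri = $null
        if (-not [System.Uri]::TryCreate($entry.Url, [System.UriKind]::Absolute, [ref]$uri)) {
            [pscustomobject]@{ Setting = $entry.Setting; Url = $entry.Url; Scheme = $null; Status = 'Unparseable URL' }
            continue
        }

        $status = if ($uri.Scheme -eq 'https') {
            'OK: TLS in use'
        } else {
            'WARNING: plain HTTP, update traffic can be redirected on the local network'
        }

        [pscustomobject]@{ Setting = $entry.Setting; Url = $entry.Url; Scheme = $uri.Scheme; Status = $status }
    }

    return $results
}

# Run locally; pipe into Invoke-Command -ComputerName ... to sweep a fleet.
Test-WsusTlsPolicy | Format-Table -AutoSize
```

A single plain-HTTP entry here is the whole prerequisite the tool needs; switching the WSUS server to HTTPS and updating the policy URL closes it.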
An elegant, easy-to-use tool for breaching and lateral movement. It’s built on the shoulders of GoSecure and their former tool pywsus, which pointed out the single point of failure that WSUS represents.[3]
Yours,
Tomas Jakobs