July 3, 2025 | 10:20

Hacking WSUS

If you have your own PKI in your AD, you may stop reading and move on. Nothing to see here. My gut, however, tells me that many mid-sized companies don't have one and are at the mercy of Alex Neff's Python script.¹ Wsuks² positions itself as a man-in-the-middle between a Windows Server Update Services (WSUS) server and the various servers/clients. It spoofs the WSUS IP in the ARP table. When a machine contacts the update server (default: every 24 hours), psexec64.exe and a PowerShell script are distributed to it and executed, including elevation to Administrator. The payload can be adjusted arbitrarily.
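On the detection side, the ARP spoofing step described above leaves a trace in each client's neighbor table. The following is an added example, not code from the post or from wsuks: it compares two `arp -a` snapshots from a Windows client and flags a changed or shared MAC address for the WSUS IP. All addresses and the sample output are constructed, and it assumes the WSUS server sits on the same subnet as the client.

```python
import re

# One entry of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)\s*$"
)

def parse_arp(output):
    """Return {ip: mac} for the entries found in `arp -a` text."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_wsus_arp(baseline, current, wsus_ip):
    """Compare two ARP snapshots and return findings for the WSUS IP."""
    old, new = parse_arp(baseline), parse_arp(current)
    findings = []
    mac = new.get(wsus_ip)
    if mac is None:
        return findings  # no ARP entry for the WSUS IP in this snapshot
    if wsus_ip in old and old[wsus_ip] != mac:
        findings.append(f"MAC for {wsus_ip} changed: {old[wsus_ip]} -> {mac}")
    # A spoofing host usually also appears under its own IP with the same MAC.
    shared = sorted(ip for ip, m in new.items() if m == mac and ip != wsus_ip)
    if shared:
        findings.append(f"{wsus_ip} shares MAC {mac} with {', '.join(shared)}")
    return findings

# Constructed sample data: 192.168.56.10 plays the WSUS server.
WSUS_IP = "192.168.56.10"
BASELINE = """
Interface: 192.168.56.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-01     dynamic
  192.168.56.10         08-00-27-aa-bb-cc     dynamic
  192.168.56.66         08-00-27-de-ad-01     dynamic
"""
CURRENT = BASELINE.replace("08-00-27-aa-bb-cc", "08-00-27-de-ad-01")

if __name__ == "__main__":
    for finding in check_wsus_arp(BASELINE, CURRENT, WSUS_IP):
        print("ALERT:", finding)
```

A MAC change alone can also come from a legitimate NIC replacement or failover, so treat the shared-MAC finding as the stronger signal.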

© 2026 Tomas Jakobs - Imprint and Legal Notice
