Thursday, June 30, 2022

CSharp tool for lateral movement through WSUS




SharpWSUS is a CSharp tool for lateral movement through WSUS. There is a corresponding blog post (https://labs.nettitude.com/blog/introducing-sharpwsus/) which has more detailed information about the tooling, use case and detection.

Credit

Huge credit to the sources below, which really did 90% of this for me. This tool is simply an enhancement of the below for C2 reliability and flexibility.

Help Menu

 ____  _                   __        ______  _   _ ____
/ ___|| |__ __ _ _ __ _ _ / / ___|| | | / ___|
___ | '_ / _` | '__| '_ / / /___ | | | ___
___) | | | | (_| | | | |_) V V / ___) | |_| |___) |
|____/|_| |_|__,_|_| | .__/ _/_/ |____/ ___/|____/
|_|
Phil Keeble @ Nettitude Red Team

Commands listed below have optional parameters in <>.

Locate the WSUS server:
SharpWSUS.exe locate

Inspect the WSUS server, enumerating clients, servers and existing groups:
SharpWSUS.exe inspect

Create an update (NOTE: The payload has to be a Windows signed binary):
SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MSRC] /description:[description] /url:[url]>

Approve an update:
SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added too] /approver:[Name of approver]>

Check status of an update:
SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]

Delete update and clean up groups added:
SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>

Example Usage

Notes

  • The binary has to be Windows signed, so psexec, msiexec, msbuild etc. can be useful for lateral movement.
  • The metadata on the create command is not needed, but is useful for blending in to the environment.
  • If testing in a lab, the first update is usually quick; every subsequent update will take a couple of hours (this is due to how Windows evaluates whether an update is already installed or not).
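
A defender-side audit for the create/approve flow in the help menu above, as an added example that is not part of SharpWSUS or the original page: run on the WSUS server, it lists every update that did not come from Microsoft Update, with its approver and the size of the computer group it was approved for. It assumes the UpdateServices PowerShell module is available and that locally published updates report an UpdateSource other than MicrosoftUpdate; the two-computer threshold is an arbitrary choice for illustration.

```powershell
# Added example: audit WSUS for locally published updates approved to very small groups.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer

# Assumption: anything not synchronised from Microsoft Update was published locally.
$localUpdates = $wsus.GetUpdates() |
    Where-Object { $_.UpdateSource -ne 'MicrosoftUpdate' }

$findings = foreach ($update in $localUpdates) {
    foreach ($approval in $update.GetUpdateApprovals()) {
        # Resolve the group the approval applies to and count its members.
        $group   = $wsus.GetComputerTargetGroup($approval.ComputerTargetGroupId)
        $members = @($group.GetComputerTargets())

        [pscustomobject]@{
            Title      = $update.Title
            UpdateId   = $update.Id.UpdateId
            KB         = ($update.KnowledgebaseArticles -join ',')
            Created    = $update.CreationDate
            Approver   = $approval.AdministratorName
            Approved   = $approval.CreationDate
            Group      = $group.Name
            GroupSize  = $members.Count
            # Arbitrary threshold: an approval scoped to one or two hosts deserves a look.
            SmallGroup = ($members.Count -le 2)
        }
    }
}

# Smallest groups first; an empty result means no locally published approvals exist.
$findings | Sort-Object GroupSize, Approved | Format-Table -AutoSize
```

Because the metadata on an update is free-form, review the approver, group and timing columns rather than trusting the title or KB number.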


