WSUS over HTTP → push code to managed clients

§ Context

Assumed environment: WSUS is configured over HTTP (not HTTPS), attacker is on-path or in the same VLAN with the ability to ARP/DNS spoof.

§ Steps

1. 01
   Attacker on the LANInitial Access

   T1078— Valid Accounts
2. 02
   SYSTEM on client at next syncExecution

   T1059— Command and Scripting Interpreter
3. 03
   MITM client → WSUS trafficCredential Access

   T1557.001— LLMNR/NBT-NS Poisoning and SMB Relay
4. 04
   Inject signed auxiliary updatePrivilege Escalation

   AD-WSUS— WSUS Update Injection (HTTP)

   PyWSUS / WSUSpect — wrap PsExec.exe + benign-looking commands.

§ References

• T1078Valid Accounts
• T1059Command and Scripting Interpreter
• T1557.001LLMNR/NBT-NS Poisoning and SMB Relay

§ Frequently asked

What is the "WSUS over HTTP → push code to managed clients" attack path?

Clients using an HTTP WSUS server can be MITM'd to receive an attacker-signed (but Microsoft-trusted) auxiliary update that executes arbitrary commands as SYSTEM. It chains 4 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Attacker on the LAN (T1078) — a initial access primitive. Assumed environment: WSUS is configured over HTTP (not HTTPS), attacker is on-path or in the same VLAN with the ability to ARP/DNS spoof.

What is the final impact of this kill-chain?

The final step lands on Inject signed auxiliary update (AD-WSUS), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques3

  SCCM site takeover via NTLM relay (Takeover-1)

  Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.

• Shared techniques2

  io_uring UAF → modprobe_path overwrite → root

  Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.

• Shared techniques2

  nf_tables UAF → kernel R/W → root

  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.

• Shared techniques2

  BYOVD → kernel-level disable of EDR callbacks

  From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.

• Shared techniques2

  Process doppelgänging → spawn signed image with attacker bytes

  Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.

• Shared techniques2

  certutil + bitsadmin → AV-friendly stager chain

  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.