AD-WSUSPrivilege Escalation

WSUS Update Injection (HTTP)

If WSUS is HTTP-only, MITM and serve a malicious signed Microsoft binary to push code on clients.

§ Where this technique fits

AD-WSUS is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

WSUS over HTTP → push code to managed clients
Clients using an HTTP WSUS server can be MITM'd to receive an attacker-signed (but Microsoft-trusted) auxiliary update that executes arbitrary commands as SYSTEM.
step 3 / 4

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

WSUS over HTTP → push code to managed clients

§ What commonly comes next