HackTool - SharpWSUS/WSUSpendu Execution
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
HackTool - SharpWSUS/WSUSpendu Execution | Standard | Windows | Lateral Movement: Exploitation of Remote Services (T1210) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows environments and is frequently configured in a way that allows an attacker to circumvent internal networking limitations: clients are permitted to reach the WSUS server through internal firewalls, and they install whatever updates it has approved for them. An attacker with administrative access to the WSUS server can use these tools to wrap a Microsoft-signed binary such as PsExec in a fake update, approve it for a target computer group, and have the clients run it as SYSTEM the next time they check for updates.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Privilege escalation → WSUS enumeration → Malicious update injection → Lateral movement → Execution on targets
Impact
- Unauthorized updates
- Lateral spread
- System compromise
- Network breach
Rule Requirement
Prerequisites
- Using Windows event viewer:
To enable detailed process auditing, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or modify a GPO linked to the target OU, then under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking, enable Audit Process Creation (Success). This produces Event ID 4688 in the Security log; Audit Process Termination (Event ID 4689) is optional for this rule, which only evaluates process start events. For the command-line visibility the rule depends on, also enable Include command line in process creation events under Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation; without it the command-line field of 4688 is empty and the rule can never match. Finally, confirm that the Security log of the WSUS server and of administrative workstations is actually being collected by the log source.
- Using Sysmon:
Download and install Sysmon from Microsoft Sysinternals, then install it with administrator privileges using a configuration file that enables process creation monitoring (for example, sysmon64.exe -accepteula -i sysmonconfig.xml). Use the <ProcessCreate> event filter in the configuration to capture process creation events (Event ID 1), which already include the full command line, parent process and image hashes. Then confirm in Event Viewer that the Microsoft-Windows-Sysmon/Operational channel is present under Applications and Services Logs and that it is being collected by the log source.
Criteria
Action1: actionname = "Process started" AND (
    (COMMANDLINE contains " -Inject " AND COMMANDLINE contains " -PayloadArgs " AND COMMANDLINE contains " -PayloadFile ")
    OR
    (COMMANDLINE contains any of [" approve ", " create ", " check ", " delete "] AND COMMANDLINE contains any of ["/payload:", "/payload=", "/updateid:", "/updateid="])
)
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
The first branch matches WSUSpendu.ps1, which requires all three of its -Inject, -PayloadArgs and -PayloadFile switches; the second matches SharpWSUS, which combines one of its approve/create/check/delete verbs with a /payload or /updateid argument. The leading and trailing spaces are part of the matched strings, so a switch such as "/create" in schtasks does not satisfy " create ".
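The criteria above, as an added example that is not the page's code nor code from the Sigma, SharpWSUS or WSUSpendu projects: a Python matcher that applies the same command-line logic to a batch of constructed process-creation events. The event shape (actionname, COMMANDLINE, HOSTNAME and the other selected fields) follows the criteria; the sample command lines, host names, GUIDs and paths are made up for illustration.

```python
# Added example (not the page's or the Sigma/SharpWSUS/WSUSpendu projects' code):
# the rule's command-line criteria as a matcher over constructed events.
from typing import Optional

# Strings the criteria looks for. The surrounding spaces are part of the
# match: "/create" (schtasks) is not " create " (SharpWSUS).
WSUSPENDU_SWITCHES = (" -inject ", " -payloadargs ", " -payloadfile ")  # all required
SHARPWSUS_VERBS = (" approve ", " create ", " check ", " delete ")        # any one
SHARPWSUS_ARGS = ("/payload:", "/payload=", "/updateid:", "/updateid=")   # any one


def classify(event: dict) -> Optional[str]:
    """Return "WSUSpendu" or "SharpWSUS" if the event triggers the rule, else None.

    Matching is case-insensitive, as a SIEM 'contains' on a command line usually is.
    """
    if event.get("actionname") != "Process started":
        return None
    cmd = event.get("COMMANDLINE", "").lower()
    if all(s in cmd for s in WSUSPENDU_SWITCHES):
        return "WSUSpendu"
    if any(v in cmd for v in SHARPWSUS_VERBS) and any(a in cmd for a in SHARPWSUS_ARGS):
        return "SharpWSUS"
    return None


def scan(events: list) -> list:
    """Apply the rule to a batch of events and return the selected alert rows."""
    alerts = []
    for ev in events:
        tool = classify(ev)
        if tool is None:
            continue
        alerts.append({
            "tool": tool,
            "HOSTNAME": ev.get("HOSTNAME"),
            "USERNAME": ev.get("USERNAME"),
            "PROCESSNAME": ev.get("PROCESSNAME"),
            "PARENTPROCESSNAME": ev.get("PARENTPROCESSNAME"),
            "COMMANDLINE": ev.get("COMMANDLINE"),
        })
    return alerts


def _event(cmd, action="Process started", image="cmd.exe", host="WSUS01", user="CORP\\jdoe"):
    """Build a constructed event in the shape the criteria expects."""
    return {"actionname": action, "HOSTNAME": host, "USERNAME": user,
            "PROCESSNAME": image, "PARENTPROCESSNAME": "cmd.exe", "COMMANDLINE": cmd}


# Constructed sample events (not real telemetry). GUIDs and paths are made up.
SAMPLE_EVENTS = [
    # 0: SharpWSUS wrapping a Microsoft-signed binary into a fake update
    _event('SharpWSUS.exe create /payload:"C:\\Windows\\System32\\PsExec.exe" '
           '/args:"-accepteula -s -d cmd.exe /c whoami" /title:"Security Update"',
           image="SharpWSUS.exe"),
    # 1: SharpWSUS approving the update for a target (the '=' argument form)
    _event('SharpWSUS.exe approve /updateid=00000000-0000-0000-0000-000000000001 '
           '/computername=fileserver01.corp.local /groupname="Update Group"',
           image="SharpWSUS.exe"),
    # 2: WSUSpendu.ps1 injecting a payload
    _event('powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\WSUSpendu.ps1 -Inject '
           '-PayloadFile C:\\tools\\PsExec.exe -PayloadArgs "-accepteula -s -d cmd.exe"',
           image="powershell.exe"),
    # 3: renamed SharpWSUS binary: still caught, the rule keys on arguments, not the image
    _event('svchost.exe delete /updateid:00000000-0000-0000-0000-000000000001 '
           '/computername:fileserver01.corp.local /groupname:"Update Group"',
           image="svchost.exe"),
    # 4: benign: "/create" has no surrounding spaces and there is no payload/updateid argument
    _event('schtasks.exe /create /tn Backup /tr C:\\backup.bat /sc daily'),
    # 5: benign WSUS maintenance
    _event('wsusutil.exe checkhealth', image="wsusutil.exe"),
    # 6: same SharpWSUS command line, but a termination event: the rule only
    #    evaluates "Process started"
    _event('SharpWSUS.exe create /payload:"C:\\tools\\PsExec.exe" /title:"x"',
           action="Process terminated", image="SharpWSUS.exe"),
    # 7: SharpWSUS enumeration verbs (locate, inspect) are outside the rule's scope
    _event('SharpWSUS.exe locate', image="SharpWSUS.exe"),
]


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(f'{row["tool"]:<9} {row["HOSTNAME"]} {row["USERNAME"]} {row["COMMANDLINE"]}')
```

Events 0 to 3 produce alerts and 4 to 7 do not. Two things to note from the samples: the rule never inspects the image name, so renaming SharpWSUS.exe does not evade it, but a modified build that spells its verbs or switches differently would, and the enumeration-only verbs (locate, inspect) are deliberately outside the rule. Pair it with server-side review of updates created or approved on the WSUS server by accounts that do not normally do so.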
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
- Lateral Movement: Exploitation of Remote Services (T1210)
Security Standards
Enabling this rule helps you meet the requirements of the security standards listed below:
1. NIST SP 800-53 Rev. 5 - SI-4 (System Monitoring)
Requires organizations to monitor systems for unusual or unauthorized activities.
Triggering this rule enables the detection of suspicious WSUS-related execution, helping monitor and flag potential lateral movement tactics.
2. NIST SP 800-53 Rev. 5 - AU-6 (Audit Review, Analysis, and Reporting)
Calls for regular audit log review and automated analysis for identifying security-relevant events.
Triggering this rule generates audit trails for unauthorized WSUS tool execution, supporting forensic analysis and compliance.
3. NIST SP 800-53 Rev. 5 - AC-2 (Account Management)
Emphasizes managing and controlling user account activities to prevent misuse.
Triggering this rule exposes potentially unauthorized use of elevated accounts to execute SharpWSUS/WSUSpendu utilities.
4. NIST SP 800-171 - 3.3.1 (System Audit Logs)
Requires the generation and retention of system logs to support security investigations.
Triggering this rule contributes to maintaining detailed logs of malicious WSUS usage, aiding incident response.
5. NIST CSF - DE.CM-7 (Monitoring for unauthorized personnel, connections, devices, and software)
Requires continuous monitoring for unauthorized software and activity on the network.
Triggering this rule supports continuous threat detection by identifying the execution of unauthorized WSUS manipulation tools.
Author
@Kostastsale, Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
This rule will be triggered when system administrators or an authorized red team run SharpWSUS or WSUSpendu themselves for WSUS diagnostics or internal update testing, or when an in-house script happens to combine one of the approve/create/check/delete verbs with a /payload or /updateid argument. Such activity mimics SharpWSUS behaviour but is non-malicious in intent. Before closing an alert as a false positive, confirm the user, the parent process and the hash of the executed binary, and check the WSUS console for updates that were created or approved at the same time.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to block the host's network connections and terminate the malicious process.
- Containment: Isolate the affected host from the network to prevent further lateral movement or data collection attempts.
- Eradication: Remove the SharpWSUS or WSUSpendu tool and any associated scripts or payloads from the compromised system. Then, on the WSUS server, identify the updates the tool created or approved and decline and delete them, because an approved malicious update keeps being delivered to clients after the tool itself is gone. Reset the credentials of the account that ran the tool, since it held WSUS administrative rights.
Mitigation
Mitigation IDs | Mitigation Name | Description |
M1048 | Application Isolation and Sandboxing | Limit adversary movement by using sandboxing to isolate potential threats and reduce the risk of exploitation through unpatched or unknown vulnerabilities. Complementary techniques like virtualization and application microsegmentation can further contain the impact, though residual risks from other exploits may still remain. |
M1042 | Disable or Remove Feature or Program | Minimize available services to only those that are necessary. |
M1050 | Exploit Protection | Security tools like Windows Defender Exploit Guard (WDEG) and its predecessor, the Enhanced Mitigation Experience Toolkit (EMET, retired in 2018), can help detect and block exploitation behaviors. Control flow integrity (CFI) checks also offer protection by identifying and preventing exploit attempts. However, the effectiveness of these defenses depends on system architecture and application compatibility, and may not cover all targeted software or services. |
M1030 | Network Segmentation | Implement proper network and system segmentation to ensure that access to critical systems and services is limited and only permitted through authorized, controlled methods. This minimizes the risk of lateral movement and unauthorized access during an attack. |
M1026 | Privileged Account Management | Restrict permissions and access rights of service accounts to the minimum necessary, reducing the potential impact if they are compromised during exploitation. This limits adversaries' ability to escalate privileges or move laterally within the network. |
M1019 | Threat Intelligence Program | Establish a strong cyber threat intelligence program to identify and assess potential threats, including adversaries likely to use software exploits and zero-day vulnerabilities. This helps tailor defenses and prioritize patching based on the organization's specific risk profile. |
M1051 | Update Software | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
M1016 | Vulnerability Scanning | Regularly scan the internal network for available services to identify new and potentially vulnerable services. |