{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wsus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Server Update Services"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wsus","psexec","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of Windows Server Update Services (WSUS) for lateral movement by executing PsExec. WSUS is designed to manage updates for Microsoft products, ensuring only signed binaries are executed. Attackers can exploit this by using WSUS to distribute and execute Microsoft-signed tools like PsExec, which can then be used to move laterally within the network. This technique leverages the trust relationship inherent in WSUS to bypass security controls. The rule focuses on detecting suspicious processes initiated by \u003ccode\u003ewuauclt.exe\u003c/code\u003e (the Windows Update client) executing PsExec from the SoftwareDistribution Download Install directories. Defenders should monitor WSUS activity and PsExec executions to detect and respond to this potential threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the WSUS server or performs a man-in-the-middle attack to spoof WSUS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised WSUS server to approve a malicious update containing PsExec.\u003c/li\u003e\n\u003cli\u003eThe WSUS client (\u003ccode\u003ewuauclt.exe\u003c/code\u003e) on targeted machines downloads the \u0026ldquo;approved\u0026rdquo; update from the WSUS server, placing PsExec in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe WSUS client executes PsExec.\u003c/li\u003e\n\u003cli\u003ePsExec is used to execute commands or transfer files to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised systems to gather credentials or move laterally to other high-value targets.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve lateral movement within the network, leading to the compromise of additional systems and sensitive data. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the level of access achieved by the attacker and the value of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWSUS PsExec Execution\u003c/code\u003e to detect potential WSUS abuse involving PsExec execution.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to gain visibility into process executions, as referenced in the \u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for WSUS activities to detect unauthorized changes or updates.\u003c/li\u003e\n\u003cli\u003eInvestigate and remove any unauthorized binaries found in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eReview and restrict the accounts authorized to manage WSUS to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-wsus-psexec/","summary":"Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.","title":"Potential WSUS Abuse for Lateral Movement via PsExec","url":"https://feed.craftedsignal.io/briefs/2024-07-wsus-psexec/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-26174"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-26174","privilege-escalation","windows","wsus"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26174 describes a race condition vulnerability within the Windows Server Update Service (WSUS). Disclosed on April 14, 2026, this flaw allows a locally authenticated attacker with limited privileges to elevate their privileges to SYSTEM. The vulnerability stems from improper synchronization when WSUS handles concurrent requests, leading to a race condition that can be exploited to overwrite critical system files or manipulate system processes. Successful exploitation could grant an attacker full control over the affected system, potentially enabling lateral movement within the network, data exfiltration, or deployment of malware. Due to the critical role of WSUS in managing updates across an enterprise, this vulnerability poses a significant risk to organizations relying on WSUS for patch management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the target Windows system with a low-privileged account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request designed to trigger the race condition in WSUS. This might involve sending multiple, simultaneous update requests.\u003c/li\u003e\n\u003cli\u003eWSUS processes the crafted requests concurrently, leading to unsynchronized access to shared resources.\u003c/li\u003e\n\u003cli\u003eDue to the race condition, the attacker gains the ability to manipulate a shared resource, such as a temporary file or a registry key, used by WSUS.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the manipulated shared resource to overwrite a critical system file within the WSUS directory (e.g., a DLL loaded by the WSUS service) or modify a registry setting used by WSUS for configuration.\u003c/li\u003e\n\u003cli\u003eWSUS service restarts or reloads the modified component, executing the attacker\u0026rsquo;s injected code with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with SYSTEM privileges, granting them full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to install malicious software, create new accounts, or perform other unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26174 allows a local attacker to elevate privileges to SYSTEM. This level of access grants complete control over the compromised machine. In a networked environment, this could lead to lateral movement to other systems, exfiltration of sensitive data, or the deployment of ransomware. Given that WSUS is often deployed across numerous systems, a single successful exploit could compromise a large number of machines. The vulnerability has a CVSS v3.1 score of 7.0, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch released by Microsoft to address CVE-2026-26174 on all WSUS servers immediately.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by the WSUS service (w3wp.exe) using the \u0026ldquo;Detect Suspicious WSUS Child Processes\u0026rdquo; Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor file modifications within the WSUS installation directory (typically \u003ccode\u003eC:\\Program Files\\Update Services\\\u003c/code\u003e) using the \u0026ldquo;Detect WSUS File Modifications\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview WSUS logs for any unusual activity or errors that might indicate an attempted exploitation of CVE-2026-26174.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:23:14Z","date_published":"2026-04-14T18:23:14Z","id":"/briefs/2026-04-wsus-privesc/","summary":"CVE-2026-26174 is a race condition vulnerability in Windows Server Update Service that allows an authorized attacker to elevate privileges locally.","title":"Windows Server Update Service (WSUS) Privilege Escalation via CVE-2026-26174","url":"https://feed.craftedsignal.io/briefs/2026-04-wsus-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Wsus","version":"https://jsonfeed.org/version/1.1"}