Potential WSUS Abuse for Lateral Movement via PsExec

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

This detection identifies potential abuse of Windows Server Update Services (WSUS) for lateral movement by executing PsExec. WSUS is designed to manage updates for Microsoft products, ensuring only signed binaries are executed. Attackers can exploit this by using WSUS to distribute and execute Microsoft-signed tools like PsExec, which can then be used to move laterally within the network. This technique leverages the trust relationship inherent in WSUS to bypass security controls. The rule focuses on detecting suspicious processes initiated by wuauclt.exe (the Windows Update client) executing PsExec from the SoftwareDistribution Download Install directories. Defenders should monitor WSUS activity and PsExec executions to detect and respond to this potential threat.

Attack Chain

The attacker compromises a system within the target network.
The attacker gains control over the WSUS server or performs a man-in-the-middle attack to spoof WSUS.
The attacker uses the compromised WSUS server to approve a malicious update containing PsExec.
The WSUS client (wuauclt.exe) on targeted machines downloads the “approved” update from the WSUS server, placing PsExec in the C:\Windows\SoftwareDistribution\Download\Install\ directory.
The WSUS client executes PsExec.
PsExec is used to execute commands or transfer files to other systems on the network.
The attacker uses the compromised systems to gather credentials or move laterally to other high-value targets.
The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation allows attackers to achieve lateral movement within the network, leading to the compromise of additional systems and sensitive data. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the level of access achieved by the attacker and the value of the compromised systems.

Recommendation

Deploy the Sigma rule WSUS PsExec Execution to detect potential WSUS abuse involving PsExec execution.
Enable Sysmon process creation logging (Event ID 1) to gain visibility into process executions, as referenced in the setup instructions.
Implement enhanced monitoring and logging for WSUS activities to detect unauthorized changes or updates.
Investigate and remove any unauthorized binaries found in the C:\Windows\SoftwareDistribution\Download\Install\ directory.
Review and restrict the accounts authorized to manage WSUS to prevent unauthorized modifications.

Windows Server Update Service (WSUS) Privilege Escalation via CVE-2026-26174

hello@craftedsignal.io — Tue, 14 Apr 2026 18:23:14 +0000

CVE-2026-26174 describes a race condition vulnerability within the Windows Server Update Service (WSUS). Disclosed on April 14, 2026, this flaw allows a locally authenticated attacker with limited privileges to elevate their privileges to SYSTEM. The vulnerability stems from improper synchronization when WSUS handles concurrent requests, leading to a race condition that can be exploited to overwrite critical system files or manipulate system processes. Successful exploitation could grant an attacker full control over the affected system, potentially enabling lateral movement within the network, data exfiltration, or deployment of malware. Due to the critical role of WSUS in managing updates across an enterprise, this vulnerability poses a significant risk to organizations relying on WSUS for patch management.

Attack Chain

Attacker authenticates to the target Windows system with a low-privileged account.
The attacker crafts a malicious request designed to trigger the race condition in WSUS. This might involve sending multiple, simultaneous update requests.
WSUS processes the crafted requests concurrently, leading to unsynchronized access to shared resources.
Due to the race condition, the attacker gains the ability to manipulate a shared resource, such as a temporary file or a registry key, used by WSUS.
The attacker exploits the manipulated shared resource to overwrite a critical system file within the WSUS directory (e.g., a DLL loaded by the WSUS service) or modify a registry setting used by WSUS for configuration.
WSUS service restarts or reloads the modified component, executing the attacker’s injected code with elevated privileges.
The attacker’s code executes with SYSTEM privileges, granting them full control over the system.
The attacker leverages the elevated privileges to install malicious software, create new accounts, or perform other unauthorized actions.

Impact

Successful exploitation of CVE-2026-26174 allows a local attacker to elevate privileges to SYSTEM. This level of access grants complete control over the compromised machine. In a networked environment, this could lead to lateral movement to other systems, exfiltration of sensitive data, or the deployment of ransomware. Given that WSUS is often deployed across numerous systems, a single successful exploit could compromise a large number of machines. The vulnerability has a CVSS v3.1 score of 7.0, indicating a high severity.

Recommendation

Apply the patch released by Microsoft to address CVE-2026-26174 on all WSUS servers immediately.
Monitor process creation events for unusual processes spawned by the WSUS service (w3wp.exe) using the “Detect Suspicious WSUS Child Processes” Sigma rule to detect potential exploitation attempts.
Monitor file modifications within the WSUS installation directory (typically C:\Program Files\Update Services\) using the “Detect WSUS File Modifications” Sigma rule.
Review WSUS logs for any unusual activity or errors that might indicate an attempted exploitation of CVE-2026-26174.

Wsus — CraftedSignal Threat Feed

Potential WSUS Abuse for Lateral Movement via PsExec

Attack Chain

Impact

Recommendation

Windows Server Update Service (WSUS) Privilege Escalation via CVE-2026-26174

Attack Chain

Impact

Recommendation