
To check whether a Windows domain is a possible candidate for a MITM WSUS attack, query the configured WSUS server:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

https://github.com/pimps/wsuxploit/ (requires a MITM attack, e.g. with bettercap)

https://github.com/GoSecure/WSuspicious/ (all-in-one tool that changes the local proxy settings)

Update: once CVE-2020-1013 is patched, Windows Update uses the SYSTEM proxy settings and not the user proxy.

If the registry value HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection is set to REG_DWORD 1, the user proxy is still used, but only when the system proxy doesn't work.
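
A read-only audit of both settings above, as an added example (not code from this page or from the linked tools). It assumes the proxy value lives under the same policy key as WUServer, also reads AU\UseWUServer (not mentioned on this page), and treats an http:// WUServer as the risky case; the function names are hypothetical.

```powershell
# Added example: read-only audit of the Windows Update policy values discussed above.
$WuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing ($null) when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusExposure {
    # Takes the raw registry values and returns the findings; touches nothing itself.
    param([string]$WUServer, $UseWUServer, $ProxyBehavior)
    $findings  = @()
    $candidate = $false

    if ([string]::IsNullOrWhiteSpace($WUServer)) {
        $findings += 'No WUServer policy: client does not use an intranet WSUS server.'
    } else {
        $uri = $null
        if (-not [Uri]::TryCreate($WUServer, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "WUServer '$WUServer' is not a valid absolute URL; review the GPO."
        } elseif ($uri.Scheme -eq 'http') {
            $candidate = $true
            $findings += "WUServer uses plain HTTP ($WUServer): update traffic is not protected by TLS."
        } else {
            $findings += "WUServer uses $($uri.Scheme) ($WUServer)."
        }
        if ($UseWUServer -ne 1) {
            # Without AU\UseWUServer = 1 the client ignores the WUServer value.
            $candidate = $false
            $findings += 'AU\UseWUServer is not 1: the WUServer value is not in effect.'
        }
    }

    if ($ProxyBehavior -eq 1) {
        $findings += 'SetProxyBehaviorForUpdateDetection = 1: user proxy is the fallback when the system proxy fails.'
    } else {
        $findings += 'SetProxyBehaviorForUpdateDetection is not 1: only the system proxy is used once CVE-2020-1013 is patched.'
    }
    [pscustomobject]@{ WUServer = $WUServer; MitmCandidate = $candidate; Findings = $findings }
}

$report = Get-WsusExposure `
    -WUServer      (Get-PolicyValue $WuKey 'WUServer') `
    -UseWUServer   (Get-PolicyValue "$WuKey\AU" 'UseWUServer') `
    -ProxyBehavior (Get-PolicyValue $WuKey 'SetProxyBehaviorForUpdateDetection')
$report | Format-List
```

If MitmCandidate is True, the fix is on the WSUS side: serve updates over HTTPS and point the WUServer policy at the https:// URL.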

References:

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::CorpWuURL

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
