Tags: active directory, supply chain, for administrators

When your patch server turns on you: rogue WSUS update to SYSTEM

Every domain client trusts WSUS as its patch source. One malicious approved update runs an attacker command as SYSTEM across the whole fleet at once.

The thing every machine trusts to patch it can also be the thing that compromises every machine at once.

How the attack works

An attacker who controls the WSUS server, or who can man-in-the-middle its traffic when clients are configured to reach it over plain HTTP, publishes and approves a malicious update. The payload is a Microsoft-signed binary (the Windows Update agent rejects anything else) paired with an attacker-chosen command line. Clients poll WSUS on their normal detection cycle, see the approved update, download it, and the Windows Update agent installs it and runs that command line as SYSTEM. Because the approval targets every computer group, the payload lands fleet-wide as machines check in, establishing SYSTEM persistence and beaconing out from many hosts at once. In ATT&CK terms this is T1072 (Software Deployment Tools) used as a T1195 Supply Chain Compromise to gain T1059 execution.

Why it works

WSUS is a deployment chokepoint that clients trust implicitly: whatever the server says is approved, the agent installs. Two independent weaknesses each turn that trust into a foothold. When client communication runs over plain HTTP, the update catalogue can be tampered with in transit by anyone on the path, so the attacker does not even need the server. When approval rights are loosely held, a single compromised account or console yields domain-wide SYSTEM execution through a channel that every host already trusts. The root cause is an unauthenticated, tamper-able deployment path combined with broad approval rights.
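The first thing to establish on any client is whether its update channel is one of the weak ones described above. The following PowerShell is an added example, not tooling from the field note: it reads the registry values that the "Specify intranet Microsoft update service location" policy writes (`WUServer`, `WUStatusServer`, `UpdateServiceUrlAlternate` and `AU\UseWUServer`, which are the real value names) and flags any WSUS URL that is not HTTPS, as well as a status/reporting server that points at a different host than the update server. The `-Policy` parameter is an assumption added so the check can be exercised on a hashtable without touching the live registry.

```powershell
# Added example: audit a client's WSUS transport configuration.
# Reads the real policy registry keys; the -Policy hashtable override is
# only there so the logic can be tested without a WSUS-managed machine.
$script:WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientTransport {
    [CmdletBinding()]
    param(
        # Optional: supply the policy values directly instead of reading the registry.
        [hashtable]$Policy
    )

    if (-not $Policy) {
        $Policy = @{}
        $wu = Get-ItemProperty -Path $script:WuPolicyKey      -ErrorAction SilentlyContinue
        $au = Get-ItemProperty -Path "$script:WuPolicyKey\AU" -ErrorAction SilentlyContinue
        foreach ($name in 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate') {
            if ($wu -and $wu.PSObject.Properties[$name]) { $Policy[$name] = $wu.$name }
        }
        if ($au -and $au.PSObject.Properties['UseWUServer']) { $Policy['UseWUServer'] = $au.UseWUServer }
    }

    # Not pointed at an intranet WSUS at all: the machine talks to Microsoft Update directly.
    if ($Policy['UseWUServer'] -ne 1 -or -not $Policy['WUServer']) {
        return [pscustomobject]@{ Verdict = 'NotUsingWsus'; Findings = @() }
    }

    $findings = @()
    $hosts    = @{}
    foreach ($name in 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate') {
        $value = $Policy[$name]
        if (-not $value) { continue }

        $uri = $null
        if (-not [Uri]::TryCreate([string]$value, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "$name is not an absolute URL: '$value'"
            continue
        }
        $hosts[$name] = $uri.Host.ToLowerInvariant()

        # Plain HTTP is the tamper-in-transit case from the field note.
        if ($uri.Scheme -ne 'https') {
            $findings += "$name uses $($uri.Scheme):// ('$value'); catalogue and payload metadata can be rewritten on the wire"
        }
    }

    # A reporting server on a different host than the update server is unusual and
    # worth a look: install-status reporting is what you will scope the incident from.
    if ($hosts['WUServer'] -and $hosts['WUStatusServer'] -and $hosts['WUServer'] -ne $hosts['WUStatusServer']) {
        $findings += "WUStatusServer host '$($hosts['WUStatusServer'])' differs from WUServer host '$($hosts['WUServer'])'"
    }

    [pscustomobject]@{
        Verdict  = if ($findings.Count -eq 0) { 'Hardened' } else { 'Weak' }
        Findings = $findings
    }
}

# Constructed sample inputs (assumed values, not from the field note):
$weak = @{ UseWUServer = 1; WUServer = 'http://wsus.corp.example:8530'; WUStatusServer = 'http://wsus.corp.example:8530' }
$good = @{ UseWUServer = 1; WUServer = 'https://wsus.corp.example:8531'; WUStatusServer = 'https://wsus.corp.example:8531' }

Test-WsusClientTransport -Policy $weak   # Verdict: Weak, two findings about http://
Test-WsusClientTransport -Policy $good   # Verdict: Hardened
Test-WsusClientTransport                 # audits the machine the script runs on
```

Run it across the fleet through your existing remote-execution path rather than through WSUS itself; the point of the check is to find machines that are reachable over the channel you are about to distrust. The fix is applied in Group Policy (the same "Specify intranet Microsoft update service location" setting, with `https://` URLs and, by default, port 8531), not by editing these registry values by hand.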

How to fix it

The non-obvious move is that you never push a fix through the compromised channel. Decline the rogue update and remove its approval, take WSUS offline, and treat the server as compromised: isolate and rebuild it rather than trusting it to deliver remediation. Remediate already-infected clients out-of-band. Scope the set that actually executed the payload from WSUS's own per-computer install-status reporting, correlated with client process-creation events (Security event 4688 or Sysmon event ID 1) showing a process launched from the agent's download directory under %windir%\SoftwareDistribution\Download as SYSTEM; the target-group list only tells you who was eligible, not who installed. Then harden WSUS as a Tier-0 asset: require HTTPS for client communication, keep update signature validation enforced on the agent, and tightly restrict and monitor who can approve updates, including membership of the server's local WSUS Administrators group and any account with rights over its SQL database.
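Scoping the blast radius has a server side and a client side. The following PowerShell is an added example, not the field note's own tooling. The server-side function uses the real `UpdateServices` module (`Get-WsusServer`, `Get-WsusUpdate -UpdateId`, `Deny-WsusUpdate`) and the WSUS API call `GetUpdateInstallationInfoPerComputerTarget` to list, per computer, what WSUS believes happened with the rogue update. The client-side functions parse Sysmon event ID 1 records and keep only processes started from `SoftwareDistribution\Download` as SYSTEM. The update GUID, host names and the sample Sysmon event are constructed placeholders; the `-EventXml` parameter exists so the parser can be run offline on that sample.

```powershell
# Added example: scope which machines ran a rogue WSUS payload.
# Part 1 runs on the WSUS server (UpdateServices module, usually a console
# you are about to take offline). Part 2 runs on clients, or via
# Invoke-Command through a path that does not depend on WSUS.

function Get-RogueUpdateInstallStatus {
    param([Parameter(Mandatory)][guid]$UpdateId)   # take the GUID from the WSUS console

    Import-Module UpdateServices
    $wsus   = Get-WsusServer
    $update = (Get-WsusUpdate -UpdateServer $wsus -UpdateId $UpdateId).Update
    $scope  = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

    # WSUS's own view: Installed / InstalledPendingReboot are the hosts to treat as executed.
    foreach ($info in $update.GetUpdateInstallationInfoPerComputerTarget($scope)) {
        [pscustomobject]@{
            Computer = $wsus.GetComputerTarget($info.ComputerTargetId).FullDomainName
            State    = $info.UpdateInstallationState
        }
    }
}

function Remove-RogueUpdateApproval {
    param([Parameter(Mandatory)][guid]$UpdateId)
    Import-Module UpdateServices
    # Declining removes the approval and stops further clients picking it up.
    Get-WsusUpdate -UpdateId $UpdateId | Deny-WsusUpdate
}

function ConvertFrom-SysmonProcessCreate {
    # Turn a Sysmon event ID 1 XML record into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $fields = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime     = $fields['UtcTime']
            Image       = $fields['Image']
            CommandLine = $fields['CommandLine']
            User        = $fields['User']
            ParentImage = $fields['ParentImage']
        }
    }
}

function Find-WsusPayloadExecution {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$EventXml        # optional: pre-exported event XML, for offline use
    )
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
        } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
    }
    # The update agent stages and runs update payloads from this directory.
    $EventXml | ConvertFrom-SysmonProcessCreate | Where-Object {
        $_.Image -like '*\SoftwareDistribution\Download\*' -and $_.User -eq 'NT AUTHORITY\SYSTEM'
    }
}

# Constructed sample Sysmon record (not a real capture) to exercise the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>ws01.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 03:12:07.000</Data>
    <Data Name="Image">C:\Windows\SoftwareDistribution\Download\Install\PsExec64.exe</Data>
    <Data Name="CommandLine">"PsExec64.exe" -accepteula -s -d cmd.exe /c ...</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@

Find-WsusPayloadExecution -EventXml $sample          # returns the one matching record
# On a live client:  Find-WsusPayloadExecution -Since $rogueApprovalTime
# On the WSUS server: Get-RogueUpdateInstallStatus -UpdateId '00000000-0000-0000-0000-000000000000'
```

Treat the two views as a union, not an intersection. WSUS reporting is only as trustworthy as the server you have just declared compromised, and a client that was rebuilt or had its event log cleared will be missing from the Sysmon view; a host that appears as executed in either source goes on the remediation list.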

Practice it

We built this as a GraphLattice Range scenario so administrators can cut the deployment channel, scope the real blast radius, and rehearse rebuilding WSUS as Tier-0.