GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks - GoSecure
Common Information
Type Value
UUID 0ef64ae5-69c2-45a4-b1d1-a20cfd2911bf
Fingerprint bf1e915909a199c6
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 22, 2021, 4:53 p.m.
Added to db Jan. 18, 2023, 11:19 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks
Title GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks - GoSecure
Detected Hints/Tags/Attributes 71/1/32
Attributes
Details Type #Events CTI Value
Details CVE 2
cve-2020-1013
Details CVE 2
cve-2021-1694
Details Domain 1
scanwsusgpo.py
Details Domain 23
ntlmrelayx.py
Details Domain 1
ldap-scanner.py
Details Domain 88
secretsdump.py
Details Domain 8
addcomputer.py
Details Domain 13
getst.py
Details File 1
scanwsusgpo.py
Details File 1
simpleauth.asmx
Details File 1
client.asmx
Details File 22
ntlmrelayx.py
Details File 18
targets.txt
Details File 6
c:\test.txt
Details File 103
test.txt
Details File 1
ldap-scanner.py
Details File 85
secretsdump.py
Details File 8
addcomputer.py
Details File 12
getst.py
Details Microsoft Patch Numbers 2
KB4571756
Details Microsoft Patch Numbers 2
KB4577041
Details Url 1
http://hl-wsus01.hackinglabs.lan:8530
Details Windows Registry Key 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate