Velociraptor WSUS Exploitation, Pt. I: WSUS-Up?

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Threat actors exploited a WSUS deserialization vulnerability (CVE-2025-59287) to gain initial access. Quote: ‘the deployment of Velociraptor by threat actors after they had gained initial access through exploitation of a flaw in WSUS (Microsoft’s centralized update distribution service…)’
• [T1105] Ingress Tool Transfer – Malicious MSI retrieved from an external storage domain and installed on the host. Quote: ‘installing a malicious MSI package from s3[.]wasabisys[.]com.’
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys and Startup Folder (service) – Velociraptor was installed as a service and configured for auto start. Quote: ‘Service Control Manager/7045;Velociraptor Service…user mode service,auto start,LocalSystem’
• [T1059.001] Command and Scripting Interpreter: PowerShell – Velociraptor spawned base64-encoded PowerShell commands to perform discovery. Quote: ‘we observed a number of base64-encoded PowerShell commands, which were child processes of Velociraptor.exe’
• [T1083] File and Directory Discovery – Commands launched to enumerate system information and configurations (e.g., ipconfig, quser). Quote: ‘These commands launched a series of discovery queries, allowing the threat actor to gather information about users, running services, configurations, and more.’
• [T1016] System Network Configuration Discovery – Use of ipconfig to collect network configuration as part of discovery. Quote: ‘”C:Windowssystem32ipconfig.exe” /al’
• [T1033] System Owner/User Discovery – Use of quser to enumerate logged-on users. Quote: ‘”C:Windowssystem32quser.exe”‘
• [T1087.002] Account Discovery: Domain Account – Use of net.exe to query domain groups and setspn to find service accounts. Quote: ‘”C:Windowssystem32net.exe” group “domain computers” /do’ and ‘”C:Windowssystem32setspn.exe” -Q VeeamBackupSVC/*”‘