WSUS Is SUS: NTLM Relay Attacks in Plain Sight
ID: bd75961d-6a98-5a52-b3c6-6b48e4c7c7ef
STIX ID: report--bd75961d-6a98-5a52-b3c6-6b48e4c7c7ef
Feed Name: TrustedSec blog
This report demonstrates how WSUS traffic (default ports 8530/8531) can be intercepted on a local network to capture machine and user NTLM hashes and enable NTLM relay attacks; it covers unauthenticated and authenticated enumeration, HTTP exploitation via ARP/DNS spoofing and ntlmrelayx, HTTPS interception by abusing AD CS templates to obtain trusted certificates, and defensive mitigations including HTTPS, AD CS hardening, and SMB/LDAP signing.
