
Commit 8c9fed3

committed
Improve README
1 parent 13ff780 commit 8c9fed3

1 file changed

Lines changed: 2 additions & 3 deletions


README.md

@@ -3,12 +3,11 @@
33
# wsuks
44
_Automating the WSUS Attack_
55

6-
Gaining local administrative access to a Windows machine that is part of a domain is typically the first step in gaining domain admin privileges during a penetration test. In many cases, the Windows Server Update Service (WSUS) is configured to deploy updates to clients over the local network using HTTP. Without the security of HTTPS, an attacker can mount a machine-in-the-middle attack to serve an update to the client, which will then execute with SYSTEM privileges. Any Microsoft signed executable can be served as an update, including a custom command with which the executable is executed. Should an attacker be able to obtain a TLS-certificate for the WSUS server, the attack can be performed over HTTPS as well (see [ESC17](https://github.com/NeffIsBack/esc17-wiki/blob/master/06-%E2%80%90-Privilege-Escalation.md#esc17-enrollee-supplied-subject-for-server-authentication) and our [blog post](https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/)).
6+
Gaining local administrative access to a domain-joined Windows machine is typically the first step during a penetration test. In many cases, the Windows Server Update Service (WSUS) is configured to deploy updates to clients over the local network using HTTP. Without the security of HTTPS, an attacker can mount a machine-in-the-middle attack to serve an update to the client, which will then execute with SYSTEM privileges. Any Microsoft signed executable can be served as an update, including a custom command with which the executable is executed. Should an attacker be able to obtain a TLS-certificate for the WSUS server, this technique can also be performed over HTTPS (see [ESC17](https://github.com/NeffIsBack/esc17-wiki/blob/master/06-%E2%80%90-Privilege-Escalation.md#esc17-enrollee-supplied-subject-for-server-authentication) and our [blog post](https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/)).
77

8-
To automatically exploit the WSUS attack, this tool spoofs the IP address of the WSUS server on the network using ARP, and when the client requests Windows updates, it serves PsExec64.exe with a predefined PowerShell script to gain local admin privileges. Both the executable file that is served (default: PsExec64.exe) and the command that is executed can be changed if required.\
8+
To automatically exploit the WSUS attack, this tool spoofs the IP address of the WSUS server on the network using ARP, and when the targeted client requests Windows updates, it serves PsExec64.exe with a predefined PowerShell script to gain local admin privileges. Both the executable file that is served (default: PsExec64.exe) and the command that is executed can be changed if required.\
99
By default, a Windows client will check for updates approximately every 24 hours.
1010

11-
1211
Prerequisits:
1312
- The target client must be on the local network
1413
- The Windows Server Update Service (WSUS) must be configured using HTTP or [ESC17](https://github.com/NeffIsBack/esc17-wiki/blob/master/06-%E2%80%90-Privilege-Escalation.md#esc17-enrollee-supplied-subject-for-server-authentication) must be present
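Review bot: the rewritten first sentence of the new line 6 drops the object of "first step": "typically the first step during a penetration test" no longer says what it is a step toward, whereas the removed version said "the first step in gaining domain admin privileges". Suggest keeping that purpose, e.g. "is typically the first step toward domain admin privileges during a penetration test." While this README is being touched, the unchanged context line 12 still reads "Prerequisits:" (should be "Prerequisites:"), and the same paragraph has "Microsoft signed executable" and "TLS-certificate", which would read better as "Microsoft-signed executable" and "TLS certificate"; all three could be folded into this commit so the README edit is complete in one change.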
