From 6a970925af3cba1376e64d7ab674a9d207c0e816 Mon Sep 17 00:00:00 2001 From: QU35T-code Date: Fri, 26 Sep 2025 11:04:21 +0200 Subject: [PATCH] Add WSUS enum doc --- SUMMARY.md | 1 + winrm-protocol/wsus-configuration-enumeration.md | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 winrm-protocol/wsus-configuration-enumeration.md diff --git a/SUMMARY.md b/SUMMARY.md index 1f0a63a..5819cf9 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -131,6 +131,7 @@ * [Authentication](winrm-protocol/authentication.md) * [Command Execution](winrm-protocol/command-execution.md) * [Defeating LAPS](winrm-protocol/defeating-laps.md) +* [WSUS Configuration Enumeration](winrm-protocol/wsus-configuration-enumeration.md) ## MSSQL protocol diff --git a/winrm-protocol/wsus-configuration-enumeration.md b/winrm-protocol/wsus-configuration-enumeration.md new file mode 100644 index 0000000..23d9f9d --- /dev/null +++ b/winrm-protocol/wsus-configuration-enumeration.md @@ -0,0 +1,15 @@ +# WSUS Configuration Enumeration + +This module (`wsus_enum`) enumerates a host's **Windows Update configuration** to determine whether it is configured to use a **WSUS server** and whether that configuration is vulnerable to **WSUS spoofing**. + +`wsus_enum` collects the relevant Windows Update settings (**registry values**) and evaluates whether the machine is enforcing a WSUS server. The module reports the configured `WUServer / WUStatusServer` values as well as flags such as `UseWUServer`, `NoAutoUpdate` and `AUOptions`. + +```bash +nxc winrm -u user -p pass -M wsus_enum +``` + +If WinRM is not available, you can run the module over SMB (**requires administrative privileges**): + +```bash +nxc smb -u user -p pass -M wsus_enum +```
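Review bot: the new SUMMARY.md entry is placed only among the `winrm-protocol/` pages, while the page it links to says the module can also be run over SMB with administrative privileges. Consider adding a cross-reference from the SMB part of the summary as well, so readers who only have SMB access can find it.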
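Review bot: both example commands in wsus-configuration-enumeration.md (`nxc winrm -u user -p pass -M wsus_enum` and the `nxc smb` variant) have no target argument between the protocol and `-u`, so they do not run as written; add a target placeholder to each. The second paragraph also says the module evaluates whether the configuration is vulnerable to WSUS spoofing without stating which condition produces that verdict. One sentence naming the check, plus a short sample of the module output, would let readers interpret the result and see which setting needs correcting. Minor: `WUServer / WUStatusServer` puts two separate registry values in one code span; split it into two.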