Merge PR #5731 from @swachchhanda000 - Add rules for CVE-2025-59287

new: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process new: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization --------- Signed-off-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali
2025-11-02 05:05:51 +05:45
parent 941f2e9df4
commit b65441821c
2 changed files with 75 additions and 0 deletions
@@ -0,0 +1,38 @@
+title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
+id: 43259cc4-1b80-4931-bd98-baea01afc196
+status: experimental
+description: |
+    Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
+    This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
+references:
+    - https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
+    - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
+    - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
+author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-31
+tags:
+    - attack.execution
+    - attack.initial-access
+    - attack.t1190
+    - attack.t1203
+    - cve.2025-59287
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent_wsusservice:
+        ParentImage|endswith: '\wsusservice.exe'
+    selection_parent_w3wp_wsuspool:
+        ParentImage|endswith: '\w3wp.exe'
+        ParentCommandLine|contains: 'WsusPool'
+    selection_child:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\powershell_ise.exe'
+    condition: 1 of selection_parent_* and selection_child
+falsepositives:
+    - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
+level: high
@@ -0,0 +1,37 @@
+title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
+id: e5f66e87-7d6b-404f-92fe-7aa67814b5cd
+status: experimental
+description: |
+    Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
+references:
+    - https://unit42.paloaltonetworks.com/cve-2025-59287/
+    - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
+    - https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
+    - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-31
+tags:
+    - attack.execution
+    - attack.initial-access
+    - attack.t1190
+    - attack.t1203
+    - cve.2025-59287
+    - detection.emerging-threats
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Provider_Name: 'Windows Server Update Services'
+        EventID: 7053
+        Data|contains|all:
+           # Indicators of untrusted deserialization exploitation attempts
+           # https://github.com/pwntester/ysoserial.net/issues/114
+            - 'System.InvalidCastException'
+            - 'System.Windows.Data.ObjectDataProvider'
+            - 'Unable to cast object of type'
+            - 'System.Windows.Media.Brush'
+    condition: selection
+falsepositives:
+    - Legitimate WSUS operations that may trigger similar error messages
+level: high