diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-59287/proc_creation_win_exploit_cve_2025_59287.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-59287/proc_creation_win_exploit_cve_2025_59287.yml
new file mode 100644
index 000000000..a959df688
--- /dev/null
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-59287/proc_creation_win_exploit_cve_2025_59287.yml
@@ -0,0 +1,38 @@
+title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
+id: 43259cc4-1b80-4931-bd98-baea01afc196
+status: experimental
+description: |
+ Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
+ This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
+references:
+ - https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
+ - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
+ - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
+author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-31
+tags:
+ - attack.execution
+ - attack.initial-access
+ - attack.t1190
+ - attack.t1203
+ - cve.2025-59287
+ - detection.emerging-threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent_wsusservice:
+ ParentImage|endswith: '\wsusservice.exe'
+ selection_parent_w3wp_wsuspool:
+ ParentImage|endswith: '\w3wp.exe'
+ ParentCommandLine|contains: 'WsusPool'
+ selection_child:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\powershell_ise.exe'
+ condition: 1 of selection_parent_* and selection_child
+falsepositives:
+ - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
+level: high
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-59287/win_wsus_exploit_cve_2025_59287.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-59287/win_wsus_exploit_cve_2025_59287.yml
new file mode 100644
index 000000000..c5a908bfa
--- /dev/null
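Review bot: The text under `description: |` undercounts what the detection actually matches: the child selection also fires on `\pwsh.exe` and `\powershell_ise.exe`, and the second parent selection covers `w3wp.exe` workers whose command line contains `WsusPool`, yet the description names only cmd.exe, powershell.exe and wsusservice.exe. Suggest rewording the first sentence to `Detects the creation of command-line interpreters (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe) as child processes of the WSUS service (wsusservice.exe) or of the WSUS IIS worker process (w3wp.exe running the WsusPool application pool).` The falsepositives entry proposes filtering on the `nt authority\network service` user context; if the WSUS service and its application pool run under that account, which is presumably the context an exploited process inherits, such a filter would suppress the true positives rather than the noise, so consider naming a different tuning dimension or dropping that example. Also, `attack.t1203` is Exploitation for Client Execution; for a server-side vulnerability reached over the network, `attack.t1190` alone seems the better fit, and the same tag choice appears in the second rule of this commit.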
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-59287/win_wsus_exploit_cve_2025_59287.yml
@@ -0,0 +1,37 @@
+title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
+id: e5f66e87-7d6b-404f-92fe-7aa67814b5cd
+status: experimental
+description: |
+ Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
+references:
+ - https://unit42.paloaltonetworks.com/cve-2025-59287/
+ - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
+ - https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
+ - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-31
+tags:
+ - attack.execution
+ - attack.initial-access
+ - attack.t1190
+ - attack.t1203
+ - cve.2025-59287
+ - detection.emerging-threats
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'Windows Server Update Services'
+ EventID: 7053
+ Data|contains|all:
+ # Indicators of untrusted deserialization exploitation attempts
+ # https://github.com/pwntester/ysoserial.net/issues/114
+ - 'System.InvalidCastException'
+ - 'System.Windows.Data.ObjectDataProvider'
+ - 'Unable to cast object of type'
+ - 'System.Windows.Media.Brush'
+ condition: selection
+falsepositives:
+ - Legitimate WSUS operations that may trigger similar error messages
+level: high
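Review bot: The Unit 42 reference here (`https://unit42.paloaltonetworks.com/cve-2025-59287/`) differs from the one cited in the sibling process-creation rule of this commit (`.../microsoft-cve-2025-59287/`); one of the two URLs is likely wrong, so verify which one resolves and use the same link in both rules. The `Data|contains|all` block requires all four strings, including `System.Windows.Data.ObjectDataProvider` and `System.Windows.Media.Brush`, which ties the rule to the specific gadget chain behind the referenced ysoserial.net issue, so a payload that still raises a cast exception in WSUS but through a different type would not match; either move the two gadget-specific strings into their own selection combined with `1 of`, or document the intent with a comment such as `# Gadget-specific strings from the public PoC; other payloads may produce a different cast exception`. The falsepositives entry `Legitimate WSUS operations that may trigger similar error messages` gives an analyst nothing to tune on; if the selection was checked against a healthy WSUS server's application log, say so, or name the condition under which EventID 7053 from this provider is seen in normal operation.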