Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process

calendar Nov 1, 2025 · attack.execution attack.initial-access attack.t1190 attack.t1203 cve.2025-59287 detection.emerging-threats  ·
Share on: linkedin copy

Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe. This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.

Sigma rule (View on GitHub)

 1title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
 2id: 43259cc4-1b80-4931-bd98-baea01afc196
 3status: experimental
 4description: |
 5    Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
 6    This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.    
 7references:
 8    - https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
 9    - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
10    - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
11author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
12date: 2025-10-31
13tags:
14    - attack.execution
15    - attack.initial-access
16    - attack.t1190
17    - attack.t1203
18    - cve.2025-59287
19    - detection.emerging-threats
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_parent_wsusservice:
25        ParentImage|endswith: '\wsusservice.exe'
26    selection_parent_w3wp_wsuspool:
27        ParentImage|endswith: '\w3wp.exe'
28        ParentCommandLine|contains: 'WsusPool'
29    selection_child:
30        Image|endswith:
31            - '\cmd.exe'
32            - '\powershell.exe'
33            - '\pwsh.exe'
34            - '\powershell_ise.exe'
35    condition: 1 of selection_parent_* and selection_child
36falsepositives:
37    - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
38level: high

References

Related rules

to-top