Detect Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) in Google Chronicle
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
YARA-L Detection Query
rule wsus_deserialization_cve_2025_59287 {
meta:
author = "df00tech Detection Engineering"
description = "Detects exploitation of CVE-2025-59287: WSUS deserialization spawning suspicious child processes"
severity = "CRITICAL"
yara_version = "YL2.0"
rule_version = "1.0"
reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59287"
events:
$parent.metadata.event_type = "PROCESS_LAUNCH"
$parent.principal.process.file.full_path = /(?i)(w3wp\.exe|wsusservice\.exe)/
(
$parent.principal.process.command_line = /(?i)(WsusPool|WSUSContent|ApiRemoting30)/
or $parent.principal.process.file.full_path = /(?i)wsusservice\.exe/
)
$child.metadata.event_type = "PROCESS_LAUNCH"
$child.principal.process.parent_process.file.full_path = $parent.principal.process.file.full_path
$child.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|whoami\.exe|nltest\.exe|net\.exe|net1\.exe)/
$parent.metadata.event_timestamp.seconds <= $child.metadata.event_timestamp.seconds
$child.metadata.event_timestamp.seconds <= $parent.metadata.event_timestamp.seconds + 120
condition:
$parent and $child
}Chronicle YARA-L rule detecting WSUS deserialization exploitation via suspicious child process chains, correlated within a 2-minute window.
Data Sources
Required Tables
False Positives & Tuning
- Authorized WSUS maintenance PowerShell scripts
- Legitimate administrative use of cmd.exe under WSUS application pool identity
- Patch management tooling that invokes net.exe or other utilities via WSUS
- Security scanners assessing WSUS configuration through command-line tools
Other platforms for CVE-2025-59287
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WSUS Deserialization Child Process Execution
Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.
- Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request
Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.
- Test 3Post-Exploitation WSUS Lateral Movement Simulation
Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.
- Test 4Certutil Download Cradle from WSUS Context
Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.
Unlock Pro Content
Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.