Detect Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) in Elastic Security
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=2m
[process where event.type == "start"
and (process.parent.name : ("w3wp.exe", "wsusservice.exe")
and process.parent.command_line : ("*WsusPool*", "*WSUSContent*", "*ApiRemoting30*"))
] by process.parent.entity_id
[process where event.type == "start"
and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"bitsadmin.exe", "whoami.exe", "nltest.exe", "net.exe", "net1.exe")
] by process.parent.entity_idUses EQL sequence to detect a WSUS worker process followed by a suspicious child process within a 2-minute window, strongly indicating successful deserialization exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative activity using PowerShell under WSUS context
- Authorized WSUS health monitoring scripts that spawn child processes
- Security tooling or EDR performing process inspection under WSUS identity
- Custom patch orchestration tools invoking utilities via WSUS service context
Other platforms for CVE-2025-59287
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WSUS Deserialization Child Process Execution
Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.
- Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request
Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.
- Test 3Post-Exploitation WSUS Lateral Movement Simulation
Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.
- Test 4Certutil Download Cradle from WSUS Context
Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.
Unlock Pro Content
Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.