Detect Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) in IBM QRadar
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
username,
"ParentProcessName",
"ProcessName",
"CommandLine",
sourceip,
destinationip
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
("ParentProcessName" ILIKE '%w3wp.exe%' AND "CommandLine" ILIKE ANY ('%WsusPool%', '%WSUSContent%', '%ApiRemoting30%'))
OR "ParentProcessName" ILIKE '%wsusservice.exe%'
)
AND "ProcessName" ILIKE ANY (
'%cmd.exe%', '%powershell.exe%', '%wscript.exe%', '%cscript.exe%',
'%mshta.exe%', '%rundll32.exe%', '%regsvr32.exe%', '%certutil.exe%',
'%bitsadmin.exe%', '%whoami.exe%', '%nltest.exe%', '%net.exe%'
)
AND LOGSOURCEGROUPNAME(logsourcegroupid) = 'Windows'
LAST 7 DAYS
ORDER BY starttime DESCQRadar AQL query identifying suspicious process execution chains originating from WSUS IIS worker or service processes, consistent with deserialization exploitation.
Data Sources
Required Tables
False Positives & Tuning
- WSUS maintenance scripts legitimately spawning PowerShell or cmd.exe
- Authorized administrative activity under the WSUS application pool
- Patch management integrations that use command-line utilities under WSUS context
- Security scanning solutions operating under WSUS service credentials
Other platforms for CVE-2025-59287
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WSUS Deserialization Child Process Execution
Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.
- Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request
Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.
- Test 3Post-Exploitation WSUS Lateral Movement Simulation
Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.
- Test 4Certutil Download Cradle from WSUS Context
Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.
Unlock Pro Content
Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.