CVE-2025-59287 Microsoft Sentinel · KQL

Detect Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) in Microsoft Sentinel

Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let wsus_processes = dynamic(["WsusPool", "UpdateServicesDbHandler", "wsusservice.exe", "W3wp.exe"]);
let suspicious_children = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "net.exe", "net1.exe", "whoami.exe", "nltest.exe"]);
union
(
    DeviceProcessEvents
    | where TimeGenerated >= ago(7d)
    | where InitiatingProcessFileName =~ "w3wp.exe"
    | where InitiatingProcessCommandLine has_any ("WsusPool", "WSUSContent", "ApiRemoting30")
    | where FileName in~ (suspicious_children)
    | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
    | extend DetectionSource = "WSUS_W3WP_SuspiciousChild"
),
(
    DeviceNetworkEvents
    | where TimeGenerated >= ago(7d)
    | where InitiatingProcessFileName =~ "wsusservice.exe" or InitiatingProcessFileName =~ "w3wp.exe"
    | where RemotePort !in (80, 443, 8530, 8531)
    | where RemoteIPType == "Public"
    | project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
    | extend DetectionSource = "WSUS_UnexpectedOutboundNetwork"
),
(
    SecurityEvent
    | where TimeGenerated >= ago(7d)
    | where EventID in (4688, 4648)
    | where ParentProcessName has_any (wsus_processes)
    | where NewProcessName has_any (suspicious_children)
    | project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
    | extend DetectionSource = "WSUS_SuspiciousChildProcess"
)
| sort by TimeGenerated desc
critical severity high confidence

Detects suspicious child processes spawned from WSUS IIS application pool (w3wp.exe with WsusPool identity) or wsusservice.exe, indicative of successful deserialization exploitation. Also monitors for unexpected outbound network connections from WSUS processes.

Data Sources

Microsoft Defender for EndpointMicrosoft SentinelWindows Security EventsDeviceProcessEventsDeviceNetworkEvents

Required Tables

DeviceProcessEventsDeviceNetworkEventsSecurityEvent

False Positives & Tuning

  • Legitimate WSUS administrative scripts or maintenance tasks spawning cmd.exe or powershell.exe
  • Patch management tooling that invokes command-line utilities under the WSUS application pool identity
  • Security scanning tools that enumerate WSUS configuration via command-line utilities
  • Authorized penetration testing activities targeting WSUS infrastructure

Other platforms for CVE-2025-59287

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate WSUS Deserialization Child Process Execution

    Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.

  2. Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request

    Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.

  3. Test 3Post-Exploitation WSUS Lateral Movement Simulation

    Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.

  4. Test 4Certutil Download Cradle from WSUS Context

    Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.001PowerShellT1210Exploitation of Remote ServicesT1072Software Deployment Tools

Same Tactic: Initial Access

Popular Detections