CVE-2025-59374

ASUS Live Update Embedded Malicious Code (CVE-2025-59374)

Detects indicators of compromise related to CVE-2025-59374, a supply chain attack where ASUS Live Update software contained embedded malicious code (CWE-506). This mirrors the ShadowHammer operation pattern where threat actors compromised the ASUS software update infrastructure to deliver backdoored updates to endpoints. Detection focuses on suspicious child processes spawned by ASUS Live Update, anomalous network connections, and staging activity consistent with backdoor execution.

Vulnerability Intelligence

KEV: Known Exploited
Affected software: ASUS Live Update (vendor: ASUS; product: Live Update)
Weakness (CWE): CWE-506 (Embedded Malicious Code)
Disclosed: December 17, 2025
CVSS: Unscored (write-up coming soon)

What is CVE-2025-59374 (ASUS Live Update Embedded Malicious Code)?

CVE-2025-59374 (ASUS Live Update Embedded Malicious Code) maps to the MITRE ATT&CK tactics Initial Access, Execution, Persistence, Lateral Movement and Command and Control. The leading tactic is Initial Access: the adversary is trying to get into your network, here by riding a trusted vendor update channel.

This page provides production-ready detection logic for ASUS Live Update Embedded Malicious Code (CVE-2025-59374), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Microsoft Sentinel DeviceNetworkEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence, Lateral Movement, Command and Control
Microsoft Sentinel / Defender (KQL)

// Process names the ASUS Live Update client has shipped under; in~ below matches case-insensitively.
let AsusUpdateProcs = dynamic(['LivaUpdate.exe', 'LiveUpdate.exe', 'ASUS Live Update.exe', 'AsusLiveUpdate.exe']);
// Interpreters and living-off-the-land binaries an updater has no business launching.
let SuspiciousChildProcs = dynamic(['cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'wmic.exe', 'net.exe', 'net1.exe', 'schtasks.exe', 'at.exe', 'sc.exe']);
DeviceProcessEvents
| where TimeGenerated >= ago(30d)
// Parent must be an ASUS Live Update binary ...
| where InitiatingProcessFileName in~ (AsusUpdateProcs)
// ... and the child is either a known-suspicious binary or anything other than the updater itself.
// The second clause is deliberately broad: it also catches legitimate installers (see False Positives).
| where FileName in~ (SuspiciousChildProcs)
   or not(FileName in~ (AsusUpdateProcs))
| project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, SHA256
| union (
    // Outbound connections from the updater on common web and beacon ports.
    DeviceNetworkEvents
    | where TimeGenerated >= ago(30d)
    | where InitiatingProcessFileName in~ (AsusUpdateProcs)
    | where RemotePort in (80, 443, 4444, 8080, 8443, 1337)
    | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, LocalIP
)
| order by TimeGenerated desc

Detects suspicious child process spawning and anomalous network connections originating from ASUS Live Update binaries, indicative of embedded malicious code execution per CVE-2025-59374.

Severity: critical. Confidence: high.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel DeviceProcessEvents
  • Microsoft Sentinel DeviceNetworkEvents

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents

False Positives

  • Legitimate ASUS Live Update performing routine software updates may spawn child installer processes
  • ASUS diagnostic tools launched from within the update framework
  • Administrator-initiated update tasks that invoke cmd.exe or powershell.exe for scripted installs
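As an added example (not code from the original page or from ASUS), the Python below re-implements the KQL logic above over constructed rows shaped like DeviceProcessEvents and DeviceNetworkEvents, and adds a tuning hook for the installer-child false positives listed above. The process names and ports come from the query; the sample events (hostnames, the 203.0.113.x addresses, the AsusSetup.exe installer name) are constructed assumptions for the demo. The design point is that the allowlist can only quiet the broad "any non-updater child" clause, never the interpreter and LOLBin list.

```python
from typing import Iterable, Optional

# Process names the page's KQL treats as the ASUS Live Update client (matched case-insensitively).
ASUS_UPDATE_PROCS = {"livaupdate.exe", "liveupdate.exe", "asus live update.exe", "asusliveupdate.exe"}

# Interpreters and living-off-the-land binaries an updater should never launch.
SUSPICIOUS_CHILD_PROCS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe",
    "net.exe", "net1.exe", "schtasks.exe", "at.exe", "sc.exe",
}

# Remote ports the page's network branch alerts on.
SUSPICIOUS_PORTS = {80, 443, 4444, 8080, 8443, 1337}


def _norm(name: Optional[str]) -> str:
    """Lower-case for comparison, mirroring KQL's case-insensitive in~ operator."""
    return (name or "").lower()


def match_process_event(ev: dict, allowlist: Iterable[str] = ()) -> Optional[str]:
    """Return a reason if a DeviceProcessEvents-shaped row should alert, else None.

    Parent must be an ASUS Live Update binary and the child must be either a
    known-suspicious binary or anything other than the updater itself. `allowlist`
    (hypothetical tuning hook) may suppress vetted installer children only; it never
    suppresses the suspicious-binary list.
    """
    parent = _norm(ev.get("InitiatingProcessFileName"))
    child = _norm(ev.get("FileName"))
    if parent not in ASUS_UPDATE_PROCS or child in ASUS_UPDATE_PROCS:
        return None
    if child in SUSPICIOUS_CHILD_PROCS:
        return "suspicious_child"
    if child in {_norm(a) for a in allowlist}:
        return None
    return "unexpected_child"


def match_network_event(ev: dict) -> Optional[str]:
    """Return a reason if a DeviceNetworkEvents-shaped row should alert, else None."""
    if _norm(ev.get("InitiatingProcessFileName")) not in ASUS_UPDATE_PROCS:
        return None
    if ev.get("RemotePort") in SUSPICIOUS_PORTS:
        return "updater_outbound_on_watched_port"
    return None


def run_detection(process_events, network_events, allowlist=()):
    """Union of both branches, newest first (the KQL's `order by TimeGenerated desc`)."""
    hits = []
    for ev in process_events:
        reason = match_process_event(ev, allowlist)
        if reason:
            hits.append({"table": "DeviceProcessEvents", "TimeGenerated": ev["TimeGenerated"],
                         "DeviceName": ev.get("DeviceName"), "reason": reason,
                         "detail": f'{ev.get("InitiatingProcessFileName")} -> {ev.get("FileName")}'})
    for ev in network_events:
        reason = match_network_event(ev)
        if reason:
            hits.append({"table": "DeviceNetworkEvents", "TimeGenerated": ev["TimeGenerated"],
                         "DeviceName": ev.get("DeviceName"), "reason": reason,
                         "detail": f'{ev.get("InitiatingProcessFileName")} -> {ev.get("RemoteIP")}:{ev.get("RemotePort")}'})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample telemetry (not real incident data). ISO-8601 timestamps sort lexically.
SAMPLE_PROCESS_EVENTS = [
    {"TimeGenerated": "2025-12-18T10:00:00Z", "DeviceName": "ws-01",
     "InitiatingProcessFileName": "LiveUpdate.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c ver"},                                        # Test 1 pattern: alerts
    {"TimeGenerated": "2025-12-18T10:00:02Z", "DeviceName": "ws-01",
     "InitiatingProcessFileName": "LiveUpdate.exe", "FileName": "AsusSetup.exe",
     "ProcessCommandLine": "AsusSetup.exe /silent"},                                 # hypothetical vetted installer
    {"TimeGenerated": "2025-12-18T10:00:03Z", "DeviceName": "ws-01",
     "InitiatingProcessFileName": "LiveUpdate.exe", "FileName": "LiveUpdate.exe"},   # updater restarting itself
    {"TimeGenerated": "2025-12-18T10:00:04Z", "DeviceName": "ws-02",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe"},            # unrelated parent
]
SAMPLE_NETWORK_EVENTS = [
    {"TimeGenerated": "2025-12-18T10:00:05Z", "DeviceName": "ws-01",
     "InitiatingProcessFileName": "liveupdate.exe", "RemoteIP": "203.0.113.10", "RemotePort": 4444},  # alerts
    {"TimeGenerated": "2025-12-18T10:00:06Z", "DeviceName": "ws-01",
     "InitiatingProcessFileName": "liveupdate.exe", "RemoteIP": "203.0.113.53", "RemotePort": 53},    # port not watched
    {"TimeGenerated": "2025-12-18T10:00:07Z", "DeviceName": "ws-02",
     "InitiatingProcessFileName": "chrome.exe", "RemoteIP": "203.0.113.10", "RemotePort": 443},      # unrelated parent
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS, allowlist={"AsusSetup.exe"}):
        print(hit["TimeGenerated"], hit["table"], hit["reason"], hit["detail"])
```

Run without an allowlist and the installer row fires as `unexpected_child`, which is exactly the noise the False Positives section describes; with `AsusSetup.exe` allowlisted only the cmd.exe child and the port-4444 connection remain. Allowlisting `cmd.exe` has no effect, because the suspicious-binary clause is checked before the allowlist is consulted.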

Sigma rule & cross-platform mapping

The detection logic for ASUS Live Update Embedded Malicious Code (CVE-2025-59374) above is provided in vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Last updated: 2026-06-19. Research depth: standard.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate ASUS Live Update Spawning CMD Child Process

    Expected signal: Sysmon Event ID 1 showing LiveUpdate.exe as the parent of cmd.exe; DeviceProcessEvents in MDE showing the parent-child relationship with command-line arguments

  2. Test 2: Simulate ASUS Live Update Network Beacon

    Expected signal: Sysmon Event ID 3 or DeviceNetworkEvents showing LiveUpdate.exe initiating an outbound HTTP connection to an external IP; DNS query logs for the associated domain lookups

  3. Test 3: Simulate ASUS Live Update Dropping Payload to Temp

    Expected signal: Sysmon Event ID 11 (FileCreate) showing an executable written to the TEMP directory; DeviceFileEvents in MDE capturing the file drop with its SHA256 hash
