CVE-2025-59374 Microsoft Sentinel · KQL

Detect ASUS Live Update Embedded Malicious Code (CVE-2025-59374) in Microsoft Sentinel

Detects indicators of compromise related to CVE-2025-59374, a supply chain attack where ASUS Live Update software contained embedded malicious code (CWE-506). This mirrors the ShadowHammer operation pattern where threat actors compromised the ASUS software update infrastructure to deliver backdoored updates to endpoints. Detection focuses on suspicious child processes spawned by ASUS Live Update, anomalous network connections, and staging activity consistent with backdoor execution.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence, Lateral Movement, Command and Control

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// Process names associated with ASUS Live Update
let AsusUpdateProcs = dynamic(['LivaUpdate.exe', 'LiveUpdate.exe', 'ASUS Live Update.exe', 'AsusLiveUpdate.exe']);
// Interpreters, LOLBins and admin tools that a software updater has little reason to launch
let SuspiciousChildProcs = dynamic(['cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'wmic.exe', 'net.exe', 'net1.exe', 'schtasks.exe', 'at.exe', 'sc.exe']);
DeviceProcessEvents
| where TimeGenerated >= ago(30d)
// Events where an ASUS updater is either the parent or the created process
| where InitiatingProcessFileName in~ (AsusUpdateProcs)
   or FileName in~ (AsusUpdateProcs)
// Keep known-suspicious children, plus any non-ASUS process spawned by the updater
| where FileName in~ (SuspiciousChildProcs)
   or (InitiatingProcessFileName in~ (AsusUpdateProcs) and not(FileName in~ (AsusUpdateProcs)))
| project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, SHA256
| union (
    // Outbound connections from the updater on common web and C2 ports
    DeviceNetworkEvents
    | where TimeGenerated >= ago(30d)
    | where InitiatingProcessFileName in~ (AsusUpdateProcs)
    | where RemotePort in (80, 443, 4444, 8080, 8443, 1337)
    | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, LocalIP
)
| order by TimeGenerated desc
```

Severity: critical. Confidence: high.

Detects suspicious child process spawning and anomalous network connections originating from ASUS Live Update binaries, indicative of embedded malicious code execution per CVE-2025-59374.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel DeviceProcessEvents
  • Microsoft Sentinel DeviceNetworkEvents

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents

False Positives & Tuning

  • Legitimate ASUS Live Update performing routine software updates may spawn child installer processes
  • ASUS diagnostic tools launched from within the update framework
  • Administrator-initiated update tasks that invoke cmd.exe or powershell.exe for scripted installs


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate ASUS Live Update Spawning CMD Child Process

    Expected signal: Sysmon Event ID 1 showing LiveUpdate.exe as parent of cmd.exe; DeviceProcessEvents in MDE showing the parent-child relationship with command-line arguments

  2. Test 2: Simulate ASUS Live Update Network Beacon

    Expected signal: Sysmon Event ID 3 or DeviceNetworkEvents showing LiveUpdate.exe initiating outbound HTTP connection to external IP; DNS query logs for associated domain lookups

  3. Test 3: Simulate ASUS Live Update Dropping Payload to Temp

    Expected signal: Sysmon Event ID 11 (FileCreate) showing executable written to TEMP directory; DeviceFileEvents in MDE capturing the file drop with SHA256 hash
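The Test 3 signal (an executable written to a temp directory) is not covered by the main detection query, which reads only DeviceProcessEvents and DeviceNetworkEvents. The following hunting query is an added example, not part of the original detection package; it assumes the DeviceFileEvents table as ingested from the Microsoft Defender for Endpoint connector, and its staging-path terms and extension list are assumptions to tune per environment.

```kusto
// Added example (not the original detection): surface executable artifacts that
// ASUS Live Update processes write to staging locations, matching the Test 3 signal.
// Assumes DeviceFileEvents as delivered by the Microsoft Defender for Endpoint connector.
let AsusUpdateProcs = dynamic(['LivaUpdate.exe', 'LiveUpdate.exe', 'ASUS Live Update.exe', 'AsusLiveUpdate.exe']);
// File types that can execute or be side-loaded (assumption; extend for your environment)
let ExecutableExts = dynamic(['exe', 'dll', 'ps1', 'vbs', 'js', 'hta', 'scr', 'bat', 'cmd']);
// Path terms typical of staging directories (assumption; tune per environment)
let StagingPathTerms = dynamic(['Temp', 'Tmp', 'ProgramData', 'Public']);
DeviceFileEvents
| where TimeGenerated >= ago(30d)
| where ActionType in ('FileCreated', 'FileModified', 'FileRenamed')
| where InitiatingProcessFileName in~ (AsusUpdateProcs)
| where FolderPath has_any (StagingPathTerms)
// Pull the extension from the file name and keep only executable types
| extend Ext = tolower(extract(@'\.([^.]+)$', 1, FileName))
| where Ext in (ExecutableExts)
// One row per distinct artifact per device, so repeated writes do not flood the result;
// SHA256 is kept so an analyst can pivot to DeviceProcessEvents for later execution
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            WriteCount = count(), Paths = make_set(FolderPath, 10)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, SHA256
| order by FirstSeen desc
```

Legitimate update installers also write to these paths, so join the SHA256 values against known ASUS signer or hash allowlists before escalating.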

Last updated: 2026-06-19 Research depth: standard