Which SIEM platforms have a CVE-2025-59374 detection rule?

df00tech provides CVE-2025-59374 (ASUS Live Update Embedded Malicious Code (CVE-2025-59374)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect ASUS Live Update Embedded Malicious Code (CVE-2025-59374) (CVE-2025-59374)?

Detecting ASUS Live Update Embedded Malicious Code (CVE-2025-59374) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Microsoft Sentinel DeviceNetworkEvents.

What severity and confidence is the CVE-2025-59374 detection?

The CVE-2025-59374 detection is rated critical severity with high confidence.

What are common false positives for CVE-2025-59374?

Common false positives for CVE-2025-59374 include: Legitimate ASUS Live Update performing routine software updates may spawn child installer processes; ASUS diagnostic tools launched from within the update framework; Administrator-initiated update tasks that invoke cmd.exe or powershell.exe for scripted installs.

CVE-2025-59374 Splunk · SPL

Detect ASUS Live Update Embedded Malicious Code (CVE-2025-59374) in Splunk

Detects indicators of compromise related to CVE-2025-59374, a supply chain attack where ASUS Live Update software contained embedded malicious code (CWE-506). This mirrors the ShadowHammer operation pattern where threat actors compromised the ASUS software update infrastructure to deliver backdoored updates to endpoints. Detection focuses on suspicious child processes spawned by ASUS Live Update, anomalous network connections, and staging activity consistent with backdoor execution.

MITRE ATT&CK

Tactic: Initial Access Execution Persistence Lateral Movement Command and Control

SPL Detection Query

Splunk (SPL)

spl

index=* sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "crowdstrike:events:sensor")
(EventCode=1 OR event_simpleName=ProcessRollup2)
| eval parent=coalesce(ParentImage, parent_process_name)
| eval child=coalesce(Image, process_name)
| where match(parent, "(?i)(LiveUpdate|LivaUpdate|AsusLiveUpdate)")
| eval is_suspicious_child=if(match(child, "(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|schtasks\.exe|sc\.exe)"), 1, 0)
| eval is_network_conn=if(EventCode=3 OR event_simpleName="NetworkConnectIP4", 1, 0)
| search is_suspicious_child=1 OR is_network_conn=1
| table _time, host, user, parent, child, CommandLine, ParentCommandLine, DestinationIp, DestinationPort, Hashes
| sort - _time

critical severity high confidence

Splunk search detecting ASUS Live Update spawning suspicious child processes or establishing unexpected network connections, consistent with CVE-2025-59374 supply chain backdoor activity.

Data Sources

SysmonCrowdStrike FalconWindows Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Microsoft-Windows-Sysmon/Operationalcrowdstrike:events:sensor

False Positives & Tuning

Legitimate ASUS update processes that invoke system utilities as part of patch installation
IT administrators running scripts from ASUS update directories during maintenance windows
Antivirus or EDR scanning ASUS update binaries triggering process events

Other platforms for CVE-2025-59374

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate ASUS Live Update Spawning CMD Child Process
Expected signal: Sysmon Event ID 1 showing LiveUpdate.exe as parent of cmd.exe; DeviceProcessEvents in MDE showing the parent-child relationship with command-line arguments
Test 2Simulate ASUS Live Update Network Beacon
Expected signal: Sysmon Event ID 3 or DeviceNetworkEvents showing LiveUpdate.exe initiating outbound HTTP connection to external IP; DNS query logs for associated domain lookups
Test 3Simulate ASUS Live Update Dropping Payload to Temp
Expected signal: Sysmon Event ID 11 (FileCreate) showing executable written to TEMP directory; DeviceFileEvents in MDE capturing the file drop with SHA256 hash

Last updated: 2026-06-19 Research depth: standard

References (2)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2025-59374 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect ASUS Live Update Embedded Malicious Code (CVE-2025-59374) in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for CVE-2025-59374

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for CVE-2025-59374

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox