CVE-2025-62221 CrowdStrike LogScale · LogScale

Detect CVE-2025-62221 Microsoft Windows Use After Free Exploitation in CrowdStrike LogScale

Detects exploitation attempts of CVE-2025-62221, a use-after-free vulnerability in Microsoft Windows. This class of memory corruption flaw allows attackers to execute arbitrary code by manipulating freed memory objects. As a CISA KEV entry, active exploitation in the wild has been confirmed. Detection focuses on anomalous process behavior, kernel-mode memory corruption indicators, crash telemetry, and privilege escalation patterns consistent with UAF exploitation chains.

MITRE ATT&CK

Tactic
Privilege Escalation Execution

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ParentBaseFileName in ("lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe")
| ImageFileName not in ("lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe", "conhost.exe", "WerFault.exe", "wermgr.exe")
| TokenIsElevated = "1"
| table _time, ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, IntegrityLevel, TokenIsElevated
| eval cve = "CVE-2025-62221"
| sort - _time
| limit 500
critical severity medium confidence

CrowdStrike Falcon query detecting elevated token processes launched from critical Windows system process parents, a key indicator of CVE-2025-62221 use-after-free exploitation leading to privilege escalation.

Data Sources

CrowdStrike Falcon EDR

Required Tables

ProcessRollup2

False Positives & Tuning

  • CrowdStrike sensor itself or other security agents launching elevated processes from system parents
  • Windows system updates and servicing stack operations spawning elevated processes from service parents
  • Legitimate administrative utilities like PsExec or remote management tools run in elevated context

Other platforms for CVE-2025-62221

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate UAF-style anomalous child process from lsass.exe parent (lab only)

    Expected signal: Sysmon Event ID 1 with ParentImage pointing to lsass.exe and Image of cmd.exe; Windows Security EventID 4688 with anomalous parent-child relationship

  2. Test 2WER crash trigger on system process to simulate pre-exploit crash artifacts

    Expected signal: Windows Event ID 1000 (Application Error) and 1001 (Windows Error Reporting) in Application event log; WER report created in %LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue

  3. Test 3Elevated token process launch from spoofed system parent context

    Expected signal: Sysmon Event ID 1 showing cmd.exe with IntegrityLevel=System spawned by psexec service; Windows Security EventID 4688 with elevated token; EventID 4672 (special privileges assigned to new logon)

  4. Test 4Heap spray pattern simulation via PowerShell memory allocation

    Expected signal: PowerShell Script Block Logging (EventID 4104) capturing the allocation loop; potential AMSI or Defender behavioral alert on large sequential memory allocation patterns

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-62221 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0002Execution

Related Techniques

T1068Exploitation for Privilege EscalationT1203Exploitation for Client ExecutionT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections