Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe. This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_parent_wsusservice:
ParentImage|endswith: '\wsusservice.exe'
selection_parent_w3wp_wsuspool:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: 'WsusPool'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
condition: 1 of selection_parent_* and selection_childIf this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
Other