Rule Library
Sigma Rules
146 rules found for "attack.T1190"
3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threathighexperimental
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe. This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
WindowsProcess Creation
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationT1203 · Exploitation for Client Execution+2
Huntress Labs+1Fri Oct 312025
Emerging Threathighexperimental
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
Windowsapplication
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationT1203 · Exploitation for Client Execution+2
Swachchhanda Shrawan Poudel (Nextron Systems)Fri Oct 312025