WSUSpect in Custody: CVE-2025-59287 (#3743)

* WSUSpect in Custody: CVE-2025-59287

* WSUS and Updates

* :jt_stare:

* Update windows_wsus_spawning_shell.yml

* Update w3wp_spawning_shell.yml

* deprecate rules and map analytic stories

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>

Author: MHaggis

…s/endpoint/linux_java_spawning_shell.yml …deprecated/linux_java_spawning_shell.ymldetections/endpoint/linux_java_spawning_shell.yml renamed to detections/deprecated/linux_java_spawning_shell.yml detections/endpoint/linux_java_spawning_shell.yml renamed to detections/deprecated/linux_java_spawning_shell.yml

@@ -1,9 +1,9 @@
 name: Linux Java Spawning Shell
 id: 7b09db8a-5c20-11ec-9945-acde48001122
-version: 9
-date: '2025-10-07'
+version: 10
+date: '2025-10-25'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects instances where Java, or Tomcat
   processes spawn a Linux shell, which may indicate exploitation attempts, such as

…ndpoint/windows_java_spawning_shells.yml …recated/windows_java_spawning_shells.ymldetections/endpoint/windows_java_spawning_shells.yml renamed to detections/deprecated/windows_java_spawning_shells.yml detections/endpoint/windows_java_spawning_shells.yml renamed to detections/deprecated/windows_java_spawning_shells.yml

@@ -1,9 +1,9 @@
 name: Windows Java Spawning Shells
 id: 28c81306-5c47-11ec-bfea-acde48001122
-version: 11
-date: '2025-10-07'
+version: 12
+date: '2025-10-25'
 author: Michael Haag, Splunk
-status: experimental
+status: deprecated
 type: TTP
 description: The following analytic identifies instances where java.exe or w3wp.exe
   spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages

detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml

@@ -1,7 +1,7 @@
 name: Cisco NVM - Curl Execution With Insecure Flags
 id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 3
-date: '2025-09-10'
+version: 4
+date: '2025-10-24'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -85,6 +85,7 @@ tags:
   analytic_story:
   - Cisco Network Visibility Module Analytics
   - PromptLock
+  - Microsoft WSUS CVE-2025-59287
   asset_type: Endpoint
   mitre_attack_id:
   - T1197

detections/endpoint/malicious_powershell_process___encoded_command.yml

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 17
-date: '2025-09-16'
+version: 18
+date: '2025-10-24'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
 type: Hunting
@@ -63,6 +63,7 @@ tags:
   - Microsoft SharePoint Vulnerabilities
   - Scattered Spider
   - GhostRedirector IIS Module and Rungan Backdoor
+  - Microsoft WSUS CVE-2025-59287
   asset_type: Endpoint
   mitre_attack_id:
   - T1027

detections/endpoint/possible_lateral_movement_powershell_spawn.yml

@@ -1,7 +1,7 @@
 name: Possible Lateral Movement PowerShell Spawn
 id: cb909b3e-512b-11ec-aa31-3e22fbd008af
 version: 12
-date: '2025-10-21'
+date: '2025-10-24'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
@@ -78,6 +78,7 @@ tags:
   - Data Destruction
   - Scheduled Tasks
   - CISA AA24-241A
+  - Microsoft WSUS CVE-2025-59287
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.003

detections/endpoint/powershell_4104_hunting.yml

@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
 version: 21
-date: '2025-10-14'
+date: '2025-10-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -86,6 +86,7 @@ tags:
   - APT37 Rustonotto and FadeStealer
   - GhostRedirector IIS Module and Rungan Backdoor
   - Hellcat Ransomware
+  - Microsoft WSUS CVE-2025-59287
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

detections/endpoint/powershell_domain_enumeration.yml

@@ -1,7 +1,7 @@
 name: PowerShell Domain Enumeration
 id: e1866ce2-ca22-11eb-8e44-acde48001122
-version: 10
-date: '2025-07-28'
+version: 11
+date: '2025-10-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -65,6 +65,7 @@ tags:
   - CISA AA23-347A
   - Data Destruction
   - Interlock Ransomware
+  - Microsoft WSUS CVE-2025-59287
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
 version: 14
-date: '2025-10-14'
+date: '2025-10-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -67,6 +67,7 @@ tags:
   - APT37 Rustonotto and FadeStealer
   - GhostRedirector IIS Module and Rungan Backdoor
   - Hellcat Ransomware
+  - Microsoft WSUS CVE-2025-59287
   mitre_attack_id:
   - T1027
   - T1059.001

detections/endpoint/web_or_application_server_spawning_a_shell.yml

@@ -18,12 +18,12 @@ data_source:
 - Sysmon for Linux EventID 1
 - Sysmon EventID 1
 search: |
-  | tstats `security_content_summariesonly` 
-    count min(_time) as firstTime 
-          max(_time) as lastTime 
-  
-  from datamodel=Endpoint.Processes where 
-  
+  | tstats `security_content_summariesonly`
+    count min(_time) as firstTime
+          max(_time) as lastTime
+
+  from datamodel=Endpoint.Processes where
+
   (
     Processes.parent_process_name IN ("java", "tomcat*", "httpd", "lighttpd", "apache2", "nginx", "node", "caddy")
     `linux_shells`
@@ -33,15 +33,15 @@ search: |
     Processes.parent_process_name IN ("httpd.exe", "nginx.exe", "php*.exe", "php-cgi.exe", "tomcat*.exe", "caddy.exe", "UMWorkerProcess.exe", "w3wp.exe", "ws_TomcatService.exe", "node.exe", "java.exe")
     `windows_shells`
   )
-  
+
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
      Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
      Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
-     Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level 
+     Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
      Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  
-  | `drop_dm_object_name(Processes)` 
-  | `security_content_ctime(firstTime)` 
+
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
   | `web_or_application_server_spawning_a_shell_filter`
 how_to_implement: |
@@ -87,10 +87,25 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Data Destruction
-  - Spring4Shell CVE-2022-22965
-  - Hermetic Wiper
-  - Log4Shell CVE-2021-44228
+    - BlackByte Ransomware
+    - CISA AA22-257A
+    - CISA AA22-264A
+    - Cleo File Transfer Software
+    - Data Destruction
+    - Flax Typhoon
+    - GhostRedirector IIS Module and Rungan Backdoor
+    - HAFNIUM Group
+    - Hermetic Wiper
+    - Log4Shell CVE-2021-44228
+    - Microsoft SharePoint Vulnerabilities
+    - Microsoft WSUS CVE-2025-59287
+    - PHP-CGI RCE Attack on Japanese Organizations
+    - ProxyNotShell
+    - ProxyShell
+    - SAP NetWeaver Exploitation
+    - Spring4Shell CVE-2022-22965
+    - SysAid On-Prem Software CVE-2023-47246 Vulnerability
+    - WS FTP Server Critical Vulnerabilities
   asset_type: Endpoint
   mitre_attack_id:
   - T1190

detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml

@@ -1,7 +1,7 @@
 name: Windows Common Abused Cmd Shell Risk Behavior
 id: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-10-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Correlation
@@ -69,6 +69,7 @@ tags:
   - Windows Defense Evasion Tactics
   - CISA AA23-347A
   - Disabling Security Tools
+  - Microsoft WSUS CVE-2025-59287
   asset_type: Endpoint
   mitre_attack_id:
   - T1222