
CVE-2025-59287 vulnerable WSUS servers identification

This query identifies WSUS servers that have the wsusservice enabled and that are vulnerable to CVE-2025-59287.

EDR · hunting · monitoring
FDR · intermediate · by Crowdstrike (cql-hub.com) · 2 min read

Query

// Make table that contains Agent ID values of Windows systems with WSUS service discovered
| defineTable(query={
  #repo = "base_sensor" event_platform=Win #event_simpleName="ProcessRollup2" FileName="wsusservice.exe"
  | groupBy([aid], function=[]
  ) 
}, include=[aid], name="WsusServiceRunning", start=7d)

// Get OsVersionInfo events; sent by the sensor every 24 hours or at sensor start or update
| #event_simpleName=OsVersionInfo event_platform=Win 
 
// Aggregate results to get latest information per Agent ID value
| groupBy([aid], function=([selectLast([@timestamp, ComputerName, event_platform, ProductName, LocalAddressIP4])]), limit=max)
 
// Merge details from AID Master
| match(file="aid_master_main.csv", field=[aid], include=[ProductType])

// Restrict above results to servers or domain controllers
| in(field="ProductType", values=[2,3])

// Evaluate Windows build numbers
| case {
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=17763 SubBuildNumber<7922 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=20348 SubBuildNumber<4297 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=26100 SubBuildNumber<6905 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=25398 SubBuildNumber<1916 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=14393 SubBuildNumber<8524 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=6 MinorVersion=2 BuildNumber=9200 SubBuildNumber<25728  | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=6 MinorVersion=3 BuildNumber=9600 SubBuildNumber<22826  | Status:="NEEDS PATCH";
    *                                                                                       | Status:="OK";
}
 
// Check to see if WSUS service was discovered on host
| case {
  match(file="WsusServiceRunning", field=aid, column=aid) | WsusService := "YES";
  *                                                       | WsusService := "NO";
}

// Organize table
| table([@timestamp, aid, ComputerName, WsusService, Status, ProductName, LocalAddressIP4], sortby=Status, order=asc, limit=50000)

// Make ProductType field human readable
| $falcon/helper:enrich(field=ProductType)

Explanation

Imported from cql-hub.com. The query first builds a lookup table (WsusServiceRunning) of Agent IDs on which the sensor recorded a wsusservice.exe process in the last 7 days. It then takes the Windows OsVersionInfo events (sent every 24 hours or at sensor start or update), keeps the latest one per Agent ID, joins ProductType from the AID master lookup and keeps only servers and domain controllers (ProductType 2 or 3). The first case block compares each host's BuildNumber and SubBuildNumber against the patched levels and sets Status to NEEDS PATCH or OK; the second case block sets WsusService to YES or NO depending on whether the host appears in the lookup table. The results are then laid out as a table sorted by Status, and ProductType is made human readable.
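As an added illustration, not part of the cql-hub page or CrowdStrike's query, the following Python reproduces the same classification offline over a few constructed OsVersionInfo-style records: the latest event per Agent ID is kept, non-server hosts are dropped, the SubBuildNumber is compared against the fix levels from the case block, and the WSUS flag comes from a set of Agent IDs standing in for the WsusServiceRunning table. The OsVersionInfo dataclass, patch_status, evaluate and the sample records are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Minimum patched SubBuildNumber (UBR) per (MajorVersion, MinorVersion, BuildNumber),
# copied from the case{} block of the query. A host on one of these builds with a
# lower UBR is reported as NEEDS PATCH.
PATCHED_UBR: Dict[Tuple[int, int, int], int] = {
    (10, 0, 17763): 7922,   # Windows Server 2019
    (10, 0, 20348): 4297,   # Windows Server 2022
    (10, 0, 26100): 6905,   # Windows Server 2025
    (10, 0, 25398): 1916,   # Windows Server, version 23H2
    (10, 0, 14393): 8524,   # Windows Server 2016
    (6, 2, 9200): 25728,    # Windows Server 2012
    (6, 3, 9600): 22826,    # Windows Server 2012 R2
}

# ProductType values kept by the in() filter: 2 = domain controller, 3 = server
SERVER_PRODUCT_TYPES = {2, 3}


@dataclass
class OsVersionInfo:
    """Constructed stand-in for the OsVersionInfo event fields the query uses (assumed layout)."""
    timestamp: int
    aid: str
    computer_name: str
    product_type: int
    major: int
    minor: int
    build: int
    ubr: int  # SubBuildNumber


def patch_status(ev: OsVersionInfo) -> str:
    """Mirror of the first case{} block: NEEDS PATCH when the build is listed and the UBR is below the fix level."""
    minimum = PATCHED_UBR.get((ev.major, ev.minor, ev.build))
    if minimum is not None and ev.ubr < minimum:
        return "NEEDS PATCH"
    # Wildcard branch of the query: any other build, including unlisted ones, is reported OK.
    return "OK"


def evaluate(events: Iterable[OsVersionInfo], wsus_aids: Set[str]) -> List[dict]:
    """Reproduce the pipeline: latest event per aid -> servers/DCs only -> Status -> WsusService flag."""
    latest: Dict[str, OsVersionInfo] = {}
    for ev in events:  # selectLast(): keep the most recent OsVersionInfo per aid
        if ev.aid not in latest or ev.timestamp > latest[ev.aid].timestamp:
            latest[ev.aid] = ev
    rows = []
    for ev in latest.values():
        if ev.product_type not in SERVER_PRODUCT_TYPES:
            continue
        rows.append({
            "aid": ev.aid,
            "ComputerName": ev.computer_name,
            "WsusService": "YES" if ev.aid in wsus_aids else "NO",  # match() against WsusServiceRunning
            "Status": patch_status(ev),
        })
    # table(sortby=Status, order=asc): NEEDS PATCH sorts before OK
    return sorted(rows, key=lambda r: r["Status"])


# Constructed sample data; the aid values and hostnames are made up for this example.
SAMPLE_EVENTS = [
    OsVersionInfo(100, "aid-001", "WSUS01", 3, 10, 0, 17763, 7100),  # Server 2019 below fix level
    OsVersionInfo(100, "aid-002", "WSUS02", 3, 10, 0, 20348, 4297),  # Server 2022 exactly at fix level
    OsVersionInfo(100, "aid-003", "DC01", 2, 6, 3, 9600, 22000),     # 2012 R2 DC below fix level
    OsVersionInfo(100, "aid-004", "WKS01", 1, 10, 0, 19045, 1000),   # workstation: dropped by ProductType
    OsVersionInfo(100, "aid-005", "APP01", 3, 10, 0, 26100, 6000),   # older report, behind
    OsVersionInfo(200, "aid-005", "APP01", 3, 10, 0, 26100, 6905),   # newer report after patching
    OsVersionInfo(100, "aid-006", "OLD01", 3, 10, 0, 22631, 1),      # build not in the list: wildcard OK
]
WSUS_AIDS = {"aid-001", "aid-002"}  # stands in for the WsusServiceRunning lookup table

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS, WSUS_AIDS):
        print(row)
```

Two points the offline run makes visible: a host whose build is not in the list (aid-006 above) is reported OK by the wildcard branch, not as unknown, so new Windows builds need to be added to the case block before the query says anything about them; and a host that sent no OsVersionInfo event in the query window does not appear in the output at all.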

Variables to adjust

Review and adjust the values to your environment: the start=7d lookback of the WsusServiceRunning table, the #repo="base_sensor" repository name, the table limit=50000, and the SubBuildNumber thresholds in the case block if later cumulative updates change the fixed build levels.