
CVE-2025-59287 - WSUS Identification + Vulnerability Query

The query below outputs a list of your Windows servers that have a Falcon sensor, tells you whether each one still needs the patch for the CVE, when its OS version data was last updated, and whether WSUS was "detected" on it. Source: https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlnti7p/

Tags: EDR, detection, FDR, intermediate
By AAuraa (cql-hub.com)

Query

// Build a one-day lookup table of hosts where "WSUS" appeared in a process execution event (crude, but cheap)
| defineTable(query={
  #repo = "base_sensor" #event_simpleName="ProcessRollup2" and "WSUS"
  | groupBy([ComputerName])
}, include=[ComputerName], name="LocateAnythingWSUS", start=1d)

// Get OsVersionInfo events; sent by the sensor every 24 hours or at sensor start or update
| #event_simpleName=OsVersionInfo

// Narrow search to only include Windows Server systems
| in(field="event_platform", values=[Win])
| in(field=ProductName, values=["*server*"], ignoreCase=true)

// Flag affected builds whose SubBuildNumber (UBR) is below the first patched level; any other Windows build is "OK"
| case {
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=17763 SubBuildNumber<7922 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=20348 SubBuildNumber<4297 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=26100 SubBuildNumber<6905 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=25398 SubBuildNumber<1916 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=14393 SubBuildNumber<8524 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=6 MinorVersion=2 BuildNumber=9200 SubBuildNumber<25728 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=6 MinorVersion=3 BuildNumber=9600 SubBuildNumber<22826 | Status:="NEEDS PATCH";
    event_platform=Win                                                 | Status:="OK";
    *;
}
| OSVersion := format(format="%s.%s.%s.%s", field=[MajorVersion, MinorVersion, BuildNumber, SubBuildNumber])

// Keep only the most recent OsVersionInfo record per host
| groupBy([ComputerName], function=([selectLast([aid, ComputerName, event_platform, ProductName, OSVersion, Status, LocalAddressIP4, @timestamp])]), limit=max)

// Move timestamps from epoch to human readable
| formatTime(format="%F %T", as="LastUpdated", field=@timestamp)
// Modify field names for easier reading
| rename([[aid, "Agent ID"], [event_platform, Platform]])

// Aggregate results into tabular format with cleaner column ordering
// (list only fields that exist at this point in the query)
| groupBy(["Agent ID", ComputerName, Platform, ProductName, OSVersion, Status, LocalAddressIP4, LastUpdated], function=[], limit=max)

// Set default values for easier reading
| default(value="-", field=[ComputerName, OSVersion, Status, LocalAddressIP4, LastUpdated], replaceEmpty=true)
// Mark hosts that also appear in the WSUS lookup table built at the top
| case {
  match(file="LocateAnythingWSUS", field=ComputerName, column=ComputerName)
  | WSUSDetected := "Potentially";
  *
  | WSUSDetected := "No";
}
| drop(@timestamp)
| sort(WSUSDetected, ComputerName)

Explanation

Imported from cql-hub.com.

The defineTable() at the top builds a lookup table named "LocateAnythingWSUS" containing the ComputerName of every host that, in the last day, produced a ProcessRollup2 event containing the string "WSUS". This is a heuristic for "WSUS is present", not a definitive inventory.

The main search takes OsVersionInfo events, keeps Windows hosts whose ProductName contains "server", and runs a case{} block: a host is labeled "NEEDS PATCH" when its MajorVersion, MinorVersion and BuildNumber match one of the affected Windows Server builds and its SubBuildNumber (the UBR) is below the first patched level listed for that build; any other Windows build falls through to "OK". OSVersion is then formatted as Major.Minor.Build.UBR.

A first groupBy() with selectLast() keeps the most recent record per ComputerName, formatTime() turns @timestamp into a readable LastUpdated column, rename() gives the aid and event_platform fields friendlier names, and a second groupBy() fixes the column order. default() fills empty cells with "-".

Finally, match() against the lookup table sets WSUSDetected to "Potentially" for hosts that appeared in it and "No" for all others, @timestamp is dropped, and the table is sorted by WSUSDetected and then ComputerName.
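The patch cut-offs and WSUSDetected tagging from the query above, as an added Python example (not code from the cql-hub page or the linked Reddit thread) that can be run offline against an inventory export; the hostnames, version strings and WSUS list are constructed sample data, and the Windows Server labels next to each build are added here for readability:

```python
# Added example (not the page's or the Reddit author's code): PATCHED_UBR copies the query's case{} cut-offs,
# the server labels are added for readability, and every host below is constructed sample data.
PATCHED_UBR = {
    (10, 0, 17763): 7922,   # Windows Server 2019
    (10, 0, 20348): 4297,   # Windows Server 2022
    (10, 0, 26100): 6905,   # Windows Server 2025
    (10, 0, 25398): 1916,   # Windows Server, version 23H2
    (10, 0, 14393): 8524,   # Windows Server 2016
    (6, 2, 9200): 25728,    # Windows Server 2012
    (6, 3, 9600): 22826,    # Windows Server 2012 R2
}

def patch_status(os_version: str) -> str:
    """Return 'NEEDS PATCH', 'OK' or 'UNKNOWN' for a 'Major.Minor.Build.UBR' string."""
    try:
        major, minor, build, ubr = (int(p) for p in os_version.split("."))
    except ValueError:                      # wrong number of parts or a non-numeric part
        return "UNKNOWN"
    threshold = PATCHED_UBR.get((major, minor, build))
    if threshold is None:                   # not an affected build: the query's catch-all "OK" branch
        return "OK"
    return "NEEDS PATCH" if ubr < threshold else "OK"

def assess(hosts, wsus_hosts):
    """hosts: iterable of (ComputerName, OSVersion); wsus_hosts: names seen with 'WSUS'.
    Returns rows sorted by (WSUSDetected, ComputerName). Names are compared exactly,
    as the query's match() does by default."""
    wsus = set(wsus_hosts)
    rows = [{"ComputerName": name, "OSVersion": ver, "Status": patch_status(ver),
             "WSUSDetected": "Potentially" if name in wsus else "No"}
            for name, ver in hosts]
    return sorted(rows, key=lambda r: (r["WSUSDetected"], r["ComputerName"]))

# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = [
    ("WSUS01", "10.0.20348.4170"),   # Server 2022 below the 4297 cut-off
    ("WSUS02", "10.0.17763.7922"),   # Server 2019 exactly at the cut-off
    ("FILE01", "10.0.14393.8000"),   # Server 2016 below the 8524 cut-off
    ("LEGACY", "6.3.9600.21000"),    # Server 2012 R2 below the 22826 cut-off
]
SAMPLE_WSUS = ["WSUS01", "WSUS02"]

if __name__ == "__main__":
    for r in assess(SAMPLE_HOSTS, SAMPLE_WSUS):
        print(f"{r['ComputerName']:<8} {r['OSVersion']:<18} {r['Status']:<11} WSUS={r['WSUSDetected']}")
```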

Variables to adjust

Review and adjust the values to match your environment: the #repo name and the start=1d window in defineTable(), the "*server*" ProductName filter, and the SubBuildNumber cut-offs in the case{} block, which should be checked against the current Microsoft guidance for the CVE before relying on the "OK" label.