crowdstrike_cqlTTP
CVE-2025-59287 - WSUS Identification+Vulnerability Query
The query below outputs a list of your Windows servers with a Falcon sensor, tells you whether each one still needs the patch for CVE-2025-59287, when its last OsVersionInfo report arrived, and whether WSUS was "detected" on it. https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlnti7p/

How to read the output: Status comes from the SubBuildNumber (UBR) thresholds in the case block, which are the build numbers of Microsoft's October 2025 out-of-band WSUS update, so a Windows Server build that is not in that list falls through to "OK" rather than "unknown". OsVersionInfo is only sent every 24 hours (or at sensor start/update), so a host patched after its last report still shows "NEEDS PATCH" until the next one. WSUSDetected is a heuristic: "Potentially" means a ProcessRollup2 event whose raw text contains "WSUS" was seen on that host in the last day (which also matches a hostname containing WSUS), and "No" means the heuristic saw nothing, not that the WSUS Server role is absent.
Detection Query
// Rough heuristic for WSUS-involved hosts: any ProcessRollup2 event in the last day whose raw text contains "WSUS"
// (this also matches hosts whose ComputerName contains WSUS)
| defineTable(query={
    #repo = "base_sensor" #event_simpleName="ProcessRollup2" and "WSUS"
    | groupBy([ComputerName])
}, include=[ComputerName], name="LocateAnythingWSUS", start=1d)
// Get OsVersionInfo events; sent by the sensor every 24 hours and at sensor start or update
| #event_simpleName=OsVersionInfo
// Narrow the search to Windows Server systems
| in(field="event_platform", values=["Win"])
| in(field=ProductName, values=["*server*"], ignoreCase=true)
// Thresholds are the SubBuildNumber (UBR) of the October 2025 out-of-band WSUS update for each server build:
// 17763 = Server 2019, 20348 = Server 2022, 26100 = Server 2025, 25398 = Server version 23H2,
// 14393 = Server 2016, 9200 = Server 2012, 9600 = Server 2012 R2. Any server build not listed falls through to "OK".
| case {
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=17763 SubBuildNumber<7922 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=20348 SubBuildNumber<4297 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=26100 SubBuildNumber<6905 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=25398 SubBuildNumber<1916 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=14393 SubBuildNumber<8524 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=6 MinorVersion=2 BuildNumber=9200 SubBuildNumber<25728 | Status:="NEEDS PATCH";
    event_platform=Win MajorVersion=6 MinorVersion=3 BuildNumber=9600 SubBuildNumber<22826 | Status:="NEEDS PATCH";
    event_platform=Win | Status:="OK";
    *;
}
| OSVersion := format(format="%s.%s.%s.%s", field=[MajorVersion, MinorVersion, BuildNumber, SubBuildNumber])
// Keep only the newest OsVersionInfo per host; aip is the external IP the Falcon cloud saw the sensor connect from
| groupBy([ComputerName], function=[selectLast([aid, event_platform, ProductName, OSVersion, Status, aip, LocalAddressIP4, @timestamp])], limit=max)
// Move timestamps from epoch to human readable
| formatTime(format="%F %T", as="LastUpdated", field=@timestamp)
// Modify field names for easier reading
| rename([[aid, "Agent ID"], [event_platform, Platform], [aip, "External IP"]])
// Set default values for easier reading; done before the final groupBy so every row carries every column
| default(value="-", field=[ProductName, OSVersion, Status, "External IP", LocalAddressIP4, LastUpdated], replaceEmpty=true)
// Flag hosts found by the WSUS heuristic; "Potentially" is a hint, not confirmation that the WSUS role is installed
| case {
    match(file="LocateAnythingWSUS", field=ComputerName, column=ComputerName)
    | WSUSDetected := "Potentially";
    *
    | WSUSDetected := "No";
}
| drop(@timestamp)
// Aggregate results into tabular format with cleaner ordering
| groupBy(["Agent ID", ComputerName, Platform, ProductName, OSVersion, Status, "External IP", LocalAddressIP4, LastUpdated, WSUSDetected], function=[], limit=max)
// Descending puts "Potentially" rows first; sort() caps its output at limit (default 200), so raise it for larger fleets
| sort([WSUSDetected, ComputerName], order=desc, limit=5000)
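The same classification logic, as an added stand-alone Python example that is not part of the original query or the cqlTTP repository, run over constructed OsVersionInfo and ProcessRollup2-style records. It keeps the query's thresholds and the newest-report-per-host rule, and goes one step further than the query on the edge cases described above: server builds missing from the threshold table are reported as "UNLISTED BUILD" rather than "OK", and the WSUS heuristic is a case-insensitive substring test over the whole record (a choice made here; the hostnames, IPs and timestamps in the sample data are invented).

```python
"""CVE-2025-59287 patch-status logic from the CQL query above, re-implemented over
constructed OsVersionInfo / ProcessRollup2-style records (added example; not part
of the original query). Differences from the query: server builds missing from the
threshold table are reported as "UNLISTED BUILD" instead of "OK", and the WSUS
heuristic is a case-insensitive substring test over the serialized record."""
import json

# SubBuildNumber (UBR) of the October 2025 out-of-band WSUS fix, keyed by
# (MajorVersion, MinorVersion, BuildNumber); same thresholds as the CQL case block.
PATCHED_UBR = {
    (10, 0, 26100): 6905,   # Windows Server 2025
    (10, 0, 25398): 1916,   # Windows Server, version 23H2
    (10, 0, 20348): 4297,   # Windows Server 2022
    (10, 0, 17763): 7922,   # Windows Server 2019
    (10, 0, 14393): 8524,   # Windows Server 2016
    (6, 3, 9600): 22826,    # Windows Server 2012 R2
    (6, 2, 9200): 25728,    # Windows Server 2012
}


def patch_status(ev):
    """NEEDS PATCH / OK by UBR threshold; builds outside the table are called out explicitly."""
    key = (int(ev["MajorVersion"]), int(ev["MinorVersion"]), int(ev["BuildNumber"]))
    if key not in PATCHED_UBR:
        return "UNLISTED BUILD"
    return "NEEDS PATCH" if int(ev["SubBuildNumber"]) < PATCHED_UBR[key] else "OK"


def is_windows_server(ev):
    """Mirrors event_platform=Win plus the case-insensitive *server* ProductName filter."""
    return ev.get("event_platform") == "Win" and "server" in ev.get("ProductName", "").lower()


def wsus_hosts(process_events, window_start):
    """Hosts with a ProcessRollup2 event in the window whose serialized record contains 'wsus'.
    Like the free-text search in the query, this also fires on hostnames containing WSUS."""
    return {ev["ComputerName"] for ev in process_events
            if ev.get("#event_simpleName") == "ProcessRollup2"
            and ev["@timestamp"] >= window_start
            and "wsus" in json.dumps(ev).lower()}


def build_report(os_events, process_events, window_start):
    """One row per Windows Server host, built from its newest OsVersionInfo report (selectLast)."""
    latest = {}
    for ev in sorted(os_events, key=lambda e: e["@timestamp"]):
        if ev.get("#event_simpleName") == "OsVersionInfo" and is_windows_server(ev):
            latest[ev["ComputerName"]] = ev   # a later report overwrites an earlier one
    wsus = wsus_hosts(process_events, window_start)
    rows = []
    for name, ev in latest.items():
        rows.append({
            "ComputerName": name,
            "ProductName": ev["ProductName"],
            "OSVersion": "%s.%s.%s.%s" % (ev["MajorVersion"], ev["MinorVersion"],
                                          ev["BuildNumber"], ev["SubBuildNumber"]),
            "Status": patch_status(ev),
            "External IP": ev.get("aip", "-"),
            "LastUpdated": ev["@timestamp"],
            "WSUSDetected": "Potentially" if name in wsus else "No",
        })
    return sorted(rows, key=lambda r: (r["WSUSDetected"], r["ComputerName"]))


# Constructed sample telemetry (epoch seconds); field names follow the Falcon events.
SAMPLE_OS_EVENTS = [
    {"#event_simpleName": "OsVersionInfo", "@timestamp": 1761000000, "ComputerName": "UPD01",
     "event_platform": "Win", "ProductName": "Windows Server 2019 Standard",
     "MajorVersion": 10, "MinorVersion": 0, "BuildNumber": 17763, "SubBuildNumber": 7919,
     "aip": "203.0.113.10"},
    {"#event_simpleName": "OsVersionInfo", "@timestamp": 1761086400, "ComputerName": "UPD01",
     "event_platform": "Win", "ProductName": "Windows Server 2019 Standard",
     "MajorVersion": 10, "MinorVersion": 0, "BuildNumber": 17763, "SubBuildNumber": 7922,
     "aip": "203.0.113.10"},  # patched since the earlier report; this newer one wins
    {"#event_simpleName": "OsVersionInfo", "@timestamp": 1761040000, "ComputerName": "FS02",
     "event_platform": "Win", "ProductName": "Windows Server 2022 Datacenter",
     "MajorVersion": 10, "MinorVersion": 0, "BuildNumber": 20348, "SubBuildNumber": 4294},
    {"#event_simpleName": "OsVersionInfo", "@timestamp": 1761040000, "ComputerName": "LEGACY",
     "event_platform": "Win", "ProductName": "Windows Server 2008 R2 Standard",
     "MajorVersion": 6, "MinorVersion": 1, "BuildNumber": 7601, "SubBuildNumber": 27000},
    {"#event_simpleName": "OsVersionInfo", "@timestamp": 1761040000, "ComputerName": "WS10",
     "event_platform": "Win", "ProductName": "Windows 10 Enterprise",
     "MajorVersion": 10, "MinorVersion": 0, "BuildNumber": 19045, "SubBuildNumber": 5000},
]
SAMPLE_PROCESS_EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "@timestamp": 1761050000, "ComputerName": "UPD01",
     "FileName": "WsusService.exe"},
    {"#event_simpleName": "ProcessRollup2", "@timestamp": 1760900000, "ComputerName": "FS02",
     "CommandLine": "powershell.exe Get-WsusServer"},   # older than the 1d window: ignored
]
WINDOW_START = 1761086400 - 86400  # start=1d relative to the newest report

if __name__ == "__main__":
    for row in build_report(SAMPLE_OS_EVENTS, SAMPLE_PROCESS_EVENTS, WINDOW_START):
        print(row)
```

Run stand-alone it prints one row per server in the same order the query produces (WSUSDetected, then ComputerName); the non-server workstation is filtered out, FS02 shows NEEDS PATCH, LEGACY is flagged as an unlisted build instead of silently passing, and UPD01 shows OK because only its newest report counts. Feeding it an OsVersionInfo export with the same field names is a quick way to double-check the threshold table before trusting the dashboard.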
Author
AAuraa
Data Sources
Endpoint
Platforms
windows
Tags
Detection
cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: CVE-2025-59287 - WSUS Identification+Vulnerability Query
# Description of what the query does and its purpose.
description: |
  The query below outputs a list of your Windows servers with a Falcon sensor, tells you whether each one still needs the patch for CVE-2025-59287, when its last OsVersionInfo report arrived, and whether WSUS was "detected" on it.
  https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlnti7p/

  How to read the output: Status comes from the SubBuildNumber (UBR) thresholds in the case block, which are the build numbers of Microsoft's October 2025 out-of-band WSUS update, so a Windows Server build that is not in that list falls through to "OK" rather than "unknown". OsVersionInfo is only sent every 24 hours (or at sensor start/update), so a host patched after its last report still shows "NEEDS PATCH" until the next one. WSUSDetected is a heuristic: "Potentially" means a ProcessRollup2 event whose raw text contains "WSUS" was seen on that host in the last day (which also matches a hostname containing WSUS), and "No" means the heuristic saw nothing, not that the WSUS Server role is absent.
# The author or team that created the query.
author: AAuraa
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  // Rough heuristic for WSUS-involved hosts: any ProcessRollup2 event in the last day whose raw text contains "WSUS"
  // (this also matches hosts whose ComputerName contains WSUS)
  | defineTable(query={
      #repo = "base_sensor" #event_simpleName="ProcessRollup2" and "WSUS"
      | groupBy([ComputerName])
  }, include=[ComputerName], name="LocateAnythingWSUS", start=1d)
  // Get OsVersionInfo events; sent by the sensor every 24 hours and at sensor start or update
  | #event_simpleName=OsVersionInfo
  // Narrow the search to Windows Server systems
  | in(field="event_platform", values=["Win"])
  | in(field=ProductName, values=["*server*"], ignoreCase=true)
  // Thresholds are the SubBuildNumber (UBR) of the October 2025 out-of-band WSUS update for each server build:
  // 17763 = Server 2019, 20348 = Server 2022, 26100 = Server 2025, 25398 = Server version 23H2,
  // 14393 = Server 2016, 9200 = Server 2012, 9600 = Server 2012 R2. Any server build not listed falls through to "OK".
  | case {
      event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=17763 SubBuildNumber<7922 | Status:="NEEDS PATCH";
      event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=20348 SubBuildNumber<4297 | Status:="NEEDS PATCH";
      event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=26100 SubBuildNumber<6905 | Status:="NEEDS PATCH";
      event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=25398 SubBuildNumber<1916 | Status:="NEEDS PATCH";
      event_platform=Win MajorVersion=10 MinorVersion=0 BuildNumber=14393 SubBuildNumber<8524 | Status:="NEEDS PATCH";
      event_platform=Win MajorVersion=6 MinorVersion=2 BuildNumber=9200 SubBuildNumber<25728 | Status:="NEEDS PATCH";
      event_platform=Win MajorVersion=6 MinorVersion=3 BuildNumber=9600 SubBuildNumber<22826 | Status:="NEEDS PATCH";
      event_platform=Win | Status:="OK";
      *;
  }
  | OSVersion := format(format="%s.%s.%s.%s", field=[MajorVersion, MinorVersion, BuildNumber, SubBuildNumber])
  // Keep only the newest OsVersionInfo per host; aip is the external IP the Falcon cloud saw the sensor connect from
  | groupBy([ComputerName], function=[selectLast([aid, event_platform, ProductName, OSVersion, Status, aip, LocalAddressIP4, @timestamp])], limit=max)
  // Move timestamps from epoch to human readable
  | formatTime(format="%F %T", as="LastUpdated", field=@timestamp)
  // Modify field names for easier reading
  | rename([[aid, "Agent ID"], [event_platform, Platform], [aip, "External IP"]])
  // Set default values for easier reading; done before the final groupBy so every row carries every column
  | default(value="-", field=[ProductName, OSVersion, Status, "External IP", LocalAddressIP4, LastUpdated], replaceEmpty=true)
  // Flag hosts found by the WSUS heuristic; "Potentially" is a hint, not confirmation that the WSUS role is installed
  | case {
      match(file="LocateAnythingWSUS", field=ComputerName, column=ComputerName)
      | WSUSDetected := "Potentially";
      *
      | WSUSDetected := "No";
  }
  | drop(@timestamp)
  // Aggregate results into tabular format with cleaner ordering
  | groupBy(["Agent ID", ComputerName, Platform, ProductName, OSVersion, Status, "External IP", LocalAddressIP4, LastUpdated, WSUSDetected], function=[], limit=max)
  // Descending puts "Potentially" rows first; sort() caps its output at limit (default 200), so raise it for larger fleets
  | sort([WSUSDetected, ComputerName], order=desc, limit=5000)