
Summary
The rule "Windows WSUS Spawning Shell" identifies instances where a shell (either PowerShell.exe or Cmd.exe) is spawned from wsusservice.exe, the process associated with Windows Server Update Services (WSUS). The detection draws on process creation events, typically collected by Endpoint Detection and Response (EDR) agents. This behavior is significant because it may indicate exploitation of a critical deserialization vulnerability, CVE-2025-59287, which allows unauthenticated remote code execution on WSUS servers. If confirmed as malicious, such activity could allow attackers to execute arbitrary commands, leading to system compromise, data exfiltration, and lateral movement within the network. Implementing this detection requires ingesting logs that record process activity and normalizing them with the Splunk Common Information Model (CIM) so the fields can be analyzed consistently. The rule flags unusual spawning of interactive shells from the WSUS service and recommends reviewing the command line arguments and user context of the processes involved.
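As an added example (not part of the original rule or Splunk's content), the core matching logic applied to constructed CIM-style process creation events; it assumes the Endpoint.Processes field names parent_process_name, process_name, process and user, and returns the command line and user context the rule asks analysts to review:

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# The two interactive shells and the parent process named by the rule.
SHELLS = {"cmd.exe", "powershell.exe"}
WSUS_PARENT = "wsusservice.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Process-creation event using Splunk CIM Endpoint.Processes field names (assumed)."""
    parent_process_name: str
    process_name: str
    process: str  # full command line
    user: str


def _image_name(value: str) -> str:
    # Accept a bare image name or a full Windows path; compare case-insensitively.
    return ntpath.basename(value).lower()


def is_wsus_spawned_shell(ev: ProcessEvent) -> bool:
    return (_image_name(ev.parent_process_name) == WSUS_PARENT
            and _image_name(ev.process_name) in SHELLS)


def detect(events: Iterable[ProcessEvent]) -> List[dict]:
    """Return triage records (shell, command line, user) for every matching event."""
    return [{"process_name": _image_name(ev.process_name), "process": ev.process, "user": ev.user}
            for ev in events if is_wsus_spawned_shell(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Update Services\Service\WsusService.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"NT AUTHORITY\NETWORK SERVICE"),
    ProcessEvent("WsusService.exe", "POWERSHELL.EXE",  # bare names, mixed case
                 "powershell.exe -NoProfile -Command Get-Date",
                 r"NT AUTHORITY\NETWORK SERVICE"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe", r"CORP\alice"),  # a shell, but not from WSUS
    ProcessEvent(r"C:\Program Files\Update Services\Service\WsusService.exe",
                 r"C:\Windows\System32\conhost.exe", "conhost.exe",
                 r"NT AUTHORITY\NETWORK SERVICE"),  # WSUS parent, not a shell
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```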
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1190
- T1505.003
Created: 2025-10-24