Detection / HNTPublic file

SharePoint IIS Post-Exploitation Activity

Hunts for broader SharePoint and IIS post-exploitation activity involving worker processes, command execution, machine-key or configuration access, and web-root changes.

Sigma source

Raw YAML
title: SharePoint IIS Post-Exploitation Activity
id: e406b7f6-2e59-4a27-a1c3-c19b26e6263f
status: experimental
author: FRAME ZERO
date: 2026-07-15
description: Hunts for broader SharePoint and IIS post-exploitation activity involving worker processes, command execution, machine-key or configuration access, and web-root changes.
references:
  - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
logsource:
  product: windows
detection:
  selection_worker_image:
    Image|endswith: '\w3wp.exe'
  selection_worker_parent:
    ParentImage|endswith: '\w3wp.exe'
  selection_interpreter:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
  selection_key_or_config_command:
    CommandLine|contains:
      - 'machineKey'
      - 'aspnet_regiis'
      - 'web.config'
  selection_sensitive_file:
    TargetFilename|contains:
      - '\inetpub\wwwroot\'
      - '\Web Server Extensions\'
    TargetFilename|endswith:
      - '.aspx'
      - '.config'
      - '.dll'
      - '.js'
  condition: (selection_worker_image or selection_worker_parent) and (selection_interpreter or selection_key_or_config_command or selection_sensitive_file)
falsepositives:
  - Approved SharePoint maintenance, deployment, backup, or application-pool administration
  - Authorized extensions that execute child processes or update application files
  - Planned machine-key rotation performed after incident containment
level: medium
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.persistence
  - attack.t1505.003
telemetry_assumptions:
  - Endpoint telemetry on SharePoint servers records process lineage, command lines, and file activity with the initiating process.
  - IIS request logs, application-pool identity, antimalware alerts, and access to machine-key material are available for analyst correlation.
  - The rule is used as a hunt across correlated events rather than as a single-event alert.
related_publication: sharepoint-active-exploitation-machine-key-theft

Relationships

Related files