SharePoint IIS Post-Exploitation Activity
Hunts for broader SharePoint and IIS post-exploitation activity involving worker processes, command execution, machine-key or configuration access, and web-root changes.
Sigma source
Raw YAMLtitle: SharePoint IIS Post-Exploitation Activity
id: e406b7f6-2e59-4a27-a1c3-c19b26e6263f
status: experimental
author: FRAME ZERO
date: 2026-07-15
description: Hunts for broader SharePoint and IIS post-exploitation activity involving worker processes, command execution, machine-key or configuration access, and web-root changes.
references:
- https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
logsource:
product: windows
detection:
selection_worker_image:
Image|endswith: '\w3wp.exe'
selection_worker_parent:
ParentImage|endswith: '\w3wp.exe'
selection_interpreter:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cscript.exe'
- '\wscript.exe'
selection_key_or_config_command:
CommandLine|contains:
- 'machineKey'
- 'aspnet_regiis'
- 'web.config'
selection_sensitive_file:
TargetFilename|contains:
- '\inetpub\wwwroot\'
- '\Web Server Extensions\'
TargetFilename|endswith:
- '.aspx'
- '.config'
- '.dll'
- '.js'
condition: (selection_worker_image or selection_worker_parent) and (selection_interpreter or selection_key_or_config_command or selection_sensitive_file)
falsepositives:
- Approved SharePoint maintenance, deployment, backup, or application-pool administration
- Authorized extensions that execute child processes or update application files
- Planned machine-key rotation performed after incident containment
level: medium
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.persistence
- attack.t1505.003
telemetry_assumptions:
- Endpoint telemetry on SharePoint servers records process lineage, command lines, and file activity with the initiating process.
- IIS request logs, application-pool identity, antimalware alerts, and access to machine-key material are available for analyst correlation.
- The rule is used as a hunt across correlated events rather than as a single-event alert.
related_publication: sharepoint-active-exploitation-machine-key-theft