Detection / DETPublic file

IIS Worker Process Spawning a Command Interpreter

Detects an IIS worker process starting a Windows command or scripting interpreter, a high-risk post-exploitation behavior relevant to remote code execution against on-premises SharePoint Server.

Sigma source

Raw YAML
title: IIS Worker Process Spawning a Command Interpreter
id: f7a7275e-806c-4757-ba7f-b2d0d4d02137
status: stable
author: FRAME ZERO
date: 2026-07-15
description: Detects an IIS worker process starting a Windows command or scripting interpreter, a high-risk post-exploitation behavior relevant to remote code execution against on-premises SharePoint Server.
references:
  - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\\w3wp.exe'
  selection_child:
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
      - '\\cscript.exe'
      - '\\wscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Approved IIS or SharePoint administrative extensions that intentionally start a command interpreter
  - Documented maintenance automation executed through an application pool identity
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
telemetry_assumptions:
  - Process creation telemetry records full parent and child image paths on SharePoint servers.
  - Command line, application pool identity, network request, and file activity are available for triage.
related_publication: sharepoint-active-exploitation-machine-key-theft

Relationships

Related files