IIS Worker Process Spawning a Command Interpreter
Detects an IIS worker process starting a Windows command or scripting interpreter, a high-risk post-exploitation behavior relevant to remote code execution against on-premises SharePoint Server.
Sigma source
Raw YAMLtitle: IIS Worker Process Spawning a Command Interpreter
id: f7a7275e-806c-4757-ba7f-b2d0d4d02137
status: stable
author: FRAME ZERO
date: 2026-07-15
description: Detects an IIS worker process starting a Windows command or scripting interpreter, a high-risk post-exploitation behavior relevant to remote code execution against on-premises SharePoint Server.
references:
- https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\\w3wp.exe'
selection_child:
Image|endswith:
- '\\cmd.exe'
- '\\powershell.exe'
- '\\pwsh.exe'
- '\\cscript.exe'
- '\\wscript.exe'
condition: selection_parent and selection_child
falsepositives:
- Approved IIS or SharePoint administrative extensions that intentionally start a command interpreter
- Documented maintenance automation executed through an application pool identity
level: high
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
telemetry_assumptions:
- Process creation telemetry records full parent and child image paths on SharePoint servers.
- Command line, application pool identity, network request, and file activity are available for triage.
related_publication: sharepoint-active-exploitation-machine-key-theft