Intelligence / TIPublic intelligence

Active SharePoint exploitation targets IIS machine keys

CISA reports remote code execution, machine-key theft, deserialization-based persistence, and malware deployment across supported on-premises SharePoint Server editions.

Published
2026-07-15
Reading time
4 min read

Operational layer / Use first

Detection & hunt kit

Deployable logic, required telemetry, and review state. Expand an artifact without leaving the intelligence report.

01 / DetectionIIS Worker Process Spawning a Command InterpreterDetects an IIS worker process starting a Windows command or scripting interpreter, a high-risk post-exploitation behavior relevant to remote code execution against on-premises SharePoint Server.high / stableView detailsMinimize
Use
Detection
Confidence state
stable
Priority
high
ATT&CK
T1059.001 / T1059.003

Required telemetry

category
process_creation
product
windows
Sigma sourceInline / YAML
title: IIS Worker Process Spawning a Command Interpreter
id: f7a7275e-806c-4757-ba7f-b2d0d4d02137
status: stable
author: FRAME ZERO
date: 2026-07-15
description: Detects an IIS worker process starting a Windows command or scripting interpreter, a high-risk post-exploitation behavior relevant to remote code execution against on-premises SharePoint Server.
references:
  - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\\w3wp.exe'
  selection_child:
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
      - '\\cscript.exe'
      - '\\wscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Approved IIS or SharePoint administrative extensions that intentionally start a command interpreter
  - Documented maintenance automation executed through an application pool identity
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
telemetry_assumptions:
  - Process creation telemetry records full parent and child image paths on SharePoint servers.
  - Command line, application pool identity, network request, and file activity are available for triage.
related_publication: sharepoint-active-exploitation-machine-key-theft
02 / Threat huntSharePoint IIS Post-Exploitation ActivityHunts for broader SharePoint and IIS post-exploitation activity involving worker processes, command execution, machine-key or configuration access, and web-root changes.medium / experimentalView detailsMinimize
Use
Threat hunt
Confidence state
experimental
Priority
medium
Review after
2026-08-14

Required telemetry

product
windows

ATT&CK / T1059.001 / T1059.003 / T1505.003

Sigma sourceInline / YAML
title: SharePoint IIS Post-Exploitation Activity
id: e406b7f6-2e59-4a27-a1c3-c19b26e6263f
status: experimental
author: FRAME ZERO
date: 2026-07-15
description: Hunts for broader SharePoint and IIS post-exploitation activity involving worker processes, command execution, machine-key or configuration access, and web-root changes.
references:
  - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
logsource:
  product: windows
detection:
  selection_worker_image:
    Image|endswith: '\w3wp.exe'
  selection_worker_parent:
    ParentImage|endswith: '\w3wp.exe'
  selection_interpreter:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
  selection_key_or_config_command:
    CommandLine|contains:
      - 'machineKey'
      - 'aspnet_regiis'
      - 'web.config'
  selection_sensitive_file:
    TargetFilename|contains:
      - '\inetpub\wwwroot\'
      - '\Web Server Extensions\'
    TargetFilename|endswith:
      - '.aspx'
      - '.config'
      - '.dll'
      - '.js'
  condition: (selection_worker_image or selection_worker_parent) and (selection_interpreter or selection_key_or_config_command or selection_sensitive_file)
falsepositives:
  - Approved SharePoint maintenance, deployment, backup, or application-pool administration
  - Authorized extensions that execute child processes or update application files
  - Planned machine-key rotation performed after incident containment
level: medium
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.persistence
  - attack.t1505.003
telemetry_assumptions:
  - Endpoint telemetry on SharePoint servers records process lineage, command lines, and file activity with the initiating process.
  - IIS request logs, application-pool identity, antimalware alerts, and access to machine-key material are available for analyst correlation.
  - The rule is used as a hunt across correlated events rather than as a single-event alert.
related_publication: sharepoint-active-exploitation-machine-key-theft

Analysis

CISA reports active exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 against on-premises SharePoint Server. The vulnerabilities affect all supported editions, including Subscription Edition, 2019, and 2016. Threat actors have used the access for remote code execution, theft of IIS machine keys, deserialization-based persistence, and malware deployment.

CISA added CVE-2026-32201 to the Known Exploited Vulnerabilities Catalog on 14 April 2026, CVE-2026-45659 on 1 July, and CVE-2026-56164 on 14 July. The agency also identified CVE-2026-55040 and CVE-2026-58644 as patching priorities, while stating that those two vulnerabilities were not known to be exploited when the alert was published.

Exploitation reaches the SharePoint application process

The alert does not identify the initial request sequence or attribute the activity to a named actor. It confirms that exploitation gives attackers unauthorized access to internet-facing SharePoint instances and enables remote code execution. That foothold places attacker-controlled execution in the IIS application context used by SharePoint.

Post-exploitation activity includes access to IIS machine keys. ASP.NET uses those secrets to protect application state. A stolen key can allow an actor to construct data that passes integrity checks, supporting later deserialization attempts and persistence even after the original vulnerable request path is patched. CISA advises organizations to hunt for machine-key harvesters and other intrusion artifacts before rotating the keys, because an unremediated foothold can steal the replacements again.

CISA also reports malware deployment after exploitation. The alert does not provide actor infrastructure, request samples, filenames, hashes, or a victim count. Those gaps limit campaign clustering, while the confirmed behavior still supports urgent server-level investigation.

Process lineage provides a durable detection point

The included Sigma rule detects w3wp.exe starting cmd.exe, PowerShell, or Windows script hosts. CISA specifically recommends reviewing suspicious SharePoint worker-process activity after the reported remote code execution. The rule translates that guidance into a behavior-based analytic that does not depend on an IP address, domain, file hash, or vulnerability-specific request pattern.

An alert requires investigation rather than automatic confirmation. Administrators can build approved SharePoint extensions or maintenance processes that start interpreters. Triage should establish the application pool identity, full command line, parent process, initiating request, child network activity, file writes, and any access to machine-key material. The process behavior maps to PowerShell (T1059.001) or Windows Command Shell (T1059.003) when the relevant interpreter is present. Exploitation of an internet-facing SharePoint application maps to Exploit Public-Facing Application (T1190).

CISA lists four Microsoft detections for additional coverage. Exploit:Script/SuspSignoutReqBody.A covers request-body scanning on SharePoint Server Subscription Edition. Exploit:Script/ToolPaneAuthBypass.A covers request-header scanning, and Exploit:Script/ToolPaneAuthBypass.C covers remote-code-execution activity across SharePoint Server 2016, 2019, and Subscription Edition. Backdoor:MSIL/LeakFang.A!dha addresses post-exploitation access to IIS-protected secrets.

The accompanying experimental hunt broadens the process alert to worker-process activity associated with interpreters, machine-key or configuration access, and changes to SharePoint or IIS application files. It requires endpoint process and file telemetry plus IIS and identity context. Approved farm maintenance, application deployment, and key rotation can produce matches and must be checked against change records.

Telemetry and remediation priorities

SharePoint operators should apply the latest Microsoft updates and verify successful installation. AMSI integration should be enabled for every SharePoint web application, with Full Mode request-body scanning where the edition and operating requirements permit it. Internet exposure should be removed when it is unnecessary. Required external access should pass through an authenticated Layer 7 reverse proxy or equivalent control that can inspect requests.

Central Administration should remain inaccessible from external networks. Farm and database communication should be restricted to required systems. Security teams need off-host retention for IIS requests, Windows process creation, PowerShell, Windows Application events, file changes under the web root, antimalware detections, and access to configuration or machine-key material.

When compromise is suspected, responders should preserve evidence, identify persistence, remove web shells or harvesters, and validate the application state before rotating IIS machine keys. Key rotation is part of remediation after the foothold has been removed.

Scope and limitations

This analysis relies on one authoritative CISA alert. It establishes active exploitation and the affected SharePoint editions, but it does not identify the actors, affected organizations, exploitation volume, or infrastructure. The included Sigma rule covers one post-exploitation process pattern. It will not detect deserialization that remains within the IIS worker process, theft performed without a child interpreter, or activity on servers that lack complete process lineage.

Sources

Evidence register
  1. CISA Urges SharePoint Hardening After New Exploitationsprimary