Microsoft SharePoint Worker Process Spawning Command Shell
Detects the IIS SharePoint worker process (w3wp.exe) spawning a command interpreter — the post-exploitation signature of deserialization RCE against SharePoint Server.
Production-ready Sigma rules for vulnerabilities that are confirmed exploited in the wild by CISA. Every rule is traceable: its CVE, its KEV catalog entry with the exact date, and its vendor advisory — no black-box "threat feed."
Detects the IIS SharePoint worker process (w3wp.exe) spawning a command interpreter — the post-exploitation signature of deserialization RCE against SharePoint Server.
Detects w3wp.exe hosting SharePoint spawning reconnaissance or web-shell-dropping utilities following exploitation of the SharePoint improper-input-validation vulnerability.
Detects non-SYSTEM writes into the Microsoft Defender Antimalware Platform directory, consistent with the access-control LPE (ransomware-linked in the CISA KEV catalog).
Detects the Ivanti Sentry web/application service spawning a shell interpreter — the signature of OS command injection against the appliance.
Detects the Ivanti Endpoint Manager Mobile (EPMM) application server spawning a shell — the post-exploitation signature of the improper-input-validation RCE.
Detects HTTP requests to SimpleHelp administrative/toolbox endpoints returning success without a preceding authenticated session — consistent with the authentication-bypass vulnerability.
Detects access to Splunk management/REST endpoints from outside expected management ranges, consistent with exploitation of the missing-authentication-for-critical-function vulnerability.
Detects access to FortiClient EMS API/console endpoints from unexpected sources, consistent with exploitation of the improper-access-control vulnerability.
These CVEs aren't chosen by hunch. See the Exploitation Velocity Index — our reproducible analysis of which vendors and weakness classes actually dominate real-world exploitation.