# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-32201
#   Vendor / Product Microsoft / SharePoint Server
#   CISA KEV ....... added 2026-04-14, federal remediation due 2026-04-28
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-32201
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: SharePoint Server Anomalous Child Process (CVE-2026-32201)
id: b3724bf5-fb3a-597a-8de9-211670f7664d
status: experimental
description: |
    Detects w3wp.exe hosting SharePoint spawning reconnaissance or web-shell-dropping utilities following exploitation of the SharePoint improper-input-validation vulnerability.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-32201
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
    - cve.2026.32201
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\\w3wp.exe'
    selection_child:
        Image|endswith:
            - '\\whoami.exe'
            - '\\net.exe'
            - '\\net1.exe'
            - '\\ipconfig.exe'
            - '\\certutil.exe'
    condition: selection_parent and selection_child
    fields:
        - CommandLine
        - ParentCommandLine
falsepositives:
    - SharePoint patch/config tooling invoked by administrators.
level: high
