# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-45659
#   Vendor / Product Microsoft / SharePoint Server
#   CISA KEV ....... added 2026-07-01, federal remediation due 2026-07-04
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-45659
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: Microsoft SharePoint Worker Process Spawning Command Shell (CVE-2026-45659)
id: 6150e076-82b7-5aa1-8052-787b43a12c18
status: experimental
description: |
    Detects the IIS SharePoint worker process (w3wp.exe) spawning a command interpreter — the post-exploitation signature of deserialization RCE against SharePoint Server.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-45659
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059
    - cve.2026.45659
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\\w3wp.exe'
        ParentCommandLine|contains: 'SharePoint'
    selection_child:
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\pwsh.exe'
            - '\\cscript.exe'
            - '\\wscript.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate SharePoint timer jobs or administrative scripts that shell out (rare — baseline before enabling).
level: high
