
Rule Info
Name: Suspicious Process Spawned by CentreStack Portal AppPool
Author: Jason Rathbun (Blackpoint Cyber)
Description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
Date: 2025-04-17 00:00:00
Modified: None
Id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
Tags: attack.execution, attack.t1059.003, attack.t1505.003, cve.2025-30406, detection.emerging-threats
Type: Community Rule
Rule History
Author: RG9n
Title: Merge PR #5263 from @RG9n - Add `Suspicious Process Spawned by CentreStack Portal AppPool`
Date: 2025-04-17