Suspicious Process Spawned by CentreStack Portal AppPool

calendar Oct 23, 2025 · attack.persistence attack.execution attack.t1059.003 attack.t1505.003 cve.2025-30406 detection.emerging-threats  ·
Share on: linkedin copy

Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)

Sigma rule (View on GitHub)

 1title: Suspicious Process Spawned by CentreStack Portal AppPool
 2id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
 3status: experimental
 4description: |
 5        Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
 6references:
 7    - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
 8    - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
 9    - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
10    - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
11author: Jason Rathbun (Blackpoint Cyber)
12date: 2025-04-17
13tags:
14    - attack.persistence
15    - attack.execution
16    - attack.t1059.003
17    - attack.t1505.003
18    - cve.2025-30406
19    - detection.emerging-threats
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        ParentImage|endswith: '\w3wp.exe'
26        ParentCommandLine|contains: '\portal\portal.config'
27        Image|endswith: '\cmd.exe'
28    condition: selection
29falsepositives:
30    - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
31level: high

References

Related rules

to-top