Suspicious Process Spawned by CentreStack Portal AppPool

calendar Apr 17, 2025 · attack.execution attack.t1059.003 attack.t1505.003 cve.2025-30406 detection.emerging-threats  ·
Share on: linkedin copy

Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)

Sigma rule (View on GitHub)

 1title: Suspicious Process Spawned by CentreStack Portal AppPool
 2id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
 3status: experimental
 4description: |
 5        Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
 6references:
 7    - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
 8    - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
 9    - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
10    - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
11author: Jason Rathbun (Blackpoint Cyber)
12date: 2025-04-17
13tags:
14    - attack.execution
15    - attack.t1059.003
16    - attack.t1505.003
17    - cve.2025-30406
18    - detection.emerging-threats
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        ParentImage|endswith: '\w3wp.exe'
25        ParentCommandLine|contains: '\portal\portal.config'
26        Image|endswith: '\cmd.exe'
27    condition: selection
28falsepositives:
29    - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
30level: high

References

Related rules

to-top