SigmaHQ · RG9n · Apr 11, 2025 · Apr 11, 2025 · Apr 11, 2025 · Apr 14, 2025
diff --git a/...25/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml b/...25/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
@@ -0,0 +1,30 @@
+title: Suspicious Process Spawned by CentreStack Portal AppPool
+id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
+status: experimental
+description: |
+    Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
+references:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
+    - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
+    - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
+    - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
+author: Jason Rathbun (Blackpoint Cyber)
+date: 2025-04-17
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.t1505.003
+    - cve.2025-30406
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\w3wp.exe'
+        ParentCommandLine|contains: '\portal\portal.config'
+        Image|endswith: '\cmd.exe'
+    condition: selection
+falsepositives:
+    - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
+level: high