Suspicious Process Spawned by CentreStack Portal AppPool

    Date: 04/23/2025

    Severity: High

    Summary

Detects cmd.exe spawned by the IIS worker process (w3wp.exe) whose command line references the CentreStack portal configuration (\portal\portal.config). A web portal's worker process has no routine reason to launch a command shell, so in this context the child process is a strong indicator of post-exploitation activity following CVE-2025-30406, the CentreStack vulnerability in which a hardcoded ASP.NET machineKey in the portal configuration allows ViewState deserialization and remote code execution under the application pool identity.

Indicators of Compromise (IOC) List

    These are the process-creation selectors used by the referenced Sigma rule, not network or file-hash indicators. The image values are matched against the end of the executable path, and the parent command line value is matched as a substring, so only the leading backslash and file name are listed.

    ParentImage: '\w3wp.exe'

    ParentCommandLine: '\portal\portal.config'

    Image: '\cmd.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

((resourcename in ("Windows Security") AND eventtype = "4688") AND processname like "\cmd.exe" AND parentprocessname like "\w3wp.exe" AND parentcommandline like "\portal\portal.config")

    Note: Windows Security event 4688 records the creator process ID and creator process name but not the parent's command line, and it records the new process's own command line only when "Include command line in process creation events" is enabled alongside process-creation auditing. For this query to fire, the parentcommandline field therefore has to be populated by the SIEM from the parent w3wp.exe's own 4688 event (joined on the creator process ID). Sysmon Event ID 1 (Query 3) carries ParentCommandLine natively and is the more reliable source for this detection.

    Detection Query 2

    (technologygroup = "EDR" AND processname like "\cmd.exe" AND parentprocessname like "\w3wp.exe" AND parentcommandline like "\portal\portal.config")

    Detection Query 3

    ((resourcename in ("Sysmon") AND eventtype = "1") AND processname like "\cmd.exe" AND parentprocessname like "\w3wp.exe" AND parentcommandline like "\portal\portal.config")
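As an added worked example (not Gurucul's or SigmaHQ's code), the following Python re-implements the three selectors above and runs them over constructed sample records. It assumes Sigma-style case-insensitive matching, treats Image and ParentImage as suffix matches and ParentCommandLine as a substring match, and, for Windows Security 4688 records, recovers the parent's command line by joining the child's creator process ID to the parent's own 4688 event. All paths, PIDs and app pool names in the sample data are illustrative.

```python
"""Added example: re-implementation of the cmd.exe-from-w3wp.exe detection above.
Not Gurucul's or SigmaHQ's code. All event records below are constructed samples."""
from __future__ import annotations

# Selectors from the detection above (matched case-insensitively, as Sigma does).
PARENT_IMAGE_SUFFIX = "\\w3wp.exe"                # ParentImage endswith
PARENT_CMDLINE_MARKER = "\\portal\\portal.config"  # ParentCommandLine contains
CHILD_IMAGE_SUFFIXES = ("\\cmd.exe",)             # Image endswith


def matches(image: str | None, parent_image: str | None, parent_cmdline: str | None) -> bool:
    """True when a child-process record satisfies all three selectors."""
    img = (image or "").lower()
    pimg = (parent_image or "").lower()
    pcmd = (parent_cmdline or "").lower()
    return (
        img.endswith(tuple(s.lower() for s in CHILD_IMAGE_SUFFIXES))
        and pimg.endswith(PARENT_IMAGE_SUFFIX.lower())
        and PARENT_CMDLINE_MARKER.lower() in pcmd
    )


def detect_sysmon(events: list[dict]) -> list[dict]:
    """Sysmon Event ID 1 carries ParentImage and ParentCommandLine in the record itself."""
    return [
        e for e in events
        if e.get("EventID") == 1
        and matches(e.get("Image"), e.get("ParentImage"), e.get("ParentCommandLine"))
    ]


def detect_4688(events: list[dict]) -> list[dict]:
    """Windows Security 4688 records the creator PID and creator process name but not the
    parent's command line, so it is looked up from the parent's own 4688 record
    (NewProcessId == CreatorProcessId). Events are assumed to be in chronological order;
    PID reuse between the two events is a known limitation of this join."""
    cmdline_by_pid: dict[str, str] = {}
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        parent_cmdline = cmdline_by_pid.get(e.get("CreatorProcessId", ""))
        if matches(e.get("NewProcessName"), e.get("CreatorProcessName"), parent_cmdline):
            hits.append(e)
        cmdline_by_pid[e.get("NewProcessId", "")] = e.get("CommandLine", "")
    return hits


# Constructed sample records (paths, PIDs and app pool names are illustrative assumptions).
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
PORTAL_CMDLINE = (W3WP + ' -ap "CentreStackPortal" -v "v4.0" -l "webengine4.dll" '
                  '-h "C:\\inetpub\\temp\\apppools\\portal\\portal.config" -w "" -m 0')
OTHER_CMDLINE = (W3WP + ' -ap "DefaultAppPool" -v "v4.0" '
                 '-h "C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config"')

SAMPLE_SYSMON = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\explorer.exe"},                       # benign user shell
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": W3WP, "ParentCommandLine": PORTAL_CMDLINE},              # hit
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": W3WP, "ParentCommandLine": OTHER_CMDLINE},               # other app pool, no hit
    {"EventID": 1, "Image": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE",
     "ParentImage": W3WP.upper(), "ParentCommandLine": PORTAL_CMDLINE.upper()},  # case-insensitive hit
    {"EventID": 3, "Image": W3WP},                                            # not a process-creation event
]

SAMPLE_4688 = [
    {"EventID": 4688, "NewProcessId": "0x1a4c", "NewProcessName": W3WP,
     "CommandLine": PORTAL_CMDLINE, "CreatorProcessId": "0x7d0",
     "CreatorProcessName": "C:\\Windows\\System32\\svchost.exe"},           # portal worker starts
    {"EventID": 4688, "NewProcessId": "0x2b10", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "CreatorProcessId": "0x1a4c",
     "CreatorProcessName": W3WP},                                             # hit via the PID join
    {"EventID": 4688, "NewProcessId": "0x2c44", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe", "CreatorProcessId": "0x0999",
     "CreatorProcessName": W3WP},                                             # parent 4688 never seen: no hit
]

if __name__ == "__main__":
    for hit in detect_sysmon(SAMPLE_SYSMON):
        print("Sysmon hit:", hit["Image"], "<-", hit["ParentCommandLine"][:60])
    for hit in detect_4688(SAMPLE_4688):
        print("4688 hit:", hit["NewProcessName"], "creator", hit["CreatorProcessId"])
```

The third 4688 record shows the practical consequence of the caveat: a cmd.exe whose parent w3wp.exe started before collection began (or whose 4688 was dropped) cannot be attributed to the portal app pool by command line alone, which is why Sysmon Event ID 1 is the preferred source.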

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml


Tags

    Sigma, Vulnerability, Exploit, CVE-2025, CentreStack

