Detect Microsoft SharePoint Deserialization of Untrusted Data (CVE-2026-20963) in Microsoft Sentinel
Detects exploitation of CVE-2026-20963, a deserialization of untrusted data vulnerability in Microsoft SharePoint. Attackers can send crafted serialized payloads to SharePoint endpoints, leading to remote code execution in the context of the SharePoint application pool. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Persistence
KQL Detection Query
// Microsoft 365 Defender advanced hunting tables as surfaced in Sentinel; the union lets one
// query cover both the network branch (inbound to SharePoint) and the process branch (w3wp.exe children).
union DeviceNetworkEvents, DeviceProcessEvents
| where Timestamp > ago(7d)
// Scope to SharePoint hosts by name, or to events initiated by SharePoint service binaries.
// InitiatingProcessFileName is the column present in both tables (there is no InitiatingProcessName).
| where DeviceName has_any ("sharepoint", "wfe", "app") or InitiatingProcessFileName has_any ("w3wp.exe", "owstimer.exe", "spmigrationjob.exe")
| where (ActionType == "InboundConnectionAccepted" and RemotePort in (80, 443))
    or (FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe") and InitiatingProcessParentFileName =~ "w3wp.exe")
| extend Indicator = case(
    FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe") and InitiatingProcessParentFileName =~ "w3wp.exe", "SharePoint worker spawned suspicious child process",
    ActionType == "InboundConnectionAccepted", "Inbound connection to SharePoint host",
    "Unknown"
)
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, Indicator

Detects the SharePoint IIS worker process (w3wp.exe) spawning suspicious child processes indicative of post-deserialization code execution, or inbound network connections to SharePoint hosts.
Data Sources
Required Tables
- DeviceNetworkEvents
- DeviceProcessEvents
False Positives & Tuning
- Legitimate SharePoint administrative scripts launched via scheduled tasks under w3wp.exe context
- Monitoring agents or backup software that invoke cmd.exe under IIS worker processes
- SharePoint health analyzer tasks spawning PowerShell for maintenance
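To exercise the rule's process-spawn branch and the tuning above offline, here is an added Python example (not the page's or any vendor's code) that mirrors the query's parent/child logic over constructed process-creation records and suppresses the benign sources listed. The excluded script folder and service account are assumed placeholders, and the record whose parent is w3wp_sim.exe (the name Test 1 below expects) shows that the query's exact parent match does not flag it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Child processes the KQL query treats as suspicious when their parent is w3wp.exe.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}

# Tuning allowlist for the false-positive sources listed above. Paths and account
# names are constructed placeholders; replace them with values from your environment.
ALLOWED_COMMANDLINE_SUBSTRINGS = ("C:\\SPAdmin\\Scripts\\",)  # known admin/maintenance scripts
ALLOWED_ACCOUNTS = {"CONTOSO\\spbackupsvc"}                   # backup/monitoring agent identity

@dataclass
class ProcEvent:  # minimal process-creation record, DeviceProcessEvents-style fields
    device_name: str
    file_name: str
    process_command_line: str
    initiating_process_parent_file_name: str
    account_name: str

def classify(ev: ProcEvent) -> Optional[str]:
    """Return the query's Indicator string for a flagged event, or None if not flagged."""
    # Same exact, case-insensitive parent match as InitiatingProcessParentFileName =~ "w3wp.exe".
    if ev.initiating_process_parent_file_name.lower() != "w3wp.exe":
        return None
    if ev.file_name.lower() not in SUSPICIOUS_CHILDREN:
        return None
    # Tuning: suppress the documented benign sources before raising the indicator.
    if ev.account_name in ALLOWED_ACCOUNTS:
        return None
    if any(s.lower() in ev.process_command_line.lower() for s in ALLOWED_COMMANDLINE_SUBSTRINGS):
        return None
    return "SharePoint worker spawned suspicious child process"

def run_detection(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    # (device, child process, indicator) for every event the rule would surface
    return [(ev.device_name, ev.file_name, ind) for ev in events if (ind := classify(ev)) is not None]

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcEvent("SP-WFE01", "powershell.exe", "powershell.exe -nop -w hidden", "w3wp.exe", "CONTOSO\\sp_apppool"),
    ProcEvent("SP-WFE01", "cmd.exe", "cmd.exe /c C:\\SPAdmin\\Scripts\\health.ps1", "w3wp.exe", "CONTOSO\\sp_apppool"),
    ProcEvent("SP-WFE01", "cmd.exe", "cmd.exe /c backup.bat", "w3wp.exe", "CONTOSO\\spbackupsvc"),
    ProcEvent("SP-WFE01", "powershell.exe", "powershell.exe -File test.ps1", "w3wp_sim.exe", "CONTOSO\\tester"),
    ProcEvent("SP-APP01", "notepad.exe", "notepad.exe", "w3wp.exe", "CONTOSO\\sp_apppool"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Only the first record survives: the allowlisted script path, the backup service account, the non-w3wp.exe parent and the non-suspicious child are all dropped.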
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate SharePoint Deserialization Child Process Spawn
  Expected signal: Process creation event (Event ID 4688 or Sysmon Event ID 1) with ParentImage matching w3wp_sim.exe and Image matching powershell.exe
- Test 2: Craft and Submit Malformed Serialized Payload to SharePoint Endpoint
  Expected signal: IIS access log entry showing POST to /_api/web/lists with non-JSON content-type or anomalous body size; WAF or SIEM alert on malformed serialized content
- Test 3: Simulate Credential Dumping Post-Exploitation via w3wp.exe Context
  Expected signal: Process creation event showing cmd.exe or tasklist.exe executed under SharePoint application pool identity; Event ID 4656/4663 if LSASS handle access is attempted