CVE-2026-45659 Google Chronicle · YARA-L

Detect CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE in Google Chronicle

Detects exploitation of CVE-2026-45659, a critical deserialization-of-untrusted-data vulnerability in Microsoft SharePoint Server. An attacker exploits it by sending crafted serialized .NET objects to SharePoint web endpoints; successful exploitation yields remote code execution in the context of the IIS worker process. The CVE is listed in CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
// Two single-event rules rather than one `or`-joined rule, deployed as two
// rule entries. On a NETWORK_HTTP event the SharePoint server is the
// target (principal.hostname is the client), while on a PROCESS_LAUNCH
// event the server is the principal, so a single shared $host join across
// the two branches could never line them up. Each rule keys on the server
// host over 2m; an HTTP hit and a process hit on the same host within that
// window should be triaged together.

rule cve_2026_45659_sharepoint_deserialization_http {
  meta:
    author = "df00tech Detection Engineering"
    description = "CVE-2026-45659: large POST to a sensitive SharePoint endpoint (payload delivery)"
    severity = "CRITICAL"
    priority = "HIGH"
    yara_version = "YL2.0"
    rule_version = "1.1"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659"

  events:
    // Web request to a sensitive SharePoint endpoint with a large POST body.
    // In UDM the requested URL is target.url (network.http carries method,
    // response code and user agent, not the URL) and network.sent_bytes is
    // the client-to-server byte count, i.e. the request body size.
    $web_request.metadata.event_type = "NETWORK_HTTP"
    $web_request.network.http.method = "POST"
    re.regex($web_request.target.url, `(?i)(_vti_bin|_layouts|_api|upload\.aspx|viewlsts\.aspx)`)
    $web_request.network.sent_bytes > 5000
    $web_request.target.hostname = $host

  match:
    $host over 2m

  outcome:
    // Aggregation functions take a single expression; score on the largest
    // request body seen in the window.
    $risk_score = max(if($web_request.network.sent_bytes > 10000, 85, 70))

  condition:
    $web_request
}

rule cve_2026_45659_sharepoint_deserialization_process {
  meta:
    author = "df00tech Detection Engineering"
    description = "CVE-2026-45659: shell or LOLBin spawned by the IIS worker or SharePoint timer process (code execution)"
    severity = "CRITICAL"
    priority = "HIGH"
    yara_version = "YL2.0"
    rule_version = "1.1"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659"

  events:
    // Suspicious child of w3wp.exe (IIS worker) or owstimer.exe (SharePoint
    // timer service). Both patterns are anchored on the file name, assuming
    // the backslash-separated paths Sysmon and 4688 report, so that e.g.
    // mycmd.exe does not match.
    $proc_event.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc_event.principal.process.file.full_path, `(?i)\\(w3wp|owstimer)\.exe$`)
    re.regex($proc_event.target.process.file.full_path, `(?i)\\(cmd|powershell|wscript|cscript|mshta|rundll32|certutil|bitsadmin)\.exe$`)
    $proc_event.principal.hostname = $host

  match:
    $host over 2m

  outcome:
    // Execution from the web worker is the high-confidence half of the chain.
    $risk_score = 95

  condition:
    $proc_event
}
```

Severity: critical · Confidence: high

The YARA-L logic above watches two signals on the SharePoint front end: anomalous HTTP POST requests (more than 5,000 bytes of request body) to sensitive SharePoint paths such as _vti_bin, _layouts and _api, and shell or LOLBin child processes (cmd.exe, powershell.exe, mshta.exe, certutil.exe and similar) spawned by the IIS worker process w3wp.exe or the SharePoint timer service owstimer.exe. The HTTP signal is a weak, volume-based one on its own; the process signal is the high-confidence one, because a deserialization gadget that reaches code execution normally has w3wp.exe as the parent. Each signal keys on the server hostname over a 2-minute window, so an HTTP hit followed within minutes by a process hit on the same host describes the full chain (payload delivered, then code executed) and should be triaged as one incident.

Data Sources

Chronicle UDM, Google Cloud IDS, Windows Event Logs

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate content sync or bulk upload operations (including hybrid sync with SharePoint Online and migration tooling) generating large POST payloads to _api, _vti_bin or upload.aspx endpoints; tune by raising the sent_bytes threshold or excluding known sync client IPs rather than removing paths from the pattern.
  • SharePoint farm administrative PowerShell operations running in the context of the IIS application pool identity; these usually have an interactive or scheduler parent rather than w3wp.exe, so check the parent process before adding an exclusion.
  • Third-party SharePoint add-ins or connectors that invoke system processes as part of integration workflows; baseline the specific child image and command line and exclude that pair, not w3wp.exe as a whole.

Testing Methodology

Validate this detection with three Atomic Red Team-style tests. Each test lists the behaviour to exercise and the telemetry you should expect to see; confirm the events arrive in Chronicle as UDM NETWORK_HTTP and PROCESS_LAUNCH records before judging the rule itself.

  1. Test 1: CVE-2026-45659 SharePoint Deserialization Simulation via ysoserial.net

    Expected signal: IIS logs should show a POST request to /_vti_bin/UserProfileService.asmx with a large cs-bytes value; Sysmon Event ID 1 should capture cmd.exe spawned by w3wp.exe with a CommandLine containing whoami.

  2. Test 2: SharePoint Worker Process Suspicious Child Simulation

    Expected signal: Sysmon Event ID 1 showing cmd.exe executed under the application pool identity (for example Network Service); Windows Security Event ID 4688 capturing process creation with suspicious command-line arguments (4688 only includes the command line when the "Include command line in process creation events" policy is enabled).

  3. Test 3: SharePoint Endpoint Fuzzing and Web Shell Upload Detection Test

    Expected signal: Sysmon Event ID 11 (FileCreate) capturing .aspx file creation in the SharePoint web directory; Windows Security Event ID 4663 (file access) if object access auditing is enabled. The rule on this page has no file-creation branch, so this test validates the telemetry pipeline and whatever web-shell detection you pair with it rather than the rule above; the fuzzing traffic only fires the HTTP branch if it sends POST bodies over 5,000 bytes to the listed paths.
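As an added example (not part of the original page or the df00tech rule), the following Python replays the two detection branches over constructed IIS W3C log lines and Sysmon Event ID 1 records of the shape the tests above say to expect, and then groups hits per server host in a 2-minute window the way `match: $host over 2m` does. Hostnames, IPs and log lines are constructed for illustration, and the per-host bucketing is a fixed-window simplification of Chronicle's match window. The 1,200-byte POST and the csc.exe child of w3wp.exe are there to show what the thresholds and the child-process list deliberately let through.

```python
import re
from datetime import datetime, timedelta

# Thresholds and patterns taken from the two rule branches.
SENSITIVE_PATH = re.compile(r"(?i)(_vti_bin|_layouts|_api|upload\.aspx|viewlsts\.aspx)")
IIS_PARENT = re.compile(r"(?i)\\(w3wp|owstimer)\.exe$")
SUSPICIOUS_CHILD = re.compile(
    r"(?i)\\(cmd|powershell|wscript|cscript|mshta|rundll32|certutil|bitsadmin)\.exe$")
POST_BYTES_MIN = 5000         # HTTP branch fires above this body size
POST_BYTES_HIGH = 10000       # larger bodies get the higher score
WINDOW = timedelta(minutes=2)  # mirrors `match: $host over 2m`

# Constructed IIS W3C lines (not real logs). cs-bytes is the client-to-server
# byte count, i.e. the POST body size the rule thresholds on.
IIS_FIELDS = ("date time s-computername cs-method cs-uri-stem cs-uri-query "
              "s-port c-ip cs-bytes sc-status").split()
IIS_LOG = """\
#Fields: date time s-computername cs-method cs-uri-stem cs-uri-query s-port c-ip cs-bytes sc-status
2026-05-01 10:00:01 SP-WFE01 GET /_layouts/15/start.aspx - 443 10.0.0.5 412 200
2026-05-01 10:00:07 SP-WFE01 POST /_vti_bin/UserProfileService.asmx - 443 203.0.113.7 18231 200
2026-05-01 10:01:30 SP-WFE02 POST /sites/hr/_api/web/lists - 443 10.0.0.9 6100 200
2026-05-01 10:05:00 SP-WFE01 POST /_vti_bin/client.svc/ProcessQuery - 443 10.0.0.5 1200 200
"""

# Constructed Sysmon Event ID 1 records, reduced to the EventData fields the
# rule needs (these feed UDM principal.process / target.process).
SYSMON_EVENTS = [
    {"UtcTime": "2026-05-01 10:00:09", "Computer": "SP-WFE01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Benign: ASP.NET compiling a page under w3wp.exe; not in the child list.
    {"UtcTime": "2026-05-01 10:01:31", "Computer": "SP-WFE02",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library"},
]


def parse_iis(text):
    """Parse W3C extended log lines into dicts; directive lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(IIS_FIELDS, line.split()))
        rec["cs-bytes"] = int(rec["cs-bytes"])
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def web_branch(rec):
    """HTTP branch: POST to a sensitive path with a body over POST_BYTES_MIN."""
    if rec["cs-method"] != "POST" or not SENSITIVE_PATH.search(rec["cs-uri-stem"]):
        return None
    if rec["cs-bytes"] <= POST_BYTES_MIN:
        return None
    return {"host": rec["s-computername"], "ts": rec["ts"],
            "score": 85 if rec["cs-bytes"] > POST_BYTES_HIGH else 70,
            "detail": f"POST {rec['cs-uri-stem']} cs-bytes={rec['cs-bytes']} from {rec['c-ip']}"}


def proc_branch(ev):
    """Process branch: IIS worker / timer service spawning a shell or LOLBin."""
    if not IIS_PARENT.search(ev["ParentImage"]) or not SUSPICIOUS_CHILD.search(ev["Image"]):
        return None
    return {"host": ev["Computer"],
            "ts": datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"),
            "score": 95, "detail": f"{ev['ParentImage']} -> {ev['CommandLine']}"}


def correlate(hits, window=WINDOW):
    """Bucket hits per host into fixed windows; a window's risk_score is the max hit score."""
    by_host = {}
    for hit in sorted(hits, key=lambda h: (h["host"], h["ts"])):
        windows = by_host.setdefault(hit["host"], [])
        if windows and hit["ts"] - windows[-1]["start"] <= window:
            windows[-1]["hits"].append(hit)
            windows[-1]["risk_score"] = max(windows[-1]["risk_score"], hit["score"])
        else:
            windows.append({"start": hit["ts"], "hits": [hit], "risk_score": hit["score"]})
    return by_host


def run(iis_text=IIS_LOG, sysmon=SYSMON_EVENTS):
    """Apply both branches and correlate; returns {host: [window, ...]}."""
    hits = [h for h in map(web_branch, parse_iis(iis_text)) if h]
    hits += [h for h in map(proc_branch, sysmon) if h]
    return correlate(hits)


if __name__ == "__main__":
    for host, windows in run().items():
        for w in windows:
            print(f"{host} {w['start']:%H:%M:%S} risk={w['risk_score']}")
            for hit in w["hits"]:
                print(f"   [{hit['score']}] {hit['detail']}")
```

Running it yields one window for SP-WFE01 holding both the 18,231-byte POST (score 85) and the cmd.exe child of w3wp.exe two seconds later (score 95, so the window scores 95), and one window for SP-WFE02 holding only the 6,100-byte POST to _api (score 70), which is exactly the triage split the rule intends: the host with the full chain outranks the host with a lone large request.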
