Detect CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE in Sumo Logic CSE
Detects exploitation of CVE-2026-45659, a critical deserialization-of-untrusted-data vulnerability in Microsoft SharePoint Server. Successful exploitation allows remote code execution by sending crafted serialized .NET objects to SharePoint web endpoints. The CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Persistence
Sumo Detection Query
_sourceCategory=iis OR _sourceCategory=windows/security OR _sourceCategory=sysmon
| parse "* * * * * * * * * * * * *" as date, time, s_sitename, s_computername, s_ip, cs_method, cs_uri_stem, cs_uri_query, s_port, cs_username, c_ip, cs_useragent, sc_status nodrop
| parse "ProcessId=* ParentProcessId=* Image=* ParentImage=* CommandLine=*" as pid, ppid, image, parent_image, cmdline nodrop
| if(!isNull(cs_method), 1, 0) as is_iis_record
| if(!isNull(image), 1, 0) as is_process_record
| if(is_iis_record=1 AND cs_method in ("POST","PUT") AND cs_uri_stem matches /(?i).*(_vti_bin|_layouts|_api|upload\.aspx|viewlsts\.aspx).*/, 1, 0) as sharepoint_endpoint
| if(is_process_record=1 AND parent_image matches /(?i).*(w3wp|owstimer)\.exe.*/ AND image matches /(?i).*(cmd|powershell|wscript|cscript|mshta|rundll32|certutil|bitsadmin)\.exe.*/, 1, 0) as suspicious_child
| where sharepoint_endpoint=1 OR suspicious_child=1
| if(sharepoint_endpoint=1, "Suspicious SharePoint HTTP Request", "SharePoint Process Spawned Malicious Child") as detection_type
| fields _sourceHost, _sourceCategory, detection_type, cs_uri_stem, cs_method, sc_status, c_ip, image, parent_image, cmdline
| sort by _messageTime desc
Sumo Logic query for SharePoint deserialization exploitation. It flags two signals: POST or PUT requests to sensitive SharePoint endpoints (_vti_bin, _layouts, _api, upload.aspx, viewlsts.aspx) in IIS W3C logs, and living-off-the-land binaries (cmd, powershell, wscript, cscript, mshta, rundll32, certutil, bitsadmin) spawned by w3wp.exe or OWSTIMER.EXE in process-creation events. Derived fields use Sumo Logic's `expression as field` form rather than a Splunk-style eval, and the endpoint and process patterns are regex literals (slash-delimited) so that the alternations and the (?i) flag are interpreted as a regex rather than a wildcard glob. The two predicates are ORed, so each result is a single-source hit; correlating both signal types on the same _sourceHost in a short window gives the stronger request-to-shell indicator. Note that the second parse statement matches Sysmon-style key=value text: Windows Security Event ID 4688 records use the New Process Name, Creator Process Name and Process Command Line field names and need their own parse line before they can populate suspicious_child.
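The two predicates above, re-implemented in Python and run over constructed IIS and Sysmon records so the logic can be exercised offline. This is an added example, not code from the page or from Sumo Logic: the IIS field order, the Sysmon key=value layout, the host names, IPs and accounts are all made up, and the `allowlisted_users` tuning hook (for the scheduled-automation false positives listed under "False Positives & Tuning") and the `hosts_with_both_signals` correlation step are additions beyond what the query itself does.

```python
"""Reference implementation of the SharePoint deserialization detection (added example).

The Sumo Logic query ORs an IIS predicate and a process-creation predicate; this module
mirrors both, adds an allowlist tuning hook, and escalates hosts where both signals fire.
All sample data below is constructed for the example and is not real telemetry.
"""
import re
from collections import defaultdict

# Constructed events as (_sourceCategory, _sourceHost, raw message). IIS lines follow the
# 13-field W3C order the query's first parse statement assumes; Sysmon lines use the
# key=value shape its second parse statement expects.
EVENTS = [
    ("iis", "SP01", "2026-05-01 10:00:01 W3SVC1 SP01 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 200"),
    ("iis", "SP01", "2026-05-01 10:00:07 W3SVC1 SP01 10.0.0.5 POST /_vti_bin/UserProfileService.asmx - 443 - 203.0.113.9 python-requests/2.31 200"),
    ("iis", "SP01", "2026-05-01 10:00:09 W3SVC1 SP01 10.0.0.5 POST /_layouts/15/upload.aspx - 443 DOMAIN\\bob 10.0.1.21 Mozilla/5.0 200"),
    ("iis", "SP02", "2026-05-01 10:00:10 W3SVC1 SP02 10.0.0.6 POST /_api/web/lists - 443 DOMAIN\\svc_reporting 10.0.2.2 PowerBI/1.0 200"),
    ("sysmon", "SP01", "ProcessId=4812 ParentProcessId=1234 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine=cmd.exe /c whoami"),
    ("sysmon", "SP01", "ProcessId=4900 ParentProcessId=1234 Image=C:\\Windows\\System32\\conhost.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine=conhost.exe 0x4"),
    ("sysmon", "SP02", "ProcessId=5001 ParentProcessId=700 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell.exe -File backup.ps1"),
]

IIS_FIELDS = ["date", "time", "s_sitename", "s_computername", "s_ip", "cs_method", "cs_uri_stem",
              "cs_uri_query", "s_port", "cs_username", "c_ip", "cs_useragent", "sc_status"]
SYSMON_RE = re.compile(r"ProcessId=(\S+) ParentProcessId=(\S+) Image=(.+?) ParentImage=(.+?) CommandLine=(.*)$")

# Same alternations as the query. The process patterns are anchored to the executable's
# basename rather than searched in the full path, so a directory named cmd.exe cannot match.
SP_ENDPOINT_RE = re.compile(r"(?i)(_vti_bin|_layouts|_api|upload\.aspx|viewlsts\.aspx)")
SP_PARENT_RE = re.compile(r"(?i)^(w3wp|owstimer)\.exe$")
LOLBIN_RE = re.compile(r"(?i)^(cmd|powershell|wscript|cscript|mshta|rundll32|certutil|bitsadmin)\.exe$")


def parse_iis(raw):
    """Split a W3C line into the 13 fields the query parses; None if the layout differs."""
    parts = raw.split(" ", len(IIS_FIELDS) - 1)
    return dict(zip(IIS_FIELDS, parts)) if len(parts) == len(IIS_FIELDS) else None


def parse_sysmon(raw):
    """Extract pid/ppid/image/parent_image/cmdline from Sysmon-style key=value text."""
    m = SYSMON_RE.match(raw)
    return dict(zip(["pid", "ppid", "image", "parent_image", "cmdline"], m.groups())) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_suspicious_sharepoint_request(rec, allowlisted_users=frozenset()):
    """sharepoint_endpoint predicate, with a hypothetical allowlist for known automation accounts."""
    return (rec["cs_method"] in ("POST", "PUT")
            and SP_ENDPOINT_RE.search(rec["cs_uri_stem"]) is not None
            and rec["cs_username"] not in allowlisted_users)


def is_suspicious_child(rec):
    """suspicious_child predicate: a LOLBin spawned by the SharePoint worker or timer process."""
    return (SP_PARENT_RE.match(basename(rec["parent_image"])) is not None
            and LOLBIN_RE.match(basename(rec["image"])) is not None)


def detect(events, allowlisted_users=frozenset()):
    """Apply both predicates and return one hit per matching event, like the query's output rows."""
    hits = []
    for category, host, raw in events:
        if category == "iis":
            rec = parse_iis(raw)
            if rec and is_suspicious_sharepoint_request(rec, allowlisted_users):
                hits.append({"host": host, "detection_type": "Suspicious SharePoint HTTP Request",
                             "detail": f'{rec["cs_method"]} {rec["cs_uri_stem"]} from {rec["c_ip"]}'})
        elif category == "sysmon":
            rec = parse_sysmon(raw)
            if rec and is_suspicious_child(rec):
                hits.append({"host": host, "detection_type": "SharePoint Process Spawned Malicious Child",
                             "detail": f'{basename(rec["parent_image"])} -> {rec["cmdline"]}'})
    return hits


def hosts_with_both_signals(hits):
    """Hosts with both an endpoint hit and a child-process hit: the request-to-shell chain."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["detection_type"])
    return sorted(host for host, kinds in seen.items() if len(kinds) == 2)


if __name__ == "__main__":
    found = detect(EVENTS, allowlisted_users={"DOMAIN\\svc_reporting"})
    for h in found:
        print(h["host"], "|", h["detection_type"], "|", h["detail"])
    print("hosts with both signals:", hosts_with_both_signals(found))
```

With the constructed input and the reporting account allowlisted, three rows fire (two endpoint hits and the cmd.exe child on SP01) and only SP01 carries both signal types; removing the allowlist adds the PowerBI POST on SP02, which illustrates the scheduled-API noise the tuning section describes without changing the correlated result.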
Data Sources
False Positives & Tuning
- SharePoint document library operations involving large file uploads through the _layouts or _vti_bin interfaces
- Automated SharePoint reporting or analytics tools making scheduled POST requests to SharePoint APIs
- IT operations scripts that interact with SharePoint and invoke system utilities as part of normal workflows
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2026-45659 SharePoint Deserialization Simulation via ysoserial.net
Expected signal: IIS logs should show a POST request to /_vti_bin/UserProfileService.asmx with large cs-bytes; Sysmon Event ID 1 should capture cmd.exe spawned by w3wp.exe with a CommandLine containing whoami.
- Test 2: SharePoint Worker Process Suspicious Child Simulation
Expected signal: Sysmon Event ID 1 showing cmd.exe execution under the Network Service account; Windows Security Event ID 4688 capturing process creation with suspicious command-line arguments.
- Test 3: SharePoint Endpoint Fuzzing and Web Shell Upload Detection Test
Expected signal: Sysmon Event ID 11 (FileCreate) capturing .aspx file creation under the SharePoint web directory path; Windows Security Event ID 4663 (file access) if object access auditing is enabled.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-45659