Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-58644.

Upgrade to Pro
CVE-2026-58644 Google Chronicle · YARA-L

Detect Microsoft SharePoint Deserialization of Untrusted Data Exploitation (CVE-2026-58644) in Google Chronicle

Detects exploitation attempts and post-exploitation indicators associated with CVE-2026-58644, a deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint. This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. Successful exploitation typically results in remote code execution via crafted serialized payloads submitted to vulnerable SharePoint endpoints (e.g. ViewState, application pages, or REST/SOAP endpoints), often followed by w3wp.exe spawning abnormal child processes, webshell drops into SharePoint application directories, and LSASS/credential access activity.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule sharepoint_deserialization_cve_2026_58644 {
  meta:
    author = "df00tech"
    description = "Detects suspicious child process execution from SharePoint w3wp.exe consistent with CVE-2026-58644 exploitation"
    severity = "CRITICAL"
    cve = "CVE-2026-58644"
  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.parent_process.file.full_path = /w3wp\.exe/ nocase
    $proc.principal.process.parent_process.command_line = /SharePoint/ nocase
    $proc.target.process.file.full_path = /(cmd\.exe|powershell\.exe|cscript\.exe|wscript\.exe|mshta\.exe|certutil\.exe|rundll32\.exe|regsvr32\.exe)/ nocase
  match:
    $proc over 5m
  condition:
    $proc
}
critical severity high confidence

Chronicle YARA-L rule identifying SharePoint IIS worker process spawning suspicious interpreters/binaries, a strong indicator of remote code execution via CVE-2026-58644 deserialization exploitation.

Data Sources

Chronicle Windows Event Log ingestionSysmon via Chronicle forwarder

Required Tables

PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate SharePoint admin automation under the app pool identity
  • Scheduled timer jobs or Health Analyzer rules invoking utilities
  • EDR/backup agent instrumentation within IIS worker processes

Other platforms for CVE-2026-58644


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Suspicious Child Process from w3wp.exe

    Expected signal: Sysmon Event ID 1 process creation showing parent process w3wp.exe launching cmd.exe with command line containing 'whoami'.

  2. Test 2Simulate Webshell Drop in SharePoint Directory

    Expected signal: Sysmon Event ID 11 file creation event for test_atomic.aspx under the SharePoint LAYOUTS directory, ideally attributed to w3wp.exe or an interactive PowerShell session.

  3. Test 3Simulate Encoded PowerShell Execution from IIS Context

    Expected signal: Sysmon Event ID 1 showing powershell.exe with -EncodedCommand flag and a parent process context simulating w3wp.exe.

  4. Test 4Simulate SharePoint ViewState Tampering Request

    Expected signal: IIS W3SVC log entry recording the POST request with an oversized/malformed __VIEWSTATE parameter, and a corresponding SharePoint ULS log exception.

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-58644 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections