Web Exploitation: Anomalous Child Process from IIS Worker Process w3wp.exe

Detects deserialization exploitation in ASP.NET applications through anomalous child processes launched by w3wp.exe. Covers CVE-2025-53690 Sitecore ViewState, RCE in React Server Components via Flight protocol, and critical vulnerabilities in Fortra GoAnywhere MFT. High-fidelity indicator: w3wp.exe should never spawn shells or reconnaissance tools in production.