
Anomalous Child Process from IIS Worker: ViewState Deserialization Exploitation

Detects anomalous child processes spawned from w3wp.exe (the IIS worker process), a primary exploitation vector in CVE-2025-53690 and other .NET deserialization vulnerabilities in ASP.NET applications. Shell or tool execution from w3wp.exe is highly suspicious in production environments.
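A sketch of the parent/child logic described above, added here as an example; it is not the subscription query from this page. Field names follow Sysmon process-creation events (Event ID 1); the baseline of expected children, the tool list, the `C:\Windows` system path, and the sample events are constructed assumptions to tune per environment.

```python
import ntpath

# Assumption: children w3wp.exe legitimately starts (e.g. ASP.NET dynamic compilation).
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}
# Assumption: shells and tools that warrant a high-severity alert under w3wp.exe.
SHELLS_AND_TOOLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                    "wscript.exe", "rundll32.exe", "certutil.exe", "whoami.exe", "net.exe"}
SYSTEM_ROOT = "c:\\windows\\"  # assumption: default system drive and directory

def image_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path.strip().strip('"')).lower()

def classify(event):
    """Return None, 'medium' or 'high' for one process-creation event."""
    if image_name(event.get("ParentImage", "")) != "w3wp.exe":
        return None
    image = event.get("Image", "").strip().strip('"')
    child = image_name(image)
    if child in SHELLS_AND_TOOLS:
        return "high"
    # An expected name only counts as benign when it runs from the system
    # directory; the same name elsewhere may be a renamed binary.
    if child in EXPECTED_CHILDREN and image.lower().startswith(SYSTEM_ROOT):
        return None
    return "medium"

def detect(events):
    """Return (severity, Image, CommandLine) for every anomalous child."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append((severity, ev["Image"], ev.get("CommandLine", "")))
    return alerts

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"ParentImage": W3WP, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": W3WP.upper(), "Image": r"C:\inetpub\temp\csc.exe"},
    {"ParentImage": W3WP, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```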
