Suspicious IIS Child Process - Possible ViewState Deserialization Exploitation

Detects shell or scripting processes spawned as direct children of w3wp.exe or iisexpress.exe, a high-fidelity indicator of deserialization vulnerability exploitation such as CVE-2025-53690 in Sitecore. This pattern occurs when an attacker exploits .NET ViewState to achieve remote code execution on IIS servers and runs OS commands.