
CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
Reproducible incident micro-postmortem for on-prem Microsoft SharePoint “ToolShell” (CVE-2025-53770): ATT&CK snapshot, “logs that matter” table, three hunts (KQL/SPL/Sigma), first-4-hours comms, sample data, and figures. Built for fast triage; no org data; SharePoint Online out of scope.
Readme
# Incident Micro-Postmortem — Microsoft SharePoint (On-Prem) “ToolShell” Campaign
This kit triages the mid-2025 “ToolShell” zero-day campaign against **on-premises** Microsoft SharePoint Server; SharePoint Online is out of scope. It delivers end-to-end reproducible hunts, comms, and figures without relying on external data.

**Why this repo exists:** accelerate analyst triage with reproducible detections and aligned executive communications.

## Scope and Assumptions
- On-prem Microsoft SharePoint Server only.
- Likely attack flow: internet-exposed SharePoint/IIS → crafted deserialization/ViewState abuse → webshell deployment → potential machineKey/ValidationKey theft → token forgery → RCE/lateral movement.
- Synthetic, illustrative data only; no real organizational telemetry or proprietary IOCs.

## ATT&CK Snapshot
Techniques emphasized: T1190 (Exploit Public-Facing Application), T1059.001 (PowerShell), T1505.003 (Web Shell), T1078 (Valid Accounts), T1027 (Obfuscated Files or Information), T1003 (OS Credential Dumping), T1082 (System Information Discovery), T1021 (Remote Services), T1071 (Application Layer Protocol), T1567 (Exfiltration Over Web Services).

![ATT&CK mini map](figures/attack-mini.png)

## Logs That Matter (Table)
| Phase | Signal | Log Source | Key Fields | Example Pattern |
| --- | --- | --- | --- | --- |
| Web tier/IIS | Long `__VIEWSTATE` blobs, unusual POSTs to `/_layouts/*`, rare UAs, 500/404 bursts | IIS/W3C logs, SharePoint ULS | `cs-uri-stem`, `cs-useragent`, `sc-status`, payload length | Spikes of large POST bodies followed by 500 errors |
| Process exec | `w3wp.exe -> cmd.exe -> powershell.exe` with `-enc` or `-EncodedCommand` | Windows Security 4688 | `ParentProcessName`, `NewProcessName`, `CommandLine`, `Account` | `C:\Windows\System32\inetsrv\w3wp.exe` spawning PowerShell with encoded payload |
| File create/webshell | Unexpected `.aspx` drops under `\inetpub\wwwroot\wss\...` or `\_layouts\...` | Sysmon 11 / File integrity feeds | `TargetFilename`, `Image`, `Hashes` | New `.aspx` in `\inetpub\wwwroot\wss\VirtualDirectories\80\App_Data\` |
| Identity/token | Abnormal session issuance, admin actions traced to service accounts | SharePoint ULS, AD FS logs | `User`, `ClientIP`, `CorrelationId`, token claims | Service account issuing multiple high-privilege tokens |
| DNS/Proxy | Newly-seen low-prevalence domains after IIS anomalies | DNS, proxy, firewall logs | `query`, `src_ip`, `count`, prevalence scores | First-seen domain resolving shortly after PowerShell execution |

## Run These Hunts Now
- [`hunts/w3wp_powershell_encodedcommand.kql`](hunts/w3wp_powershell_encodedcommand.kql) · [`SPL`](hunts/w3wp_powershell_encodedcommand.spl) · [`Sigma`](hunts/w3wp_powershell_encodedcommand.sigma.yaml): Catch encoded PowerShell spawned from IIS worker.
- [`hunts/sharepoint_webshell_filecreate.kql`](hunts/sharepoint_webshell_filecreate.kql) · [`SPL`](hunts/sharepoint_webshell_filecreate.spl) · [`Sigma`](hunts/sharepoint_webshell_filecreate.sigma.yaml): Identify unexpected `.aspx` files within SharePoint web roots.
- [`hunts/dns_newly_seen_post_iis_anomaly.kql`](hunts/dns_newly_seen_post_iis_anomaly.kql) · [`SPL`](hunts/dns_newly_seen_post_iis_anomaly.spl) · [`Sigma`](hunts/dns_newly_seen_post_iis_anomaly.sigma.yaml): Surface low-prevalence DNS domains following IIS anomalies and suspicious IIS child processes.
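The first two hunts above, expressed in Python over constructed 4688 and Sysmon 11 events so the logic can be read and tested offline. This is an added example, not the repo's KQL/SPL/Sigma files; the host name, account names, `deploy.exe`, the `.aspx` file names and the encoded strings are all constructed, and the allowlist parameters model the maintenance-window tuning described in the "Falsifiability" section.

```python
import re
from collections import Counter

# Constructed sample events standing in for samples/example_events.json (not the repo's data).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 4688, "host": "sp01", "Account": "svc_sp_apppool", "ParentProcessName": W3WP,
     "NewProcessName": PS, "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AA=="},
    {"id": 4688, "host": "sp01", "Account": "svc_sp_apppool", "ParentProcessName": W3WP,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -EncodedCommand dwBoAG8AYQBtAGkA"},
    {"id": 4688, "host": "sp01", "Account": "svc_devops", "ParentProcessName": W3WP,  # documented automation
     "NewProcessName": PS, "CommandLine": "powershell.exe -enc ZwBlAHQALQBkAGEAdABlAA=="},
    {"id": 11, "host": "sp01", "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\15\helper.aspx"},
    {"id": 11, "host": "sp01", "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\App_Data\x.aspx"},
    {"id": 11, "host": "sp01", "Image": r"C:\Tools\deploy.exe",  # change-ticketed deployment
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\15\app.aspx"},
]

# powershell.exe takes -EncodedCommand or its documented short forms -e, -ec and -enc.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?=\s)", re.IGNORECASE)
WEBROOT_RE = re.compile(r"\\inetpub\\wwwroot\\wss\\|\\_layouts\\", re.IGNORECASE)

def hunt_encoded_powershell(events, allowed_accounts=frozenset()):
    """4688: child of w3wp.exe whose command line carries an encoded PowerShell payload."""
    hits = []
    for e in events:
        if e.get("id") != 4688 or e["ParentProcessName"].lower() != W3WP.lower():
            continue
        cmd = e["CommandLine"]
        if "powershell" in cmd.lower() and ENC_RE.search(cmd):
            if e["Account"].lower() not in allowed_accounts:  # maintenance-window allowlist
                hits.append((e["host"], e["Account"], cmd))
    return hits

def hunt_webshell_filecreate(events, allowed_images=frozenset()):
    """Sysmon 11: count new .aspx files per web-root directory, skipping known deployment tools."""
    counts = Counter()
    skip = {i.lower() for i in allowed_images}
    for e in events:
        path = e.get("TargetFilename", "")
        if e.get("id") != 11 or not path.lower().endswith(".aspx") or not WEBROOT_RE.search(path):
            continue
        if e["Image"].lower() not in skip:
            counts[(e["host"], path.rsplit("\\", 1)[0])] += 1
    return counts
```

Run the two functions with and without the allowlists to see how many hits the benign automation account and the deployment tool add back when tuning is missing.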

## How To Reproduce On This Repo
- Review `samples/example_events.json` for representative Windows Security 4688, Sysmon 11, and DNS entries aligned to each hunt (benign noise included).
- Expected outputs (abridged):
  - PowerShell spawn hunt: `Account` of the app pool service account, `CommandLine` containing `-enc`, with 3 malicious hits and 1 benign admin script note.
  - Webshell file create hunt: aggregation showing 2 `.aspx` paths under `\inetpub\wwwroot\wss\VirtualDirectories\80\Layouts\` during the attack hour and a benign deployment entry.
  - DNS newly-seen hunt: domains `cdn-msupdate.example`, `toolshare-sync.example` tied to the IIS host IP with `<5` total queries in 24h plus one benign corporate CDN domain ignored by thresholding.
- False-positive tuning: align allowlists to documented admin automation windows, deployment change tickets, known CDN domains, and scripted maintenance tasks. Adjust time bins and prevalence thresholds based on platform norms; track service account behavior via baseline comparisons.
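The DNS newly-seen hunt and its thresholding, as an added example (not the repo's hunt files or sample data): it flags domains the IIS host resolved for the first time shortly after an IIS anomaly, drops anything with 5 or more fleet-wide queries in the lookback, and applies a CDN allowlist. The two domain names come from the expected outputs above; the timestamps, IP addresses, `updates.example`, `static.corpcdn.example` and the 30-minute window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed DNS log (not the repo's sample data): "timestamp src_ip query", one per line.
DNS_LOG = """\
2025-07-19T08:00:00Z 10.10.5.20 updates.example
2025-07-19T10:02:11Z 10.10.5.20 cdn-msupdate.example
2025-07-19T10:02:40Z 10.10.5.20 toolshare-sync.example
2025-07-19T10:03:05Z 10.10.5.20 toolshare-sync.example
2025-07-19T10:05:30Z 10.10.7.33 cdn-msupdate.example
""" + "".join(f"2025-07-19T{h:02d}:00:00Z 10.10.5.20 static.corpcdn.example\n" for h in range(6, 12))
IIS_HOST_IP = "10.10.5.20"
# Time of the IIS anomaly (large POST/500 burst or encoded PowerShell spawn) on that host.
ANOMALY_AT = datetime(2025, 7, 19, 10, 1, 30)

def parse_dns(text):
    """Parse the constructed log into (timestamp, src_ip, query) tuples."""
    recs = []
    for line in text.splitlines():
        ts, src, query = line.split()
        recs.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, query.lower()))
    return recs

def newly_seen_after_anomaly(recs, anomaly_at, iis_ip, window=timedelta(minutes=30),
                             max_queries=5, allowlist=frozenset()):
    """Domains first resolved by the IIS host inside `window` after the anomaly, with
    fewer than `max_queries` queries fleet-wide in the lookback (low prevalence)."""
    prevalence = Counter(q for _, _, q in recs)
    first_seen = {}
    for ts, src, q in sorted(recs):           # earliest record per domain wins
        first_seen.setdefault(q, (ts, src))
    hits = []
    for q, (ts, src) in first_seen.items():
        if q in allowlist or prevalence[q] >= max_queries:  # allowlist / thresholding
            continue
        if src == iis_ip and anomaly_at <= ts <= anomaly_at + window:
            hits.append((q, ts.isoformat(), prevalence[q]))
    return sorted(hits)

def demo(allowlist=frozenset()):
    """Run the hunt over the constructed log with the constructed anomaly time."""
    return newly_seen_after_anomaly(parse_dns(DNS_LOG), ANOMALY_AT, IIS_HOST_IP, allowlist=allowlist)

if __name__ == "__main__":
    for q, first, n in demo():
        print(f"{q}: first seen {first} by {IIS_HOST_IP}, {n} queries in 24h")
```

The corporate CDN domain is dropped by the prevalence threshold alone, so the allowlist only matters for low-volume domains that are known-good.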

## First 4 Hours — Comms Plan
- See `comms/first_4h.md` for ready-to-send templates and placeholders.
- Cadence: T+0–30 triage notification (stakeholders aligned), T+30–120 hourly scoping stand-ups, T+120–240 containment status plus executive brief aligned to the decision tree.
- Decision tree visual: `figures/decision-tree.png` mirrors the ASCII logic in the comms pack.

## Falsifiability and Limitations
- If IIS app pool automation legitimately launches PowerShell with encoded scripts (e.g., DevOps tooling), the PowerShell hunt will trigger; maintain maintenance allowlists and track known automation accounts.
- Rapid attacker cleanup or alternative tooling (e.g., unmanaged CLR webshells, C# assemblies) may evade file creation telemetry, especially if Sysmon coverage is incomplete or tamper-prone.

## Future Work (Optional)
- AppSec guardrails for SharePoint-adjacent apps: secret scanning for machine keys, CI checks for dangerous deserialization patterns, and web-root integrity monitoring during build pipelines.

## Sources (Non-quoted, general references)
- Microsoft security guidance (on-prem scope):
https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770
- NVD CVE (mid-2025 SharePoint on-prem):
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- CISA advisory/MAR (mid-2025 SharePoint):
https://www.cisa.gov/news-events/analysis-reports/ar25-218a

Vendor research:
- Unit 42 — https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- SentinelOne — https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/
- Trend Micro — https://www.trendmicro.com/en_us/research.html (search: "SharePoint ToolShell CVE-2025-53770")

## After-Build Notes — How to Adapt to Live SIEM/EDR
- Update index/table names (`index=*`, `SecurityEvent`, `Sysmon`) to match local data models (e.g., `m365:security`, `wineventlog`).
- Replace placeholder fields (`Account`, `ClientIP`, `TargetFilename`) with environment-specific aliases or normalized schemas (e.g., `user`, `ip_src`, `file_path`).
- Confirm timezone alignment; adjust `ago(24h)` or earliest windows to match fleet retention and detection latency.
- Embed environment-specific allowlists (service accounts, deployment hosts) to reduce noise while preserving attacker coverage.

File Snapshot

```
[4.0K] /data/pocs/5a5cc68c1f6b39af132da744750ecc12603690f9
├── [4.0K] comms
│   └── [2.6K] first_4h.md
├── [4.0K] figures
│   ├── [4.9K] attack-mini.png
│   ├── [7.0K] decision-tree.png
│   ├── [ 11K] generate_figures.py
│   └── [  34] Makefile
├── [4.0K] hunts
│   ├── [ 352] dns_newly_seen_post_iis_anomaly.kql
│   ├── [1.1K] dns_newly_seen_post_iis_anomaly.sigma.yaml
│   ├── [ 460] dns_newly_seen_post_iis_anomaly.spl
│   ├── [ 241] sharepoint_webshell_filecreate.kql
│   ├── [ 446] sharepoint_webshell_filecreate.sigma.yaml
│   ├── [ 235] sharepoint_webshell_filecreate.spl
│   ├── [ 314] w3wp_powershell_encodedcommand.kql
│   ├── [ 481] w3wp_powershell_encodedcommand.sigma.yaml
│   └── [ 274] w3wp_powershell_encodedcommand.spl
├── [4.0K] ioc
│   └── [ 477] iocs.csv
├── [1.0K] LICENSE
├── [4.0K] onepager
│   └── [ 954] README.onepager-stub.md
├── [4.0K] pics
│   ├── [ 19K] decision_tree.png
│   ├── [ 35K] dns_spl_query.png
│   ├── [204K] full_pdf.png
│   ├── [ 96K] logs_that_matter.png
│   └── [ 48K] sigma_rules_dns.png
├── [6.7K] README.md
├── [4.0K] samples
│   └── [ 12K] example_events.json
└── [4.0K] tools
    ├── [3.1K] lint_sigma.py
    └── [1.3K] validate_samples.py

9 directories, 26 files
```