Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
Honeypot for CVE-2025-53770 aka ToolShell
Readme
# ToolShell-Honeypot (SharePoint Zero-Day)
A Docker-based honeypot focused on detecting and logging exploitation attempts against Microsoft SharePoint zero-day vulnerabilities.
**This honeypot is designed for early detection and threat intelligence, not for simulating a full SharePoint environment or post-exploitation activity.**
## Main Features
- **Advanced tag-based detection** (IOC, Pattern, Heuristic categories)
- **R7 Metasploit exploit analysis** with complete payload decompression
- **Sub-100ms response times** via asynchronous Sensor+Analyzer architecture
- YARA-based detection on raw **and decompressed** payloads
- Logs all HTTP requests with enhanced analysis and IIS header emulation
- **Intelligence dashboard** with real-time analytics and tag filtering
- HTTPS with self-signed certificate
- Modular 3-service Docker architecture
## Coverage and Limitations
**What this honeypot does:**
- Detects and logs exploit attempts targeting known SharePoint vulnerabilities ([CVE-2025-49704](https://www.cve.org/CVERecord?id=CVE-2025-49704), [CVE-2025-49706](https://www.cve.org/CVERecord?id=CVE-2025-49706), [CVE-2025-53770](https://www.cve.org/CVERecord?id=CVE-2025-53770), [CVE-2025-53771](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771))
- Captures payloads, including webshells, encoded commands, and obfuscated content
- Provides IOC and YARA-based detection for threat intelligence and research
**What this honeypot does NOT do:**
- Does **not** simulate full SharePoint authentication, session management, or dynamic content
- Does **not** allow post-exploitation interaction (e.g., webshell command execution, file download/upload, lateral movement)
- Attackers may quickly realize the system is a honeypot after the initial response
## Architecture
```
Docker Compose
├── honeypot (Sensor - HTTP capture, port 443, <100ms response)
├── analyzer (Deep analysis engine, tag-driven processing)
└── dashboard (Intelligence dashboard, port 8501)
```
### Data Flow
```
HTTP Request → Sensor → Event Queue → Analyzer → Dashboard
                 ↓             ↓             ↓
           Fast Response  SHA256 Body  Deep Analysis
           Tag Assignment Raw Storage  YARA + R7
```
**Key Improvements:**
- Asynchronous processing (responses never blocked by analysis)
- Tag-driven pipeline (IOC/Pattern/Heuristic classification)
- Complete R7 exploit analysis (Gzip→Base64→.NET decompression)
- SHA256-based body deduplication
## Detection Pipeline
```mermaid
flowchart TD
A[HTTP Request] --> B[Sensor: Tag Assignment]
B --> C{Route-Based IOCs}
B --> D{Pattern Detection}
B --> E{Heuristic Analysis}
C --> F[IOC Tags]
D --> G[Pattern Tags]
E --> H[Heuristic Tags]
F --> I[Event JSON + Body Storage]
G --> I
H --> I
I --> J[Event Queue]
J --> K[Analyzer: Deep Analysis]
K --> L{Tag-Driven Pipeline}
L -->|R7_PAYLOAD| M[Gzip→Base64→.NET Analysis]
L -->|LARGE_B64| N[Generic Base64 Decoding]
L -->|Always| O[YARA Scanning]
M --> P[Enhanced Event JSON]
N --> P
O --> P
P --> Q[Dashboard Intelligence]
```
### Tag Categories
- **IOC Tags**: High-confidence indicators (IOC:ENDPOINT_TOOLPANE, IOC:CVE_2025_53771)
- **Pattern Tags**: Known exploit signatures (PATTERN:R7_PAYLOAD, PATTERN:YSOSERIAL)
- **Heuristic Tags**: Anomaly detection (HEURISTIC:LARGE_B64, HEURISTIC:UNUSUAL_METHOD)
## Available Tags Reference
### 🔴 IOC Tags (High Risk Indicators)
*High-confidence compromise indicators with immediate alert priority*
**Endpoint-based IOCs:**
- `IOC:ENDPOINT_TOOLPANE` - Access to /_layouts/15|16/ToolPane.aspx
- `IOC:ENDPOINT_SIGNOUT` - Access to /_layouts/SignOut.aspx
- `IOC:ENDPOINT_FAVICON` - Access to /favicon.ico
- `IOC:ENDPOINT_ACLEDITOR` - Access to /_controltemplates/15|16/AclEditor.ascx
- `IOC:ENDPOINT_LAYOUTS_ASPX` - Generic /_layouts/*.aspx endpoint access
- `IOC:WEBSHELL_PROBE` - Webshell probe endpoint detection
**CVE-Specific IOCs:**
- `IOC:CVE_2025_53771` - Trailing slash authentication bypass (CVE-2025-53771)
**Parameter-based IOCs:**
- `IOC:PARAM_DISPLAYMODE_EDIT` - DisplayMode=Edit parameter detected
- `IOC:PARAM_TOOLPANE_REFERENCE` - Parameter value referencing ToolPane
**Header-based IOCs:**
- `IOC:REFERER_SIGNOUT` - Referer header contains SignOut.aspx
- `IOC:SUSPICIOUS_USER_AGENT` - Suspicious User-Agent pattern (e.g., Firefox/120.0)
### 🟠 Pattern Tags (Known Exploits)
*Signatures of known exploit frameworks and payload patterns*
**Exploit Signatures:**
- `PATTERN:R7_PAYLOAD` - Metasploit R7 exploit (MSOTlPn_DWP + CompressedDataTable)
- `PATTERN:VIEWSTATE_EXPLOIT` - __VIEWSTATE exploitation attempt
- `PATTERN:YSOSERIAL` - Java deserialization tool (ysoserial keyword)
**Code Execution Patterns:**
- `PATTERN:POWERSHELL` - PowerShell commands/scripts detected
- `PATTERN:ASPX_WEBSHELL` - ASPX webshell upload attempts
### 🟡 Heuristic Tags (Anomaly Detection)
*Behavioral anomaly detection for unknown threats*
**Payload Anomalies:**
- `HEURISTIC:LARGE_PAYLOAD` - Payload size >1KB (1024 bytes)
- `HEURISTIC:LARGE_B64` - Base64 content >100 characters
- `HEURISTIC:MULTIPLE_B64` - Multiple Base64 strings (>3)
**Parameter Anomalies:**
- `HEURISTIC:MANY_PARAMETERS` - Excessive URL parameters (>10)
- `HEURISTIC:MISSING_CONTENT_TYPE` - POST request without Content-Type
- `HEURISTIC:MALFORMED_MULTIPART` - Malformed multipart data
**Request Anomalies:**
- `HEURISTIC:UNUSUAL_METHOD` - Unusual HTTP methods (PUT/DELETE/PATCH)
- `HEURISTIC:LONG_PATH` - Extremely long URL path (>200 characters)
- `HEURISTIC:UNKNOWN_ENDPOINT` - Unmonitored endpoint (catch-all route)
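The three tag categories above, written out as one sensor-side classifier, as an added example: this is not the project's own honeypot.py. It reuses the thresholds the README states (1 KB body, Base64 runs over 100 characters, more than 3 runs, more than 10 parameters, paths over 200 characters); the `Request` record, the regular expressions, and the reading of `IOC:CVE_2025_53771` as the trailing-slash form of the ToolPane path are assumptions made here.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Hypothetical request record; the real sensor would fill it from the live HTTP request."""
    method: str
    url: str        # path plus query string, e.g. "/_layouts/15/ToolPane.aspx?DisplayMode=Edit"
    headers: dict
    body: bytes = b""


TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/ToolPane\.aspx", re.IGNORECASE)
ACLEDITOR_RE = re.compile(r"^/_controltemplates/1[56]/AclEditor\.ascx", re.IGNORECASE)
WEBSHELL_PROBES = {"spinstall0.aspx", "spinstall.aspx", "spinstall1.aspx", "info3.aspx", "xxx.aspx"}
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")   # Base64 runs longer than 100 characters


def assign_tags(req: Request) -> list:
    """Sorted IOC/PATTERN/HEURISTIC tags for one request, using the README's thresholds."""
    tags = set()
    parts = urlsplit(req.url)
    path, low = parts.path, parts.path.lower()
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    hdr = {k.lower(): v for k, v in req.headers.items()}

    # Endpoint-based IOCs, most specific first; anything unmatched is the catch-all route
    if TOOLPANE_RE.match(path):
        tags.add("IOC:ENDPOINT_TOOLPANE")
        if path.endswith("/"):       # assumed here: the trailing-slash form of the ToolPane path
            tags.add("IOC:CVE_2025_53771")
    elif low == "/_layouts/signout.aspx":
        tags.add("IOC:ENDPOINT_SIGNOUT")
    elif low == "/favicon.ico":
        tags.add("IOC:ENDPOINT_FAVICON")
    elif ACLEDITOR_RE.match(path):
        tags.add("IOC:ENDPOINT_ACLEDITOR")
    elif low.rsplit("/", 1)[-1] in WEBSHELL_PROBES:
        tags.add("IOC:WEBSHELL_PROBE")
    elif low.startswith("/_layouts/") and low.endswith(".aspx"):
        tags.add("IOC:ENDPOINT_LAYOUTS_ASPX")
    else:
        tags.add("HEURISTIC:UNKNOWN_ENDPOINT")

    # Parameter- and header-based IOCs
    if query.get("displaymode", [""])[0].lower() == "edit":
        tags.add("IOC:PARAM_DISPLAYMODE_EDIT")
    if any("toolpane" in v.lower() for vals in query.values() for v in vals):
        tags.add("IOC:PARAM_TOOLPANE_REFERENCE")
    if "signout.aspx" in hdr.get("referer", "").lower():
        tags.add("IOC:REFERER_SIGNOUT")
    if "Firefox/120.0" in hdr.get("user-agent", ""):
        tags.add("IOC:SUSPICIOUS_USER_AGENT")

    # Pattern tags: the exploit-framework markers the README names
    if b"MSOTlPn_DWP" in req.body and b"CompressedDataTable" in req.body:
        tags.add("PATTERN:R7_PAYLOAD")
    if b"__VIEWSTATE" in req.body:
        tags.add("PATTERN:VIEWSTATE_EXPLOIT")
    if b"ysoserial" in req.body.lower():
        tags.add("PATTERN:YSOSERIAL")

    # Heuristic tags: size, encoding and shape anomalies
    if len(req.body) > 1024:
        tags.add("HEURISTIC:LARGE_PAYLOAD")
    b64_runs = B64_RUN_RE.findall(req.body)
    if b64_runs:
        tags.add("HEURISTIC:LARGE_B64")
    if len(b64_runs) > 3:
        tags.add("HEURISTIC:MULTIPLE_B64")
    if len(query) > 10:
        tags.add("HEURISTIC:MANY_PARAMETERS")
    ctype = hdr.get("content-type", "")
    if req.method == "POST" and not ctype:
        tags.add("HEURISTIC:MISSING_CONTENT_TYPE")
    if ctype.lower().startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;]+)", ctype)        # the boundary must be declared and present
        if not m or ("--" + m.group(1).strip().strip('"')).encode() not in req.body:
            tags.add("HEURISTIC:MALFORMED_MULTIPART")
    if req.method in {"PUT", "DELETE", "PATCH"}:
        tags.add("HEURISTIC:UNUSUAL_METHOD")
    if len(path) > 200:
        tags.add("HEURISTIC:LONG_PATH")
    return sorted(tags)
```

Endpoint tags are assigned with an `elif` chain so a request carries exactly one of them, which is what keeps `IOC:ENDPOINT_LAYOUTS_ASPX` a generic fallback rather than a duplicate of `IOC:ENDPOINT_TOOLPANE`; parameter, header, pattern and heuristic checks are independent and stack, which is why a single ToolPane POST can collect half a dozen tags.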
## Monitored Endpoints and Patterns
- `/` (catch-all)
- `/favicon.ico`
- `/_layouts/SignOut.aspx`
- `/_layouts/15/ToolPane.aspx` and `/_layouts/16/ToolPane.aspx` (POST/GET, parameters DisplayMode=Edit, a=/ToolPane.aspx)
- `/_layouts/15/spinstall0.aspx`, `/_layouts/16/spinstall0.aspx`, `spinstall.aspx`, `spinstall1.aspx`, `info3.aspx`, `xxx.aspx`
## Indicators of Compromise (IOC)
- ToolPane exploit endpoint (with suspicious params)
- DisplayMode=Edit param
- a=/ToolPane.aspx param
- Referer SignOut.aspx
- Suspicious User-Agent (e.g., Firefox/120.0)
- Webshell probe endpoints
- ViewState payload in POST body
## YARA Rules and Advanced Detection
- Detects known exploits, webshells, PowerShell encoded/obfuscated payloads, and suspicious binaries
- Rules are applied to both raw and decoded (base64, UTF-16LE) payloads
- Easily extensible for new threats
- **Custom Rules**: You can add your own YARA rules to the `yara_rules/` directory
- **Rule Examples**: For additional rule examples and community contributions, see [awesome-yara](https://github.com/InQuest/awesome-yara)
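An added example of the analyzer side, serving both the tag-driven pipeline diagram above and the raw-plus-decoded scanning described in this section; it is not the project's analyzer.py. It decodes Base64 runs, gunzips them when they carry the gzip magic, converts UTF-16LE text back to UTF-8, recurses into what it finds, scans every layer, and moves the event from `events/new` to `events/processed` (or `events/error`). The YARA step is replaced by substring rules so it runs without yara-python; the layer names, the recursion limit, and the sample event and body (constructed in a scratch directory, labelled as such in the code) are assumptions made here.

```python
import base64
import gzip
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Stand-in for the YARA step so the example runs offline: substring "rules" keyed by rule name.
# The project compiles yara_rules/*.yar with yara-python; the match summary has the same shape.
RULES = {"PowerShell_EncodedCommand": b"-EncodedCommand", "Constructed_Marker": b"constructed sample"}
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")  # same >100-char threshold as HEURISTIC:LARGE_B64
MAX_DEPTH = 3  # assumed recursion limit for nested encodings


def looks_utf16le(data: bytes) -> bool:
    # ASCII text stored as UTF-16LE has a NUL in (almost) every odd position
    return len(data) >= 8 and data[0] != 0 and data[1::2].count(0) * 2 >= len(data) * 0.9


def decode_layers(data: bytes, name="raw", depth=0, seen=None) -> list:
    """[(layer_name, bytes)]: the input, then each Base64 run decoded, gunzipped if it is gzip,
    converted from UTF-16LE when it looks like it, and recursed into up to MAX_DEPTH levels."""
    seen = set() if seen is None else seen
    layers = [(name, data)]
    if depth >= MAX_DEPTH:
        return layers
    for run in B64_RUN_RE.findall(data):
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4))
        except ValueError:  # binascii.Error is a ValueError: a long alphanumeric run, not Base64
            continue
        if decoded in seen:
            continue
        seen.add(decoded)
        sub = name + ">b64"
        if decoded[:2] == b"\x1f\x8b":  # gzip magic: the compressed R7 payload path
            try:
                decoded, sub = gzip.decompress(decoded), sub + ">gzip"
            except (OSError, EOFError):
                pass
        if looks_utf16le(decoded):
            decoded, sub = decoded.decode("utf-16-le", "ignore").encode(), sub + ">utf16le"
        layers += decode_layers(decoded, sub, depth + 1, seen)
    return layers


def scan(layers, rules=RULES) -> dict:
    """{rule_name: [layers it matched]}: rules run on the raw body AND every decoded layer."""
    hits = {}
    for name, data in layers:
        for rule, needle in rules.items():
            if needle in data:
                hits.setdefault(rule, []).append(name)
    return hits


def process_event(data_dir, event_file) -> dict:
    """One analyzer pass: load the queued event, fetch its body by SHA256, run the tag-driven
    pipeline, and move the event from events/new to events/processed (or events/error)."""
    data, event_file = Path(data_dir), Path(event_file)
    try:
        event = json.loads(event_file.read_text())
        body = b""
        if event.get("body_sha256"):
            body = (data / "raw_bodies" / f"{event['body_sha256']}.bin").read_bytes()
        deep = any(t in event.get("tags", []) for t in ("PATTERN:R7_PAYLOAD", "HEURISTIC:LARGE_B64"))
        layers = decode_layers(body) if deep else [("raw", body)]  # the scan itself always runs
        event["analysis"] = {"layers": [n for n, _ in layers], "hits": scan(layers)}
        dest = data / "events" / "processed" / event_file.name
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(json.dumps(event))
        event_file.unlink()
        return event
    except Exception as exc:  # park anything unexpected so the queue keeps moving
        err = data / "events" / "error"
        err.mkdir(parents=True, exist_ok=True)
        shutil.move(str(event_file), str(err / event_file.name))
        return {"error": repr(exc)}


def write_sample_event(data_dir) -> Path:
    """Constructed sample, not captured traffic: a form body carrying Base64(gzip(text)) where the
    text itself carries Base64(UTF-16LE), stored the way the sensor stores a real request."""
    inner = base64.b64encode("Write-Output 'constructed sample: honeypot analyzer demo, no real command'".encode("utf-16-le"))
    stage1 = b"powershell -NoProfile -NonInteractive -EncodedCommand " + inner
    body = b"MSOTlPn_DWP=1&CompressedDataTable=" + base64.b64encode(gzip.compress(stage1))
    data = Path(data_dir)
    (data / "raw_bodies").mkdir(parents=True, exist_ok=True)
    (data / "events" / "new").mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(body).hexdigest()
    (data / "raw_bodies" / f"{digest}.bin").write_bytes(body)  # SHA256-named body, written once
    event_file = data / "events" / "new" / "sample.json"
    event_file.write_text(json.dumps({"method": "POST", "url": "/_layouts/15/ToolPane.aspx",
                                      "tags": ["IOC:ENDPOINT_TOOLPANE", "PATTERN:R7_PAYLOAD"],
                                      "body_sha256": digest}))
    return event_file


def run_demo() -> dict:
    """Push the constructed sample through the pipeline in a scratch directory; return the event."""
    data_dir = tempfile.mkdtemp()
    return process_event(data_dir, write_sample_event(data_dir))
```

The point the layer names make is that a rule which matches only on the innermost text (`Constructed_Marker` here) would never fire on the raw body: it needs the Base64, gzip and UTF-16LE layers peeled first, which is exactly why the README applies YARA to decoded payloads as well as raw ones. `seen` prevents the same decoded bytes from being scanned twice when a run appears in more than one layer.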
## Data Collected and Displayed
- **Request metadata**: method, path, IP, headers, query args, enhanced tag system (IOC/Pattern/Heuristic)
- **POST bodies**: SHA256-named .bin files with deduplication (replaces daily ZIP archives)
- **Deep analysis results**: R7 payload decompression, YARA matches on raw + decoded content
- **Enhanced logs**: Event-driven JSON with sensor capture and analyzer results
- **Dashboard**: Real-time tag filtering, performance monitoring, R7 exploit alerts, intelligence export
## Quick Start
1. **Generate a self-signed certificate**:
```bash
openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 -keyout key.pem -out cert.pem \
-subj "/CN=sharepoint.local"
cp cert.pem key.pem ToolShell-Honeypot/
```
2. **Build and run all services**:
```bash
cd ToolShell-Honeypot
sudo docker-compose up --build
```
Or use the interactive management script:
```bash
./manage.sh
```
Choose option 6 to start all services, or start components individually.
3. **Test the honeypot**:
```bash
# Comprehensive test suite covering all features
./test_comprehensive.sh
```
4. **Access the dashboard**:
Open `http://localhost:8501` to view the intelligence dashboard with:
- Tag-based filtering (IOC, Pattern, Heuristic categories)
- R7 exploit detection alerts with payload decompression status
- Real-time performance metrics (response times, analysis speed)
- Export capabilities (JSON, CSV, raw payloads)
The test scripts simulate real-world attack scenarios. Check the dashboard to review results, IOC detection, and data analysis.
## Service Management (manage.sh)
A management script is provided for easy control of the honeypot and dashboard services.
**Usage:**
```bash
cd ToolShell-Honeypot
chmod +x manage.sh # (first time only)
./manage.sh
```
**Menu options:**
- 0: Build all Docker images
- 1: Start only the honeypot (sensor)
- 2: Start only the analyzer
- 3: Start only the dashboard
- 4: Start honeypot + analyzer
- 5: Start analyzer + dashboard
- 6: Start all services (honeypot + analyzer + dashboard)
- 7: Show status
- 8-11: Stop individual services
- q: Quit
## Notes
- Data is saved in ./data with structure: /raw_bodies, /events/{new,processed,error}
- SHA256-based body deduplication (replaces daily ZIP archives)
- Dashboard, honeypot (sensor), and analyzer are separated for security and performance
- access.log is SIEM-compatible with enhanced tag information
- Sub-100ms response times achieved via asynchronous processing
## Threat Intelligence and Detection Logic
The IOC patterns, YARA rules, and detection logic are based on real-world attack campaigns and public threat intelligence for ToolShell/SharePoint vulnerabilities, including:
- Exploit attempts on ToolPane.aspx endpoints with specific parameters
- Use of known malicious Referer and User-Agent headers
- Probing of webshell endpoints
- Detection of ViewState payloads in POST bodies
- Advanced PowerShell obfuscation and webshell delivery techniques
**Relevant CVEs:**
- [CVE-2025-49704](https://www.cve.org/CVERecord?id=CVE-2025-49704): Improper code generation control (code injection) in SharePoint
- [CVE-2025-49706](https://www.cve.org/CVERecord?id=CVE-2025-49706): Improper authentication in SharePoint
- [CVE-2025-53770](https://www.cve.org/CVERecord?id=CVE-2025-53770): Deserialization of untrusted data in SharePoint
- [CVE-2025-53771](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771): Path traversal in SharePoint
## TODO
- Webhook alerting
- Advanced parsing
- SIEM integration
- Dashboard authentication
- Extend honeypot capabilities to simulate authentication, session management, dynamic content and limited post-exploitation interaction (e.g., webshell command execution, file upload/download) for deeper attacker engagement and analysis
- ...and many more
File Snapshot
[4.0K] /data/pocs/6e226dad1f17c28516d9bb2208c897ada421057c
├── [ 14K] analyzer.py
├── [ 17K] dashboard.py
├── [ 719] docker-compose.yml
├── [ 708] Dockerfile.analyzer
├── [ 201] Dockerfile.dashboard
├── [ 203] Dockerfile.honeypot
├── [ 13K] honeypot.py
├── [1.8K] manage.sh
├── [ 10K] README.md
├── [ 97] requirements.txt
├── [ 17K] test_comprehensive.sh
└── [4.0K] yara_rules
└── [3.4K] toolshell_honeypot.yar
2 directories, 12 files