Date: 08/07/2025
Severity: Critical
Summary
Detects exploitation of SharePoint servers through the ToolShell vulnerability CVE-2025-53770. The earlier related CVEs are CVE-2025-49706 and CVE-2025-49704. CVE-2025-53770 introduces a new and stealthy webshell, known as SharpyShell, which extracts and leaks cryptographic secrets from the SharePoint server via a basic GET request.
Indicators of Compromise (IOC) List
Type           | Indicator
---------------|--------------------------------------------------------------------------------------------------
Domains\URLs   | /_layouts/15/ToolPane.aspx DisplayMode=Edit
               | /_layouts/15/spinstall0.aspx
IP Address     | 107.191.58.76
               | 104.238.159.149
               | 96.9.125.1
Hash (SHA-256) | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
Commandline    | EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0
               | Spinstall
               | yoserial
Useragent      | Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx
Filename       | TEMPLATE\LAYOUTS\spinstall0.aspx
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Type           | TDIR query
---------------|--------------------------------------------------------------------------------------------------
Domains\URLs   | domainname like "/_layouts/15/ToolPane.aspx DisplayMode=Edit" or url like "/_layouts/15/ToolPane.aspx DisplayMode=Edit" or siteurl like "/_layouts/15/ToolPane.aspx DisplayMode=Edit" or domainname like "/_layouts/15/spinstall0.aspx" or url like "/_layouts/15/spinstall0.aspx" or siteurl like "/_layouts/15/spinstall0.aspx"
IP Address     | dstipaddress IN ("107.191.58.76","104.238.159.149","96.9.125.1") or srcipaddress IN ("107.191.58.76","104.238.159.149","96.9.125.1")
Hash (SHA-256) | sha256hash IN ("92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514")
Commandline    | commandline like "EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" or commandline like "Spinstall" or commandline like "yoserial"
Useragent      | useragent like "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx"
Filename       | Resourcename like "Windows Security" and eventtype = "4663" and objectname like "TEMPLATE\LAYOUTS\spinstall0.aspx"
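The queries above are written for the Gurucul TDIR platform. As an added example (not part of the original advisory and not Gurucul's code), the following Python script applies the same indicators to raw telemetry for anyone who needs to sweep logs outside that platform: it parses IIS W3C extended log text (field layout taken from the #Fields: header) and a list of host event records, and reports which IoC each record matches. All sample log lines and event records are constructed. One assumption is labelled in the code: the "/_layouts/SignOut.aspx" path listed in the advisory's Useragent row is treated as the Referer header of the same request, since IIS logs the User-Agent and Referer as separate fields.

```python
"""Match the advisory's ToolShell IoCs against IIS logs and host events (added example)."""

# Indicators taken from the advisory above.
IOC_TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
IOC_TOOLPANE_QUERY = "displaymode=edit"
IOC_SPINSTALL_STEM = "/_layouts/15/spinstall0.aspx"
IOC_IPS = frozenset({"107.191.58.76", "104.238.159.149", "96.9.125.1"})
IOC_SHA256 = frozenset({"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"})
IOC_CMDLINE = ("EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0", "Spinstall", "yoserial")
IOC_USER_AGENT = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0"
# Assumption: the SignOut.aspx path in the advisory's Useragent row is the request's Referer.
IOC_REFERER = "/_layouts/signout.aspx"
IOC_FILENAME = r"template\layouts\spinstall0.aspx"


def parse_w3c(text):
    """Parse IIS W3C extended log text into one dict per request, keyed by #Fields: names."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        rows.append(dict(zip(fields, values)))
    return rows


def check_request(row):
    """Return the IoC labels a single IIS request matches (empty list if none)."""
    hits = []
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "").lower()
    if stem == IOC_TOOLPANE_STEM and IOC_TOOLPANE_QUERY in query:
        hits.append("url:ToolPane.aspx DisplayMode=Edit")
    if stem == IOC_SPINSTALL_STEM:
        hits.append("url:spinstall0.aspx")
    if row.get("c-ip") in IOC_IPS:
        hits.append("ip:" + row["c-ip"])
    if row.get("cs(User-Agent)") == IOC_USER_AGENT and IOC_REFERER in row.get("cs(Referer)", "").lower():
        hits.append("useragent+referer")
    return hits


def scan_iis_log(text):
    """Return (line_index, hits) for every parsed request that matches at least one IoC."""
    results = []
    for i, row in enumerate(parse_w3c(text)):
        hits = check_request(row)
        if hits:
            results.append((i, hits))
    return results


def check_host_event(event):
    """Return IoC labels for one host record: command line, 4663 file access, or file hash."""
    hits = []
    cmd = event.get("commandline", "").lower()
    hits += ["commandline:" + n for n in IOC_CMDLINE if n.lower() in cmd]
    if (event.get("resourcename") == "Windows Security" and event.get("eventtype") == "4663"
            and IOC_FILENAME in event.get("objectname", "").lower()):
        hits.append("file:spinstall0.aspx")
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("hash:" + event["sha256hash"].lower())
    return hits


def scan_host_events(events):
    """Return (index, hits) for every host record matching at least one IoC."""
    return [(i, check_host_event(e)) for i, e in enumerate(events) if check_host_event(e)]


# Constructed sample data: one benign request, one ToolPane request, one spinstall0 request.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:02:11 10.0.0.5 GET /sites/hr/default.aspx - 10.0.0.77 Mozilla/5.0+(X11;+Linux+x86_64) - 200
2025-07-19 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.corp.example/_layouts/SignOut.aspx 200
2025-07-19 10:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 96.9.125.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
"""

# Constructed host records in the shape the advisory's queries expect.
SAMPLE_HOST_EVENTS = [
    {"eventtype": "4688", "commandline": "powershell.exe -EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0"},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"eventtype": "4688", "commandline": 'w3wp.exe -ap "SharePoint - 80"'},
    {"sha256hash": "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514", "objectname": "spinstall0.aspx"},
]

if __name__ == "__main__":
    for idx, hits in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"IIS request {idx}: {hits}")
    for idx, hits in scan_host_events(SAMPLE_HOST_EVENTS):
        print(f"host event {idx}: {hits}")
```

Matching is case-insensitive on paths and file names, mirroring the advisory's `like` clauses; the User-Agent string is compared exactly because IIS records it with `+` substituted for spaces, and a request with that agent but no SignOut.aspx Referer (the third sample line) only trips the URL and IP indicators.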
Reference:
https://www.cisa.gov/news-events/analysis-reports/ar25-218a