Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators

    Date: 07/22/2025

    Severity: High

    Summary

    Detects potential exploitation of CVE-2025-53770 by monitoring for indicators such as suspicious command-line activity observed during post-exploitation stages. CVE-2025-53770 is a zero-day vulnerability in SharePoint that enables remote code execution.

    Indicators of Compromise (IOC) List

    ParentProcessName

    '\w3wp.exe'

    CommandLine

    'spinstall0.aspx'

    ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS'

    ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'

    ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'

    ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

    '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'

    'TEMPLATE\LAYOUTS\spinstall0.aspx'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    ((resourcename = "Windows Security"  AND eventtype = "4688") AND ((parentprocessname like "\w3wp.exe" AND (commandline like "spinstall0.aspx" OR commandline like ":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS" OR commandline like ":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS" OR commandline like ":\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS" OR commandline like ":\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS")) OR (commandline like "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" OR commandline like "TEMPLATE\LAYOUTS\spinstall0.aspx")))

    Detection Query 2:

    ((technologygroup = "EDR") AND ((parentprocessname like "\w3wp.exe" AND (commandline like "spinstall0.aspx" OR commandline like ":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS" OR commandline like ":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS" OR commandline like ":\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS" OR commandline like ":\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS")) OR (commandline like "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" OR commandline like "TEMPLATE\LAYOUTS\spinstall0.aspx")))
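    The two queries share one inner condition and differ only in their source filter (Security event 4688 for Query 1, EDR telemetry for Query 2). The following is an added example, not Gurucul's code, that re-implements that logic in Python and runs it over constructed process-creation records, so the match branches can be exercised offline. Field names mirror the queries; it is assumed here that the query language's `like` is a case-insensitive substring match, and the encoded PowerShell payload in the sample data is a harmless constructed placeholder whose UTF-16LE/base64 form begins with the same prefix the IOC list gives.

```python
"""Added example (not Gurucul's code): the detection logic of Query 1 and Query 2
re-implemented in Python and run over constructed process-creation records."""
import base64
from typing import Iterable, List, Optional

# Indicators copied from the IOC list above.
PARENT_PROCESS_IOC = "\\w3wp.exe"
WEBSHELL_NAME_IOC = "spinstall0.aspx"
LAYOUTS_PATH_IOCS = [
    ":\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS",
    ":\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS",
    ":\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS",
    ":\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS",
]
ENCODED_COMMAND_IOC = "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0"
WEBSHELL_PATH_IOC = "TEMPLATE\\LAYOUTS\\spinstall0.aspx"


def _like(haystack: str, needle: str) -> bool:
    """Assumed semantics of the query language's `like`: case-insensitive substring."""
    return needle.lower() in haystack.lower()


def in_scope(event: dict) -> bool:
    """Source filter: Query 1 (Windows Security event 4688) or Query 2 (EDR telemetry)."""
    query1 = event.get("resourcename") == "Windows Security" and event.get("eventtype") == "4688"
    query2 = event.get("technologygroup") == "EDR"
    return query1 or query2


def matches_toolshell_indicators(event: dict) -> bool:
    """The inner condition shared by both queries."""
    parent = event.get("parentprocessname", "")
    cmd = event.get("commandline", "")
    # Branch A: a child of the IIS worker process whose command line names the
    # LAYOUTS folder or the web shell file name.
    spawned_by_iis = _like(parent, PARENT_PROCESS_IOC) and (
        _like(cmd, WEBSHELL_NAME_IOC) or any(_like(cmd, p) for p in LAYOUTS_PATH_IOCS)
    )
    # Branch B: indicators that fire regardless of the parent process.
    standalone = _like(cmd, ENCODED_COMMAND_IOC) or _like(cmd, WEBSHELL_PATH_IOC)
    return spawned_by_iis or standalone


def detect(events: Iterable[dict]) -> List[str]:
    """Return the ids of events that pass the source filter and match an indicator."""
    return [e["id"] for e in events if in_scope(e) and matches_toolshell_indicators(e)]


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Triage helper: decode the argument after -EncodedCommand (base64 of UTF-16LE)."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Constructed sample telemetry (not real logs). The encoded payload is a placeholder
# script; its UTF-16LE/base64 form starts with the IOC prefix for "$base64String =".
ENCODED_PLACEHOLDER = base64.b64encode(
    "$base64String = 'CONSTRUCTED_PLACEHOLDER'".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"id": "e1", "resourcename": "Windows Security", "eventtype": "4688",
     "parentprocessname": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "commandline": "cmd.exe /c dir \"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\""},
    {"id": "e2", "technologygroup": "EDR",
     "parentprocessname": "C:\\Windows\\explorer.exe",
     "commandline": "powershell.exe -EncodedCommand " + ENCODED_PLACEHOLDER},
    {"id": "e3", "resourcename": "Windows Security", "eventtype": "4688",
     "parentprocessname": "C:\\Windows\\System32\\services.exe",
     "commandline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    # w3wp.exe spawning a child is routine on a SharePoint server; with no IOC it must not fire.
    {"id": "e4", "resourcename": "Windows Security", "eventtype": "4688",
     "parentprocessname": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "commandline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    # Same indicator, but from a source neither query reads: out of scope by design.
    {"id": "e5", "resourcename": "Sysmon", "eventtype": "1",
     "parentprocessname": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "commandline": "cmd.exe /c type C:\\backup\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"},
]

if __name__ == "__main__":
    for event_id in detect(SAMPLE_EVENTS):
        event = next(e for e in SAMPLE_EVENTS if e["id"] == event_id)
        print(event_id, "->", event["commandline"][:60],
              "| decoded:", decode_encoded_command(event["commandline"]))
```

    Two points a practitioner should check before relying on the query as written. First, Windows Security event 4688 carries the command line only when the audit policy "Include command line in process creation events" is enabled; without it, every `commandline like` clause in Query 1 matches nothing and only Query 2 (EDR) can fire. Second, the `-EncodedCommand` indicator is a literal prefix of one observed script, so it only matches a script that begins with exactly `$base64String =` in UTF-16LE; decoding the argument and inspecting the script, as the helper above does, is the more durable check.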

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-53770/proc_creation_win_exploit_cve_2025_53770_indicators.yml


    Tags

    Sigma, Vulnerability, CVE-2025, Exploit, Zero-day, SharePoint

