Date: 07/29/2025
Severity: High
Summary
Detects the creation of files such as spinstall0.aspx under the SharePoint LAYOUTS directories, which may indicate successful exploitation of CVE-2025-53770, a zero-day remote code execution vulnerability in SharePoint.
Indicators of Compromise (IOC) List
Filename (the file path must contain one entry from each group):
  Base directories:
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\
    C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\
  Subdirectories:
    \15\TEMPLATE\LAYOUTS\
    \16\TEMPLATE\LAYOUTS\
  File names:
    \spinstall.aspx
    \spinstall?.aspx
    \debug_dev.js
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Each query requires the three path components (base directory, LAYOUTS subdirectory, file name) to match as substrings of the file path, so all three clauses use the same substring operator; a single filename value cannot be equal to all three parts at once.

Detection Query 1 (Windows Security file-access audit events):
  (resourcename = "Windows Security" AND eventtype = "4663")
  AND (filename like "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
       OR filename like "C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions")
  AND (filename like "\15\TEMPLATE\LAYOUTS" OR filename like "\16\TEMPLATE\LAYOUTS")
  AND (filename like "\spinstall.aspx" OR filename like "\spinstall?.aspx" OR filename like "\debug_dev.js")

Detection Query 2 (EDR file events):
  (technologygroup = "EDR")
  AND (filename like "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
       OR filename like "C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions")
  AND (filename like "\15\TEMPLATE\LAYOUTS" OR filename like "\16\TEMPLATE\LAYOUTS")
  AND (filename like "\spinstall.aspx" OR filename like "\spinstall?.aspx" OR filename like "\debug_dev.js")
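As an added example (not Gurucul's query engine, nor the referenced Sigma rule), the following Python applies the same three-part path match to constructed Windows Security 4663 events. It assumes `?` in spinstall?.aspx is a single-character wildcard, and the keys `event_id` and `object_name` are assumed labels for the 4663 Event ID and ObjectName fields.

```python
import fnmatch

# Path components taken from the advisory's IOC list.
BASE_DIRS = (
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions",
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions",
)
LAYOUT_SUBDIRS = (r"\15\TEMPLATE\LAYOUTS", r"\16\TEMPLATE\LAYOUTS")
# Assumption: '?' is a single-character wildcard, so spinstall?.aspx covers spinstall0.aspx.
FILE_PATTERNS = ("spinstall.aspx", "spinstall?.aspx", "debug_dev.js")


def matches_ioc(path: str) -> bool:
    """True when the path has an IOC base dir, a LAYOUTS subdir and an IOC file name (case-insensitive)."""
    p = path.lower()
    if not p.startswith(tuple(b.lower() for b in BASE_DIRS)):
        return False
    if not any(sub.lower() in p for sub in LAYOUT_SUBDIRS):
        return False
    basename = p.rsplit("\\", 1)[-1]
    return any(fnmatch.fnmatchcase(basename, pat) for pat in FILE_PATTERNS)


def scan_events(events):
    """Return the object paths of Security 4663 events whose path matches the IOC pattern."""
    return [e["object_name"] for e in events
            if e["event_id"] == 4663 and matches_ioc(e["object_name"])]


# Constructed sample events; keys mirror the 4663 Event ID and ObjectName fields (assumed labels).
SAMPLE_EVENTS = [
    {"event_id": 4663, "object_name": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"event_id": 4663, "object_name": r"C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\debug_dev.js"},
    {"event_id": 4663, "object_name": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\default.aspx"},
    {"event_id": 4663, "object_name": r"C:\inetpub\wwwroot\spinstall0.aspx"},
    {"event_id": 4656, "object_name": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("IOC match:", hit)
```

Only the first two sample events fire: the third is a legitimate LAYOUTS file, the fourth is outside the SharePoint base directories, and the fifth is a 4656 handle-request event rather than the 4663 access event the query keys on.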
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-53770/file_event_win_exploit_cve_2025_53770.yml