Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create

    Date: 07/29/2025

    Severity: High

    Summary

    Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770, a zero-day remote code execution vulnerability in SharePoint.

    Indicators of Compromise (IOC) List

    Filename (path fragments; the queries below combine a directory prefix, a LAYOUTS hive folder and a file name)

    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
    'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
    '\15\TEMPLATE\LAYOUTS\'
    '\16\TEMPLATE\LAYOUTS\'
    '\spinstall.aspx'
    '\spinstall?.aspx'
    '\debug_dev.js'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1:

    ((resourcename = "Windows Security" AND eventtype = "4663")
     AND (filename IN ("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions",
                       "C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions")
          AND (filename like "\15\TEMPLATE\LAYOUTS" OR filename like "\16\TEMPLATE\LAYOUTS")
          AND filename IN ("\spinstall.aspx","\spinstall?.aspx","\debug_dev.js")))

    Detection Query 2:

    ((technologygroup = "EDR")
     AND (filename IN ("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions",
                       "C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions")
          AND (filename like "\15\TEMPLATE\LAYOUTS" OR filename like "\16\TEMPLATE\LAYOUTS")
          AND filename IN ("\spinstall.aspx","\spinstall?.aspx","\debug_dev.js")))
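    The two queries express the same path logic against two telemetry sources. The following is an added reference implementation of that logic in Python, written for this page rather than taken from Gurucul or the referenced Sigma rule; the event field names (resourcename, eventtype, technologygroup, filename) are borrowed from the queries, the event records themselves are constructed samples, and the path fragments are treated as prefix / contains / suffix matches, with '?' standing for exactly one character, which is the reading the IOC list implies.

```python
import re
from typing import Dict, List, Optional, Tuple

# Directory prefixes from the IOC list (either SharePoint install root).
ROOT_DIRS = (
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions",
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions",
)
# Hive folders for SharePoint 2013 (15) and 2016/2019/Subscription Edition (16).
LAYOUT_DIRS = (r"\15\TEMPLATE\LAYOUTS", r"\16\TEMPLATE\LAYOUTS")
# File-name IOCs; '?' is assumed to match exactly one character (spinstall0.aspx, spinstall1.aspx, ...).
FILE_PATTERNS = (r"\spinstall.aspx", r"\spinstall?.aspx", r"\debug_dev.js")


def _suffix_regex(pattern: str):
    """Turn an IOC file-name suffix into an anchored, case-insensitive regex.
    Everything is escaped literally except '?', which becomes one non-separator char."""
    escaped = re.escape(pattern).replace(r"\?", r"[^\\]")
    return re.compile(escaped + r"$", re.IGNORECASE)


FILE_REGEXES = tuple(_suffix_regex(p) for p in FILE_PATTERNS)


def is_ioc_path(path: str) -> bool:
    """True when the path starts under a SharePoint root, contains a LAYOUTS hive
    folder, and ends with one of the IOC file names."""
    lowered = path.lower()
    under_root = any(lowered.startswith(root.lower()) for root in ROOT_DIRS)
    in_layouts = any(layout.lower() in lowered for layout in LAYOUT_DIRS)
    ioc_name = any(rx.search(path) for rx in FILE_REGEXES)
    return under_root and in_layouts and ioc_name


def matches_query(event: Dict[str, str]) -> Optional[str]:
    """Apply the two detection queries to one normalized event.
    Returns the name of the query that fired, or None."""
    if not is_ioc_path(event.get("filename", "")):
        return None
    # Query 1: Windows Security object-access event 4663 on the file.
    if event.get("resourcename") == "Windows Security" and event.get("eventtype") == "4663":
        return "Detection Query 1"
    # Query 2: file telemetry from any source in the EDR technology group.
    if event.get("technologygroup") == "EDR":
        return "Detection Query 2"
    return None


def run_detection(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (query name, path) for every event that fires."""
    hits = []
    for ev in events:
        query = matches_query(ev)
        if query:
            hits.append((query, ev["filename"]))
    return hits


# Constructed sample events (not real telemetry), one per case worth checking.
SP_ROOT = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
SP_ROOT_X86 = r"C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions"
SAMPLE_EVENTS = [
    {"resourcename": "Windows Security", "eventtype": "4663",
     "filename": SP_ROOT + r"\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},   # fires Query 1
    {"technologygroup": "EDR",
     "filename": SP_ROOT_X86 + r"\15\TEMPLATE\LAYOUTS\debug_dev.js"},  # fires Query 2
    {"resourcename": "Windows Security", "eventtype": "4663",
     "filename": SP_ROOT + r"\16\TEMPLATE\LAYOUTS\default.aspx"},      # legitimate LAYOUTS file
    {"resourcename": "Windows Security", "eventtype": "4663",
     "filename": r"C:\inetpub\wwwroot\spinstall.aspx"},                  # IOC name outside the SharePoint root
    {"technologygroup": "EDR",
     "filename": SP_ROOT + r"\16\TEMPLATE\LAYOUTS\spinstall00.aspx"},   # '?' matches one char, not two
    {"resourcename": "Windows Security", "eventtype": "4656",
     "filename": SP_ROOT + r"\16\TEMPLATE\LAYOUTS\spinstall.aspx"},     # handle request, not 4663
]

if __name__ == "__main__":
    for query, path in run_detection(SAMPLE_EVENTS):
        print(f"{query}: {path}")
```

    Only the first two sample events fire. Note that Query 1 depends on event 4663, which Windows only emits when object-access auditing is enabled and a SACL covers the LAYOUTS folders; without that audit configuration the Windows Security source produces no data for this rule and only the EDR-based Query 2 can alert.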

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-53770/file_event_win_exploit_cve_2025_53770.yml


    Tags

    Sigma, Vulnerability, CVE-2025, Exploit, Zero-day, SharePoint
