Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create

Detects the creation of files such as spinstall0.aspx in the SharePoint LAYOUTS directories, which may indicate successful exploitation of CVE-2025-53770. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.

Sigma rule

title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
id: ba479447-721f-42a9-9af2-6dcd517bbdb3
status: experimental
description: |
    Detects the creation of files such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
    - https://research.eye.security/sharepoint-under-siege/
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
modified: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-53770
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '\spinstall.aspx'
            - '\spinstall?.aspx'
            - '\debug_dev.js'
    condition: selection
falsepositives:
    - Unknown
level: critical
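The following is an added example, not part of the Sigma rule or the SigmaHQ project, showing how the selection above evaluates against Windows file-create events. It reproduces Sigma's string-matching semantics for the three modifiers used by the rule (case-insensitive matching, `*` matching any run of characters, `?` matching exactly one character) and runs them over a handful of constructed Sysmon Event ID 11 records. The event dictionaries, the field names `EventID` and `TargetFilename`, and the helper names are assumptions made for this example.

```python
import re

# Detection values copied from the Sigma rule; grouped by modifier.
STARTSWITH = [
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
    "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
]
CONTAINS = [
    "\\15\\TEMPLATE\\LAYOUTS\\",
    "\\16\\TEMPLATE\\LAYOUTS\\",
]
ENDSWITH = [
    "\\spinstall.aspx",
    "\\spinstall?.aspx",   # '?' is a Sigma single-character wildcard
    "\\debug_dev.js",
]


def sigma_value_to_regex(value: str, modifier: str) -> re.Pattern:
    """Translate one Sigma string value plus its modifier into a compiled regex.

    Sigma wildcards: '*' -> any run of characters, '?' -> exactly one
    character; everything else is literal. Matching is case-insensitive.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if modifier == "startswith":
        body = "^" + body
    elif modifier == "endswith":
        body = body + "$"
    # "contains" is an unanchored search
    return re.compile(body, re.IGNORECASE | re.DOTALL)


# Each modifier list is OR-ed internally; the modifiers are AND-ed
# together, exactly as a Sigma 'selection' map is evaluated.
SELECTION = [
    [sigma_value_to_regex(v, "startswith") for v in STARTSWITH],
    [sigma_value_to_regex(v, "contains") for v in CONTAINS],
    [sigma_value_to_regex(v, "endswith") for v in ENDSWITH],
]


def matches_toolshell_file_create(target_filename: str) -> bool:
    """True when the path satisfies every modifier group of the rule."""
    return all(
        any(pattern.search(target_filename) for pattern in group)
        for group in SELECTION
    )


def scan_events(events: list) -> list:
    """Return the TargetFilename of every file-create event that fires the rule.

    Assumes Sysmon-style records where EventID 11 is 'FileCreate'.
    """
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == 11 and matches_toolshell_file_create(e["TargetFilename"])
    ]


# Constructed sample events (not real telemetry).
LAYOUTS16 = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\"
LAYOUTS15_X86 = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS\\"
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": LAYOUTS16 + "spinstall0.aspx"},      # fires
    {"EventID": 11, "TargetFilename": LAYOUTS16 + "default.aspx"},         # benign page
    {"EventID": 11, "TargetFilename": "C:\\Windows\\Temp\\spinstall0.aspx"},  # wrong location
    {"EventID": 11, "TargetFilename": LAYOUTS15_X86 + "debug_dev.js"},     # fires
    {"EventID": 11, "TargetFilename": LAYOUTS16 + "spinstall00.aspx"},     # '?' is one char only
    {"EventID": 1,  "TargetFilename": LAYOUTS16 + "spinstall.aspx"},       # not a file-create event
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Because `?` matches a single character, `spinstall0.aspx` and `spinstall.aspx` fire while `spinstall00.aspx` does not; a tuning exercise for a real deployment would be to decide whether that precision is wanted or whether a `spinstall*.aspx` value is preferable.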
