Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
Detects potential exploitation of CVE-2025-53770 by matching post-exploitation indicators in Windows process creation events: base64-encoded command lines spawned by the IIS worker process (w3wp.exe) that reference the spinstall0.aspx web shell or the SharePoint TEMPLATE\LAYOUTS directory, plus two literal command-line fragments seen in the attacks. CVE-2025-53770 is a remote code execution vulnerability in on-premises SharePoint Server that was exploited as a zero-day in the ToolShell attack chain.
Sigma rule
```yaml
title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
id: 7477881c-ec3b-49d6-aced-7255944e5c59
status: experimental
description: |
    Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
    - https://research.eye.security/sharepoint-under-siege/
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-53770
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\w3wp.exe'
    selection_encoded_aspx:
        - CommandLine|wide|base64offset|contains: 'spinstall0.aspx'
        - CommandLine|base64|contains: 'spinstall0.aspx'
    selection_encoded_path:
        CommandLine|wide|base64offset|contains:
            - ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS'
            - ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
            - ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
            - ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    selection_ioc:
        CommandLine|contains:
            - '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
            - 'TEMPLATE\LAYOUTS\spinstall0.aspx'
    condition: (selection_img and 1 of selection_encoded_*) or selection_ioc
falsepositives:
    - Unknown
level: high
```
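To make the rule's modifiers concrete, the following is an added Python example (it is not part of the rule, the Sigma project or any Sigma backend). It reimplements the `wide` and `base64offset` modifiers, evaluates the rule's condition over constructed process_creation events, and shows why `base64offset` has to emit three fragments. The dropper script, the event field values and every helper function name are assumptions made for this example; the constants are transcribed from the rule.

```python
import base64

# Strings transcribed from the rule above. The Sigma modifiers (wide, base64offset,
# base64) are applied in this script rather than by a Sigma backend.
SPINSTALL = "spinstall0.aspx"
LAYOUT_PATHS = [
    r":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS",
    r":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
    r":\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
    r":\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
]
IOC_LITERALS = [
    "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0",
    r"TEMPLATE\LAYOUTS\spinstall0.aspx",
]


def wide(s: str) -> bytes:
    """Sigma `wide`: UTF-16LE, the encoding PowerShell -EncodedCommand expects."""
    return s.encode("utf-16le")


def base64offset(needle: bytes) -> list[str]:
    """Sigma `base64offset`: three base64 fragments, one per byte alignment (0, 1, 2)
    at which `needle` can sit inside a larger base64 blob. Leading filler bytes
    contaminate the first 0/2/3 characters, and the unknown bytes that follow the
    needle contaminate the last 0/3/2 characters (padding included), so those are cut."""
    start = (0, 2, 3)
    end = (None, -3, -2)
    fragments = []
    for i in range(3):
        enc = base64.b64encode(b"\x00" * i + needle).decode()
        fragments.append(enc[start[i]:end[(i + len(needle)) % 3]])
    return fragments


def rule_matches(event: dict) -> bool:
    """condition: (selection_img and 1 of selection_encoded_*) or selection_ioc.
    Sigma string matching is case-insensitive by default, hence the .lower() calls."""
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    selection_img = parent.endswith("\\w3wp.exe")
    selection_encoded_aspx = (
        any(f.lower() in cmd for f in base64offset(wide(SPINSTALL)))
        or base64.b64encode(SPINSTALL.encode()).decode().lower() in cmd
    )
    selection_encoded_path = any(
        f.lower() in cmd for p in LAYOUT_PATHS for f in base64offset(wide(p))
    )
    selection_ioc = any(s.lower() in cmd for s in IOC_LITERALS)
    return (selection_img and (selection_encoded_aspx or selection_encoded_path)) or selection_ioc


def encoded_command(script: str) -> str:
    """What gets logged for `powershell -EncodedCommand <script>`: UTF-16LE, then base64."""
    return "powershell.exe -EncodedCommand " + base64.b64encode(wide(script)).decode()


def alignment_coverage(needle: str) -> set[int]:
    """Why three fragments: shifting the needle by 0, 1 or 2 characters (0, 2 or 4
    UTF-16LE bytes) lands it on each base64 alignment, and a different fragment fires."""
    fragments = base64offset(wide(needle))
    hits = set()
    for pad in range(3):
        blob = base64.b64encode(wide("x" * pad + needle + " trailing")).decode()
        hits.update(i for i, f in enumerate(fragments) if f in blob)
    return hits


def ioc_literal_matches_script_prefix(prefix: str) -> bool:
    """True if the -EncodedCommand literal in selection_ioc is the encoding of `prefix`."""
    literal = IOC_LITERALS[0].split(" ", 1)[1]
    return base64.b64encode(wide(prefix)).decode().startswith(literal)


def sample_events() -> dict[str, dict]:
    """Constructed process_creation events (not real telemetry). The dropper script is a
    stand-in shaped like a file write into the LAYOUTS directory, not the real payload."""
    dropper = (
        "$base64String = 'PCUgQCBQYWdlICU+';"
        r"[IO.File]::WriteAllBytes('C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx',"
        "[Convert]::FromBase64String($base64String))"
    )
    renamed = dropper.replace("$base64String", "$b")  # defeats the literal IOC only
    w3wp = r"C:\Windows\System32\inetsrv\w3wp.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    return {
        "dropper under w3wp": {"ParentImage": w3wp, "CommandLine": encoded_command(dropper)},
        "renamed variable under w3wp": {"ParentImage": w3wp, "CommandLine": encoded_command(renamed)},
        "renamed variable under cmd.exe": {"ParentImage": cmd, "CommandLine": encoded_command(renamed)},
        "benign encoded command under w3wp": {"ParentImage": w3wp, "CommandLine": encoded_command("Get-Date")},
        "plain-text path under cmd.exe": {
            "ParentImage": cmd,
            "CommandLine": r'cmd /c type "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"',
        },
    }


if __name__ == "__main__":
    for name, event in sample_events().items():
        print(f"{rule_matches(event)!s:5}  {name}")
    print("fragments that fired across alignments:", sorted(alignment_coverage(SPINSTALL)))
```

Two points the output makes that the YAML alone does not. First, a process whose parent is not w3wp.exe reaches only selection_ioc, so an encoded command that renames the `$base64String` variable and never spells out the LAYOUTS path in clear text is missed there; if your telemetry shows an intermediate cmd.exe between w3wp.exe and powershell.exe, widening the parent check is worth considering. Second, the `-EncodedCommand JABi...` literal is simply the base64 of the UTF-16LE script prefix `$base64String =`, which is why it is brittle against trivial renaming, while the `wide|base64offset` fragments survive any position of the string inside the encoded script. The plain `base64` modifier on the same string only matches an ASCII encoding at alignment 0.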
References
- https://research.eye.security/sharepoint-under-siege/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
Related rules
- SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
- Potential SAP NetViewer Webshell Command Execution
- Arcadyan Router Exploitations
- Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21