Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to the SharePoint layouts directory, which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Sigma rule
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
    Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
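To see exactly what the selection fires on (and what it lets through), here is an added Python harness that is not part of the rule or of the Sigma project. It re-implements this rule's four field conditions with Sigma's default string semantics (case-insensitive comparison, OR within each list, AND across the fields) and runs them over constructed Sysmon Event ID 11 (FileCreate) records. The process paths, target file names and the helper names `matches`, `explain` and `alerts` are all constructed for this example.

```python
"""Evaluate the SharePoint LAYOUTS file-write selection against constructed
Sysmon Event ID 11 records. Matching mirrors Sigma defaults: case-insensitive,
lists are OR-ed, the selection's fields are AND-ed. All sample data below is
constructed for illustration, not taken from a real host.
"""

# Pattern lists copied from the rule's selection (backslashes escaped for Python).
IMAGE_ENDSWITH = (
    "\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe", "\\w3wp.exe",
)
TARGET_STARTSWITH = (
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
    "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
)
TARGET_CONTAINS = ("\\15\\TEMPLATE\\LAYOUTS\\", "\\16\\TEMPLATE\\LAYOUTS\\")
TARGET_ENDSWITH = (
    ".asax", ".ascx", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cmd", ".cer",
    ".config", ".hta", ".js", ".jsp", ".jspx", ".php", ".ps1", ".vbs",
)


def _any(value, patterns, op):
    """OR over a Sigma value list, compared case-insensitively like Sigma does."""
    v = value.lower()
    return any(op(v, p.lower()) for p in patterns)


def _clauses(event):
    """Evaluate each modifier clause of the selection; keys are the Sigma field|modifier names."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return {
        "Image|endswith": _any(image, IMAGE_ENDSWITH, str.endswith),
        "TargetFilename|startswith": _any(target, TARGET_STARTSWITH, str.startswith),
        "TargetFilename|contains": _any(target, TARGET_CONTAINS, lambda v, p: p in v),
        "TargetFilename|endswith": _any(target, TARGET_ENDSWITH, str.endswith),
    }


def matches(event):
    """True when every clause of `selection` holds (condition: selection)."""
    return all(_clauses(event).values())


def explain(event):
    """Names of the clauses that did NOT match; an empty list means the event alerts.
    Useful when tuning: it shows which field kept a near-miss from firing."""
    return [name for name, ok in _clauses(event).items() if not ok]


# Constructed Sysmon Event ID 11 records (only the fields the rule reads).
LAYOUTS_16 = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\"
SAMPLE_EVENTS = [
    # 1: IIS worker process drops an ASPX page into LAYOUTS -> alert
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": LAYOUTS_16 + "example_constructed.aspx"},
    # 2: same path written by msiexec (e.g. a product update) -> Image not in list, no alert
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": LAYOUTS_16 + "example_constructed.aspx"},
    # 3: w3wp writing a static image -> extension not in list, no alert
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": LAYOUTS_16 + "IMAGES\\logo.png"},
    # 4: PowerShell writing under the 15 hive with unusual casing -> alert (case-insensitive)
    {"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE",
     "TargetFilename": "c:\\program files\\common files\\microsoft shared\\web server extensions"
                       "\\15\\template\\layouts\\custom\\Page.ASPX"},
    # 5: cmd.exe writing an ASPX file outside the SharePoint tree -> prefix fails, no alert
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\test.aspx"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches(e) else "pass (failed: %s)" % ", ".join(explain(e))
        print(verdict, "-", e["Image"], "->", e["TargetFilename"])
```

Running it shows two alerts (records 1 and 4) and three non-matches, each annotated with the clause that excluded it. Record 2 is the interesting one for tuning: the same file write by an installer process stays silent only because of the `Image` list, so an environment with legitimate LAYOUTS customisation pushed through one of the listed shells would need a `filter` on that process or on the deploying account.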
Related rules
- Potential SAP NetViewer Webshell Command Execution
- Suspicious Process By Web Server Process
- Suspicious Child Process Of SQL Server
- Suspicious File Drop by Exchange
- Suspicious MSExchangeMailboxReplication ASPX Write