Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770. This CVE is a zero-day vulnerability in SharePoint that allows remote code execution.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "File Created or Modified" AND ((( OBJECTNAME contains "Program Files\Common Files\Microsoft Shared\Web Server Extensions\,Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions" AND ACCESSLIST contains "writedata" AND OBJECTNAME contains "\15\TEMPLATE\LAYOUTS\,\16\TEMPLATE\LAYOUTS" ) OR ( FILENAME contains "Program Files\Common Files\Microsoft Shared\Web Server Extensions\,Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions" AND FILENAME contains "\15\TEMPLATE\LAYOUTS\,\16\TEMPLATE\LAYOUTS" )) AND ( OBJECTNAME contains "\spinstall,\debug_dev" OR FILENAME contains "\spinstall,\debug_dev" ) AND ( OBJECTNAME endswith ".aspx,.js" OR FILENAME endswith ".aspx,.js" ))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


