Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators - Process creation
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities. This CVE is a zero-day vulnerability in SharePoint that allows remote code execution.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ( PARENTPROCESSNAME endswith "\w3wp.exe" ) AND ( COMMANDLINE contains "spinstall0.aspx" OR COMMANDLINE contains ":\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS,:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS,:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS,:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS" OR COMMANDLINE contains "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0,TEMPLATE\LAYOUTS\spinstall0.aspx" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


