Suspicious File Write to SharePoint Layouts Directory
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "File Created or Modified" AND ( PROCESSNAME endswith "\cmd.exe,\powershell_ise.exe,\powershell.exe,\pwsh.exe,\w3wp.exe" ) AND (( ACCESSLIST contains "writedata" AND OBJECTNAME contains "\Program Files\Common Files\Microsoft Shared\Web Server Extensions\,\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions" AND OBJECTNAME contains "\15\TEMPLATE\LAYOUTS\,\16\TEMPLATE\LAYOUTS" AND OBJECTNAME endswith ".asax,.ascx,.ashx,.asmx,.asp,.aspx,.bat,.cmd,.cer,.config,.hta,.js,.jsp,.jspx,.php,.ps1,.vbs" ) OR ( FILENAME contains "\Program Files\Common Files\Microsoft Shared\Web Server Extensions\,\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions" AND FILENAME contains "\15\TEMPLATE\LAYOUTS\,\16\TEMPLATE\LAYOUTS" AND FILENAME endswith ".asax,.ascx,.ashx,.asmx,.asp,.aspx,.bat,.cmd,.cer,.config,.hta,.js,.jsp,.jspx,.php,.ps1,.vbs" ))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


