In Part 1, we explored the critical zero-day vulnerabilities CVE-2025-53770 (CVSS 9.8, RCE) and CVE-2025-53771 (CVSS 6.3, Spoofing/Path Traversal) targeting on-premises Microsoft SharePoint servers. We outlined the timeline of the “ToolShell” exploit chain, its technical mechanics, and urgent mitigation steps. In this second installment, we dive deeper into attacker persistence strategies, advanced detection methods, real-world incident response case studies, and strategic recommendations to secure SharePoint environments beyond applying patches. This post incorporates updates from the last couple of weeks, reflecting the evolving threat landscape and recent findings from security researchers and vendors.
How Attackers Maintain Persistence After Initial Exploitation
The exploitation of CVE-2025-53770 and CVE-2025-53771 allows unauthenticated attackers to achieve remote code execution (RCE) and establish persistent access to compromised SharePoint servers. Even after applying Microsoft’s emergency patches (released July 19–22, 2025, for SharePoint Server 2016, 2019, and Subscription Edition), organizations remain at risk if attackers have already deployed backdoors or stolen cryptographic material. Below, we detail the observed persistence mechanisms and their implications.
Post-Exploit Actions Observed
ViewState Forgery Using Stolen Machine Keys
Attackers exploit the CVE-2025-53770 deserialization vulnerability to extract the SharePoint server’s ValidationKey and DecryptionKey from the ASP.NET configuration. These keys allow attackers to forge valid __VIEWSTATE payloads, enabling re-entry to the server even after patching. Forged ViewState payloads bypass authentication and session validation, making this a stealthy persistence method. Attackers can re-establish access without triggering alerts, because the forged ViewState appears legitimate to SharePoint’s request handling. In one observed attack, a forged ViewState was used to execute commands 72 hours after the initial patch, indicating persistent access via stolen keys.
Web Shell Deployment
Attackers deploy obfuscated ASPX web shells to maintain persistent access. While spinstall0.aspx (SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514) is the most commonly reported web shell, variants with randomized filenames have been observed, including:
- default0.aspx
- admin_panel.aspx
- core.aspx
- svcutil.aspx
These shells often contain embedded PowerShell or .NET payloads, enabling remote command execution. Some shells include anti-detection mechanisms, such as disabling AMSI or encrypting communications with C2 servers. Because the shells are files on disk that the web server keeps serving, they survive reboots and, in some cases, patching, allowing attackers to retain a foothold.
The web shells are typically written to the SharePoint LAYOUTS directory:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
Credential Dumping and Lateral Movement
Attackers use stolen SharePoint credentials or service accounts to pivot to adjacent systems, such as Microsoft Exchange, SQL Server, or Active Directory (AD). In some cases, attackers create mimicked SharePoint service accounts like SP_Svc_Proxy to blend with legitimate activity, evading detection. Attackers exploit SharePoint’s integration with Microsoft services (e.g., Teams, OneDrive) to harvest sensitive data or move laterally across the network. In a U.S. financial institution breach, attackers used stolen credentials to access an Exchange server, deploying a malicious Outlook rule to exfiltrate emails.
Scheduled Tasks and Registry Modifications
To ensure persistence, attackers create scheduled tasks or modify registry keys to execute malicious payloads at system startup or at regular intervals. Tasks are often named to resemble legitimate SharePoint processes, such as SPHealthCheck, and execute encoded PowerShell scripts. A European government agency found a scheduled task named SPUpdateSync that ran a base64-encoded PowerShell script every 15 minutes, maintaining C2 communication.
- Malicious entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run ensure payloads are re-executed after a reboot.
Fileless Execution (Advanced Clusters)
In more sophisticated attacks, such as the “no shell” cluster observed by SentinelOne, attackers avoid writing web shells to disk, instead using in-memory .NET module execution or PowerShell reflection. This fileless approach significantly complicates detection, as no persistent artifacts are left on the filesystem.
Implications of Persistence
The combination of stolen cryptographic keys, web shells, and lateral movement capabilities makes CVE-2025-53770 a systemic threat. Attackers can maintain access even after patches are applied, necessitating comprehensive incident response and remediation beyond patching. SharePoint’s deep integration with Microsoft’s ecosystem (e.g., Office, Teams, OneDrive) amplifies the risk, as a single compromise can lead to network-wide breaches, data theft, or ransomware deployment (e.g., Warlock ransomware observed in some campaigns).
Detection Deep Dive: Finding the Needle in the SharePoint Stack
The ToolShell exploit chain blends seamlessly with legitimate SharePoint traffic, making detection challenging. Attackers exploit the /ToolPane.aspx endpoint with a spoofed Referer header (/_layouts/SignOut.aspx), which SharePoint misinterprets as a legitimate request. Below, we outline advanced detection strategies to identify compromise indicators, drawing from recent third-party telemetry and security research.
1. Web Log Analysis
Monitor Internet Information Services (IIS) logs for suspicious activity targeting the vulnerable endpoint /_layouts/15/ToolPane.aspx?DisplayMode=Edit:
- POST requests to that endpoint with a Referer header set to /_layouts/SignOut.aspx.
- Isolated sessions with no prior user navigation (e.g., no GET requests to other SharePoint pages), which indicate automated or tool-based exploitation.
Example Log Entry:
2025-07-18 18:06:45 107.191.58.76 POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit – 443 – 96.9.125.147 – Referer: /_layouts/SignOut.aspx
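As an added example (not code from the original post), the following Python applies the two checks above to a constructed W3C-format IIS log excerpt: the POST-plus-spoofed-Referer signature and the “isolated session” heuristic (no earlier GET from the same client). The field order in the #Fields header and the client IPs in the sample are assumptions.

```python
from urllib.parse import unquote

# Constructed W3C-style IIS log excerpt (not a real capture). The field
# order is an assumption; parse_w3c() reads it from the #Fields header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs(Referer) sc-status
2025-07-18 18:05:10 203.0.113.10 GET /sites/hr/default.aspx - 443 - 200
2025-07-18 18:05:40 203.0.113.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-18 18:06:45 198.51.100.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 /_layouts/SignOut.aspx 200
2025-07-18 18:07:01 198.51.100.8 GET /_layouts/15/start.aspx - 443 - 200
"""


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ", len(fields) - 1)
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def is_toolshell_request(row):
    """True when the row is a POST to ToolPane.aspx in edit mode with the spoofed Referer."""
    stem = unquote(row.get("cs-uri-stem", "")).lower()
    query = unquote(row.get("cs-uri-query", "")).lower()
    referer = unquote(row.get("cs(Referer)", "")).lower()
    return (row.get("cs-method") == "POST"
            and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx"))


def hunt(text):
    """Return {client_ip: {"hits": n, "isolated": bool}} for matching clients.

    "isolated" is True when the client's first matching POST arrived before
    any GET from that client, i.e. no prior page navigation was logged.
    """
    navigated = set()      # clients that issued a GET before their first hit
    findings = {}
    for row in parse_w3c(text):
        ip = row.get("c-ip")
        if is_toolshell_request(row):
            entry = findings.setdefault(ip, {"hits": 0, "isolated": ip not in navigated})
            entry["hits"] += 1
        elif row.get("cs-method") == "GET":
            navigated.add(ip)
    return findings


if __name__ == "__main__":
    for ip, info in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} ToolPane POST(s), isolated={info['isolated']}")
```

Point the same logic at real W3C logs by reading the file into `hunt()`; the `#Fields` line makes it tolerant of servers that log a different field set.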
Correlate with anomalous session durations or high-frequency POST requests from a single IP. Known malicious IPs include 107.191.58.76, 104.238.159.149, and 96.9.125.147.
2. File Integrity Monitoring (FIM)
Implement FIM on the SharePoint LAYOUTS directory to detect unauthorized ASPX file creation:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
- Key files to monitor: spinstall0.aspx, default0.aspx, admin_panel.aspx, core.aspx, or any unexpected .aspx files.
- SHA256 of known malicious file (spinstall0.aspx): 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
- Use EDR solutions to alert on file creation events in this directory.
3. PowerShell Audit Logs
Enable advanced PowerShell logging to detect malicious executions, particularly those spawned by the IIS worker process (w3wp.exe).
- Enable Script Block Logging and Module Logging via Group Policy.
- Look for base64-encoded commands or PowerShell scripts executed by w3wp.exe, which is unusual for legitimate SharePoint operations.
- Example payload: attackers have been observed using scripts like:
$base64String = "[...]"
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop
- Tip: Enable Enhanced PowerShell Logging to capture detailed script execution context.
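To show how the w3wp.exe-parent signal above can be triaged, here is an added example (not code from the original post) that screens constructed process-creation records for children of the IIS worker process, decodes any PowerShell -EncodedCommand argument (UTF-16LE base64), and flags references to the LAYOUTS path, .aspx files, or the FromBase64String/Set-Content pattern from the payload above. The record field names (ParentImage, Image, CommandLine) are an assumption, not a specific product’s schema.

```python
import base64
import re


def _enc(cmd):
    """Build the UTF-16LE base64 form that PowerShell's -EncodedCommand expects."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed process-creation records (not real telemetry); field names are an
# assumption modelled loosely on Sysmon/4688-style data.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + _enc(
         r'Set-Content -Path "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"')},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Short and long spellings of the flag, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS = ("\\template\\layouts\\", ".aspx", "frombase64string", "set-content")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return findings for every process whose parent is the IIS worker (w3wp.exe)."""
    findings = []
    for ev in events:
        if not ev.get("ParentImage", "").lower().endswith("\\w3wp.exe"):
            continue                      # the key signal from the post: child of w3wp.exe
        cmd = ev.get("CommandLine", "")
        decoded = decode_encoded_command(cmd)
        haystack = (cmd + " " + (decoded or "")).lower()
        reasons = ["spawned by w3wp.exe"]
        if decoded is not None:
            reasons.append("base64 -EncodedCommand")
        reasons += [f"references {s}" for s in SUSPICIOUS if s in haystack]
        findings.append({"image": ev.get("Image", ""), "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["image"], "->", "; ".join(f["reasons"]))
```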
4. Network Traffic Analysis
Monitor for connections to known malicious IPs associated with the ToolShell campaign:
- IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147
- Tip: Use next-generation firewalls to block known C2 IPs and detect anomalous outbound traffic.
5. SIEM Hunting Queries
Leverage advanced hunting queries to detect compromise indicators:
- Web shell detection (shown here as Defender for Endpoint advanced hunting KQL): files named spinstall0 or ending in .aspx created under \TEMPLATE\LAYOUTS.
DeviceFileEvents
| where FolderPath contains @"\TEMPLATE\LAYOUTS\"
| where FileName has "spinstall0" or FileName endswith ".aspx"
- Suspicious process activity: processes started by w3wp.exe whose command line mentions spinstall0 or carries base64-encoded content.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has "spinstall0" or ProcessCommandLine has_any ("base64", "FromBase64String", "-EncodedCommand")
6. Advanced Indicators (Fileless Attacks)
For fileless attacks observed in the “no shell” cluster, monitor for:
- In-memory .NET execution: look for System.Reflection.Assembly.Load calls in PowerShell logs, indicating dynamic assembly loading.
- Behavioral anomalies: unusual memory usage spikes or w3wp.exe processes with high CPU/network activity. Use Sysinternals Process Monitor, Defender for Endpoint, or another EDR to detect in-memory execution patterns.
Recent Developments (July 2025)
Since the initial disclosure of CVE-2025-53770 and CVE-2025-53771 on July 19, 2025, the ToolShell campaign has evolved rapidly:
- Widespread Exploitation: Eye Security reported over 400 compromised SharePoint servers by July 22, with Check Point Research noting 4,600 compromise attempts across 300+ organizations by July 24. Affected sectors include government, energy, education, finance, and telecommunications.
- Ransomware Deployment: On July 25, SOCRadar confirmed instances of Warlock ransomware deployed via the ToolShell exploit, targeting organizations in the U.S. and Europe. This underscores the campaign’s shift toward destructive payloads.
- Nation-State Involvement: Microsoft identified Chinese nation-state actors Linen Typhoon, Violet Typhoon, and Storm-2603 exploiting these vulnerabilities, with Storm-2603 linked to ransomware attacks.
- Public PoC Exploits: By July 21, proof-of-concept (PoC) exploits for CVE-2025-53770 and CVE-2025-53771 were published on GitHub, accelerating exploitation by less sophisticated actors.
- Patch Status: Microsoft released patches for SharePoint Server 2019 and Subscription Edition on July 19, followed by SharePoint 2016 on July 22 (builds 16.0.5513.1001 and 16.0.18526.20508). However, end-of-life versions (SharePoint 2010 and 2013) remain vulnerable with no patches available.
Case Studies: Lessons from Real-World Compromises
Below are updated case studies illustrating the impact of the ToolShell campaign and lessons learned from incident response efforts.
Case Study 1: U.S. Energy Sector Firm
- Initial Entry: Attackers exploited CVE-2025-53770 on July 18, 2025, from IP 107.191.58.76, deploying spinstall0.aspx to the LAYOUTS directory.
- Persistence: Stolen MachineKey enabled attackers to forge ViewState payloads, regaining access 48 hours after the July 19 patch was applied.
- Damage: Lateral movement to a domain controller via stolen SharePoint service account credentials; exfiltration of 2 GB of sensitive data, including employee records and intellectual property.
- Missed Opportunity: Microsoft Defender alerts for suspicious PowerShell execution were dismissed as “normal SharePoint activity” for three days.
- Resolution: Full Active Directory rebuild, key rotation, and implementation of network segmentation. The organization migrated to SharePoint Online to reduce future exposure.
- Lesson: Timely alert triage and key rotation are critical to prevent re-entry post-patching.
Case Study 2: European University
- Initial Entry: Attack from IP 104.238.159.149 on July 19 exploited CVE-2025-53770, dropping a modified spinstall0.aspx with AMSI-disabling logic.
- Persistence: A scheduled task (SPConfigSync) executed a base64-encoded PowerShell payload every 30 minutes, maintaining C2 communication.
- Damage: Compromised student and faculty data, with attackers pivoting to a linked OneDrive instance to exfiltrate research documents.
- Missed Opportunity: Defender logs flagged anomalous w3wp.exe activity six days prior, but lack of expertise led to a delayed response.
- Resolution: Full system rebuild, registry scrub, and temporary suspension of internet-facing SharePoint services. The university accelerated plans for cloud migration.
- Lesson: Advanced logging and skilled analysts are essential to detect sophisticated attacks early.
Case Study 3: Asian Telecommunications Provider
- Initial Entry: Exploitation on July 17 from IP 96.9.125.147, part of the “no shell” cluster, using in-memory .NET execution to avoid disk-based artifacts.
- Persistence: Attackers modified registry keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to execute a reflective DLL at startup.
- Damage: Deployment of Warlock ransomware, encrypting critical billing and customer management systems.
- Missed Opportunity: Lack of network egress controls allowed C2 communication to go undetected for 48 hours.
- Resolution: Engaged Unit 42’s incident response team, restored systems from backups, and implemented Palo Alto Networks’ Cortex XDR for enhanced monitoring.
- Lesson: Fileless attacks require behavioral monitoring and strict network controls to detect and prevent.
Strategic Recommendations (Beyond Patching)
To mitigate the ongoing threat of CVE-2025-53770 and CVE-2025-53771, organizations must adopt a layered defense strategy. Below are detailed recommendations based on the latest guidance from Microsoft, CISA, and security researchers.
Rotate ASP.NET Machine Keys Immediately
- Stolen ValidationKey and DecryptionKey values allow attackers to forge ViewState payloads, bypassing patches. PowerShell can be used to rotate the keys; after rotating them, restart IIS so the new keys take effect. Assume compromise for any internet-facing SharePoint server that was unpatched before July 20, 2025.
Audit Scheduled Tasks and Registry Entries
- Attackers use scheduled tasks and registry keys for persistence.
- Check for suspicious tasks using schtasks /query /fo LIST /v.
- Audit HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unauthorized entries.
- Look for tasks or keys with names mimicking SharePoint processes, such as SPUpdate or SPHealth.
Implement File Integrity Monitoring (FIM)
- Detect unauthorized ASPX uploads to the LAYOUTS directory and monitor for any .aspx file creation or modification.
Monitor for ViewState Anomalies
- Forged __VIEWSTATE payloads are a common re-entry mechanism, so use WAF or IDS rules to detect unusually large __VIEWSTATE fields (>10 KB) or unexpected POST requests to /ToolPane.aspx.
Segregate SharePoint Servers
- Prevent lateral movement to critical systems by placing SharePoint servers in a dedicated VLAN with strict ingress/egress controls. Use private access tools to limit internet exposure. Disable unnecessary integrations with Teams, OneDrive, or Outlook until the environment is secured.
Enable AMSI and Deploy Endpoint Protection
- AMSI blocks malicious payload execution, and EDR solutions detect post-exploit activity. Enable AMSI in Full Mode on SharePoint servers (enabled by default since September 2023 for SharePoint 2016/2019) and deploy an EDR solution.
It’s Not Over
The CVE-2025-53770 and CVE-2025-53771 exploitation campaign, dubbed ToolShell, highlights the devastating impact of deserialization vulnerabilities combined with authentication bypass flaws. The campaign’s rapid evolution, fueled by public PoC exploits and nation-state actors, underscores the need for proactive defense strategies. Patching alone is insufficient. Organizations must assume compromise for any on-premises SharePoint servers and implement comprehensive remediation, including key rotation, advanced monitoring, and network segmentation.
The ToolShell campaign also serves as a wake-up call for organizations relying on legacy on-premises SharePoint deployments. Migrating to SharePoint Online, where these vulnerabilities do not apply, may be a long-term solution for some. For those unable to migrate, layered defenses and vigilant monitoring are non-negotiable.
Sources:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- https://unit42.paloaltonetworks.com/active-exploitation-of-microsoft-sharepoint-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- https://www.cisa.gov/news-events/alerts/2025/07/23/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
- https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-know
- https://www.fortiguard.com/outbreak-alert/microsoft-sharepoint-zero-day-attack
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://www.rapid7.com/blog/post/2025/07/21/zero-day-exploitation-in-the-wild-of-microsoft-sharepoint-servers-via-cve-2025-53770/