Suspicious File Write to SharePoint Layouts Directory

Title: Suspicious File Write to SharePoint Layouts Directory
Status: experimental
Description:Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
References:
  -https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
  -https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-07-24
modified:None
Tags:

• -'attack.initial-access'
• -'attack.t1190'
• -'attack.persistence'
• -'attack.t1505.003'

Logsource:

• product: windows
• category: file_event

Detection:
  selection:
    Image|endswith:
      -'\cmd.exe'
      -'\powershell_ise.exe'
      -'\powershell.exe'
      -'\pwsh.exe'
      -'\w3wp.exe'

    TargetFilename|startswith:
      -'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
      -'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'

    TargetFilename|contains:
      -'\15\TEMPLATE\LAYOUTS\'
      -'\16\TEMPLATE\LAYOUTS\'

    TargetFilename|endswith:
      -'.asax'
      -'.ascx'
      -'.ashx'
      -'.asmx'
      -'.asp'
      -'.aspx'
      -'.bat'
      -'.cmd'
      -'.cer'
      -'.config'
      -'.hta'
      -'.js'
      -'.jsp'
      -'.jspx'
      -'.php'
      -'.ps1'
      -'.vbs'

  condition:selection
Falsepositives:
  -Unknown
Level: high