Name:Windows SharePoint ToolPane Endpoint Exploitation Attempt id:508b2649-3a1e-4a4c-ba9d-3cc05e1a1b70 version:1 date:2025-07-20 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2025-53770, also known as "ToolShell". This detection monitors for POST requests to the ToolPane.aspx endpoint with specific DisplayMode parameter, which is a key indicator of the exploit. This vulnerability allows unauthenticated remote code execution on affected SharePoint servers, enabling attackers to fully access SharePoint content, file systems, internal configurations, and execute code over the network. Data_source:
-Suricata
search:| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/_layouts/15/ToolPane.aspx*" AND Web.url="*DisplayMode=Edit*" Web.http_method=POST by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sharepoint_toolpane_endpoint_exploitation_attempt_filter`
how_to_implement:This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint or web proxy logs that capture SharePoint traffic. Configure AMSI integration in SharePoint and deploy Microsoft Defender AV on all SharePoint servers as recommended by Microsoft to provide additional protection. known_false_positives:Limited false positives are expected as legitimate use of the ToolPane.aspx endpoint with DisplayMode=Edit parameter in POST requests is uncommon. However, some SharePoint administration activities might trigger this detection. Verify against known administrator IPs and activity patterns. References: -https://research.eye.security/sharepoint-under-siege/ -https://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability-exploited/ -https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ -https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 -https://splunkbase.splunk.com/app/3185 drilldown_searches: name:'View the detection results for - "$dest$" and "$src$"' search:'%original_detection_search% | search dest = "$dest$" src = "$src$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Microsoft SharePoint Vulnerabilities' asset_type:Web Server mitre_attack_id: - 'T1190' - 'T1505.003' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network cve: - 'CVE-2025-53770'
