Analytics Story: Microsoft SharePoint Vulnerabilities

Description

This analytic story addresses critical vulnerabilities in Microsoft SharePoint that allow attackers to gain unauthorized access, execute code remotely, and elevate privileges. It includes detections for known exploit patterns and post-exploitation activities to help organizations identify and respond to SharePoint-targeted attacks.

Why it matters

Microsoft SharePoint is a widely deployed collaboration platform in enterprise environments, making it an attractive target for threat actors. Recent vulnerabilities have enabled attackers to compromise SharePoint servers through various attack vectors.

The "ToolShell" vulnerability (CVE-2025-53770) allows unauthenticated remote code execution via the ToolPane.aspx endpoint. This vulnerability is particularly dangerous because it gives an unauthenticated attacker full access to SharePoint content, the file system and internal configuration, together with the ability to execute code over the network. CISA has reported active exploitation in the wild, with specific IP addresses identified as attack sources.

Another significant vulnerability is the SharePoint Server Elevation of Privilege (CVE-2023-29357), which allows attackers to elevate their privileges by exploiting the SharePoint API.

This analytic story provides detections for these vulnerabilities, focusing on identifying exploitation attempts through web traffic analysis. The detections look for specific indicators such as POST requests to vulnerable endpoints with particular parameters and suspicious API calls that may indicate privilege escalation attempts.

Organizations should implement Microsoft's recommended mitigations, including configuring AMSI in SharePoint, deploying Microsoft Defender AV on all SharePoint servers, and applying the latest security updates. Additionally, monitoring web traffic to SharePoint servers and implementing comprehensive logging are essential for early detection of exploitation attempts.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| W3WP Spawning Shell | Web Shell | TTP |
| Windows SharePoint Spinstall0 Webshell File Creation | Exploit Public-Facing Application, Web Shell | TTP |
| Windows Suspicious Child Process Spawned From WebServer | Web Shell | TTP |
| Windows SharePoint Spinstall0 GET Request | Exploit Public-Facing Application, Web Shell, Unsecured Credentials | TTP |
| Windows SharePoint ToolPane Endpoint Exploitation Attempt | Exploit Public-Facing Application, Web Shell | TTP |
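The following is an added example, not Splunk's own detection code or part of this page, showing the kind of logic the detections above and the web-traffic analysis described in the story imply: it runs over constructed web-server log lines (combined log format) and constructed process-creation events using Sysmon EventID 1 field names (Image, ParentImage, CommandLine), which are assumptions for the sample. It flags POST requests to ToolPane.aspx, GET requests whose path contains "spinstall0", a w3wp.exe worker spawning a shell, and PowerShell started with -EncodedCommand or one of its documented short forms. The page does not name the "particular parameters" its ToolPane detection keys on, so this matches the endpoint only and keeps the query string as evidence for the analyst.

```python
import base64
import re
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Alert:
    name: str      # detection name from the analytic story
    evidence: str  # field values that made it fire


# Combined-format web log line: client, identity, user, timestamp, request line, status
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# powershell.exe -EncodedCommand and its documented short forms -e / -ec / -enc
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")


def check_web_line(line):
    """Return alerts for one web-server log line (empty list if nothing matches)."""
    m = WEB_RE.match(line)
    if not m:
        return []
    method, uri, src, status = m.group("method", "uri", "src", "status")
    path, _, query = uri.partition("?")
    alerts = []
    # The story's detection keys on POSTs to the ToolPane endpoint; parameters are
    # not named on the page, so only the endpoint is matched and the query kept.
    if method == "POST" and path.lower().endswith("/toolpane.aspx"):
        alerts.append(Alert("Windows SharePoint ToolPane Endpoint Exploitation Attempt",
                            f"{src} POST {path} query={query!r} status={status}"))
    # Retrieval of the spinstall0 web shell over HTTP GET
    if method == "GET" and "spinstall0" in path.lower():
        alerts.append(Alert("Windows SharePoint Spinstall0 GET Request",
                            f"{src} GET {path} status={status}"))
    return alerts


def _basename(image_path):
    return image_path.rsplit("\\", 1)[-1].lower()


def check_process_event(event):
    """Return alerts for one process-creation event with Sysmon EventID 1 field names."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    alerts = []
    # IIS worker process spawning a command shell (web-shell behaviour)
    if parent == "w3wp.exe" and image in SHELLS:
        alerts.append(Alert("W3WP Spawning Shell", f"{parent} -> {image}: {cmdline}"))
    # PowerShell launched with an encoded command, regardless of parent
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_RE.search(cmdline):
        alerts.append(Alert("Malicious PowerShell Process - Encoded Command", cmdline))
    return alerts


def run_detections(web_lines, process_events):
    alerts = []
    for line in web_lines:
        alerts.extend(check_web_line(line))
    for event in process_events:
        alerts.extend(check_process_event(event))
    return alerts


# Constructed sample data (documentation IP range, invented timestamps and paths)
WEB_LOG = [
    '203.0.113.7 - - [19/Jul/2025:10:01:12 +0000] "POST /_layouts/15/ToolPane.aspx HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Jul/2025:10:01:40 +0000] "GET /_layouts/15/spinstall0.aspx HTTP/1.1" 200 1893',
    '198.51.100.20 - - [19/Jul/2025:10:02:05 +0000] "GET /sites/finance/Shared%20Documents/report.docx HTTP/1.1" 200 40211',
    '198.51.100.20 - - [19/Jul/2025:10:02:30 +0000] "GET /_layouts/15/ToolPane.aspx HTTP/1.1" 401 0',
]
# "dir" encoded the way -EncodedCommand expects (UTF-16LE, base64); constructed, harmless
_ENCODED_DIR = base64.b64encode("dir".encode("utf-16le")).decode()
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -enc {_ENCODED_DIR}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo maintenance"},
]

if __name__ == "__main__":
    for alert in run_detections(WEB_LOG, PROCESS_EVENTS):
        print(f"[{alert.name}] {alert.evidence}")
```

The fourth web line shows why the method matters: a GET to the same endpoint that is rejected with 401 is not an exploitation attempt under the story's definition, while the third process event shows that -ExecutionPolicy must not be mistaken for the -e short form of -EncodedCommand. In production these checks would be expressed over the data sources listed below (Sysmon EventID 1, Security 4688, Suricata HTTP logs) rather than hand-parsed lines.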

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Suricata | N/A | suricata | suricata |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 1