ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
T1505.003 | Web Shell | Persistence |
T1552 | Unsecured Credentials | Credential Access |
Detection: Windows SharePoint Spinstall0 GET Request
Description
The following analytic detects potential post-exploitation activity related to the Microsoft SharePoint CVE-2025-53770 vulnerability. After successful exploitation via the ToolPane.aspx endpoint, attackers typically deploy a webshell named "spinstall0.aspx" in the SharePoint layouts directory. This detection identifies GET requests to that webshell; such requests indicate active use of the backdoor for command execution, data exfiltration, or credential and key extraction. Attackers commonly use the webshell to extract encryption keys (the server's ASP.NET machine keys), authentication tokens, and other sensitive information from the compromised SharePoint server.
Search
```
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/_layouts/15/spinstall0.aspx*" Web.http_method="GET" by Web.url Web.src Web.dest Web.status Web.http_user_agent Web.url_length sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sharepoint_spinstall0_get_request_filter`
```
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Suricata | N/A | suricata | suricata |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
windows_sharepoint_spinstall0_get_request_filter | search * |
windows_sharepoint_spinstall0_get_request_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
This detection requires the Web data model to be populated (and ideally accelerated, since the search uses tstats) by a CIM-compliant Technology Add-on: IIS logs from the SharePoint web front ends via the Splunk Add-on for Microsoft IIS, or web proxy or IDS logs that capture SharePoint traffic (the test dataset uses Suricata http events). The search matches GET requests whose URL contains spinstall0.aspx under /_layouts/15/, the webshell deployed after successful exploitation of CVE-2025-53770. Enable W3C logging on every IIS site that hosts SharePoint, confirm that the URI stem, client IP, method and user agent fields are captured, and forward the logs to your SIEM. Because the URL match is a fixed filename, a renamed or relocated webshell will not match; treat a hit as a high-fidelity indicator rather than complete coverage. Tune or extend the analytic as needed, for example to include POST requests to the same path.
Known False Positives
Limited false positives are expected because spinstall0.aspx is not a legitimate SharePoint component. Security teams investigating an incident may, however, request the file themselves for analysis. Check source IP addresses against known security team addresses (and add them to the filter macro where appropriate), and compare the timing of the requests with the initial exploitation attempt against ToolPane.aspx.
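The search above expressed as runnable code, as an added example that is not part of the Splunk Security Content project: it re-implements the where-clause, the by-clause aggregation and the filter macro of the SPL over constructed Suricata EVE http records (the data source used by the unit test), with a source-IP allowlist standing in for the `windows_sharepoint_spinstall0_get_request_filter` macro as the false-positive note suggests. The EVE field names are Suricata's own; the events, hostnames and addresses are constructed.

```python
"""Added example, not part of the Splunk Security Content detection or its
test data: the SPL search re-implemented in plain Python over constructed
Suricata EVE http events so the matching and grouping logic can be run and
tuned offline. Field names follow the Suricata EVE JSON schema (src_ip,
dest_ip, http.url, http.http_method, http.http_user_agent, http.status);
the records, hosts and IP addresses below are constructed sample data."""
import json
from datetime import datetime
from fnmatch import fnmatchcase

# Same wildcard the SPL applies to Web.url.
URL_PATTERN = "*/_layouts/15/spinstall0.aspx*"

# Constructed EVE records, one JSON object per line (not real traffic).
SAMPLE_EVE = """\
{"timestamp":"2025-07-20T10:15:01.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_layouts/15/ToolPane.aspx","http_method":"POST","http_user_agent":"python-requests/2.32","status":200}}
{"timestamp":"2025-07-20T10:15:07.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_layouts/15/spinstall0.aspx","http_method":"GET","http_user_agent":"python-requests/2.32","status":200}}
{"timestamp":"2025-07-20T10:16:30.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_layouts/15/spinstall0.aspx","http_method":"GET","http_user_agent":"python-requests/2.32","status":200}}
{"timestamp":"2025-07-20T10:20:00.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_LAYOUTS/15/SpInstall0.aspx","http_method":"GET","http_user_agent":"python-requests/2.32","status":200}}
{"timestamp":"2025-07-20T10:21:00.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_layouts/15/spinstall0.aspx","http_method":"POST","http_user_agent":"python-requests/2.32","status":200}}
{"timestamp":"2025-07-20T11:02:00.000000+0000","event_type":"http","src_ip":"10.0.0.42","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_layouts/15/spinstall0.aspx","http_method":"GET","http_user_agent":"curl/8.5.0","status":200}}
{"timestamp":"2025-07-20T11:05:00.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"hostname":"sp.example.test","url":"/_layouts/15/start.aspx","http_method":"GET","http_user_agent":"Mozilla/5.0","status":200}}
{"timestamp":"2025-07-20T11:06:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature":"constructed non-http event"}}
"""


def parse_eve(text):
    """Yield Web-data-model-style records from EVE JSON lines, skipping non-http events."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        h = ev.get("http", {})
        yield {
            "_time": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "src": ev["src_ip"],
            "dest": ev["dest_ip"],
            "url": h.get("url", ""),
            "http_method": h.get("http_method", ""),
            "status": h.get("status"),
            "http_user_agent": h.get("http_user_agent", ""),
        }


def ctime(dt):
    """Same output format as the security_content_ctime macro."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def detect(events, filter_src=frozenset()):
    """Apply the SPL where-clause, then count/min/max grouped by the by-clause fields.

    filter_src stands in for the windows_sharepoint_spinstall0_get_request_filter
    macro: source IPs to drop, for example an incident-response team's analysis hosts.
    """
    groups = {}
    for e in events:
        # Splunk's wildcard match on Web.url is case-insensitive; fnmatchcase is not,
        # so lower-case the URL before comparing.
        if not fnmatchcase(e["url"].lower(), URL_PATTERN):
            continue
        if e["http_method"].upper() != "GET":  # POSTs to the shell are out of scope here
            continue
        if e["src"] in filter_src:
            continue
        key = (e["url"], e["src"], e["dest"], e["status"], e["http_user_agent"], len(e["url"]))
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])

    results = []
    for (url, src, dest, status, ua, url_length), g in groups.items():
        results.append({
            "url": url, "src": src, "dest": dest, "status": status,
            "http_user_agent": ua, "url_length": url_length, "count": g["count"],
            "firstTime": ctime(g["firstTime"]), "lastTime": ctime(g["lastTime"]),
        })
    # Earliest access first: that row is the one to compare with the initial exploitation time.
    results.sort(key=lambda r: (r["firstTime"], r["url"]))
    return results


def risk_message(result):
    """The detection's RBA message with $src$ and $dest$ substituted."""
    return (f"Potential access to SharePoint webshell (spinstall0.aspx) detected "
            f"from {result['src']} targeting {result['dest']}")


if __name__ == "__main__":
    # 10.0.0.42 plays the role of a known IR host excluded via the filter macro.
    for r in detect(parse_eve(SAMPLE_EVE), filter_src={"10.0.0.42"}):
        print(r["count"], r["firstTime"], r["lastTime"], r["url"], risk_message(r))
```

Run as-is, the script reports two rows for 203.0.113.10: the lower-case URL with count 2 and the mixed-case URL as a separate row, because the by-clause groups on the exact Web.url value even though the where-clause matched case-insensitively. The POST to the same path and the curl request from the excluded IR address do not appear, which is exactly the behaviour to keep in mind when tuning the HTTP method filter or populating the filter macro.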
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Potential access to SharePoint webshell (spinstall0.aspx) detected from $src$ targeting $dest$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
dest | system | 85 | src |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | suricata | suricata |
Integration | ✅ Passing | Dataset | suricata | suricata |
Replay any dataset into Splunk Enterprise with the project's replay.py tool or through the UI. Alternatively, replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1