
Hats off to the great work the community and industry have done regarding the “ToolShell” attack against Microsoft’s on-premises SharePoint servers. The goal of this article is to build on that work and help Sumo Logic customers with on-prem SharePoint servers investigate and identify evidence within their environments.
A quick summary of events
On Jul 18, 2025 Eye Security identified an attack on on-prem SharePoint servers that left a suspicious .aspx file written to disk and the servers’ ASP.NET machine keys extracted. Analysis of the attack chain identified a pair of vulnerabilities that bypass the fixes Microsoft had shipped in the July 2025 Patch Tuesday for a previous pair (CVE-2025-49704 and CVE-2025-49706, the chain originally demonstrated at Pwn2Own Berlin).
The attackers chained two vulnerabilities, a critical unauthenticated remote code execution flaw (CVE-2025-53770) and a spoofing flaw (CVE-2025-53771), against on-prem SharePoint Server (2013, 2016, 2019, and Subscription Edition; only 2016, 2019 and Subscription Edition received the out-of-band update) to deploy a webshell whose job was to read the server’s ASP.NET machine keys (ValidationKey and DecryptionKey). With those keys an attacker can sign their own __VIEWSTATE payloads and keep executing code on the server even after the patch is applied, which is why key rotation is part of the remediation.
On Jul 19, 2025 Microsoft published MSRC guidance and began releasing emergency out-of-band updates for SharePoint Server. The guidance covers patching, rotating the SharePoint Server ASP.NET machine keys (after the update, followed by an IIS restart), and additional detection and hunting recommendations.
Let’s get into hunting and detection in Sumo Logic:
Breaking down the attack into component pieces will help us build out searches and Cloud SIEM detections.
Let’s use example searches of the raw logs in a customer’s environment with the Sumo Logic Platform and the normalized records from the Sumo Logic Cloud SIEM.
The exploitation chain begins with an unauthenticated POST to ToolPane.aspx, which has a distinct URI pattern in the IIS logs. These stub queries let you hunt for attempts to reach SharePoint this way.
_sourceCategory=prod/web/iis "ToolPane"
// default IIS W3C field order: 15 fields, so 15 placeholders; names use underscores so they can be referenced without quoting
| parse "* * * * * * * * * * * * * * *" as date, time, s_ip, cs_method, cs_uri_stem, cs_uri_query, s_port, cs_username, c_ip, cs_user_agent, cs_referer, sc_status, sc_substatus, sc_win32_status, time_taken
| where cs_method = "POST"
AND cs_uri_stem matches "*/_layouts/*/ToolPane.aspx*"
AND cs_referer matches "*/_layouts/*SignOut.aspx"
Cloud SIEM record search:
_index=sec_record_network "ToolPane"
| where http_method matches "POST"
AND %"fields.cs-uri-stem" matches "*/_layouts/*/ToolPane.aspx*"
AND http_referer_path matches "*/_layouts/*SignOut.aspx"
The referer path /_layouts/SignOut.aspx is another key element of the exploit chain: the spoofed referer is what bypasses the authentication check on ToolPane.aspx, so an unauthenticated POST (cs_username of -) from an external client carrying that referer is a strong signal, not just a hunting lead.
Here is a search for the key malicious element of this attack chain, the webshell (observed as spinstall0.aspx) the attackers use to extract machine keys and carry out other objectives on the target SharePoint server.
Sumo Logic search:
_sourceCategory=prod/web/iis
| parse "* * * * * * * * * * * * * * *" as date, time, s_ip, cs_method, cs_uri_stem, cs_uri_query, s_port, cs_username, c_ip, cs_user_agent, cs_referer, sc_status, sc_substatus, sc_win32_status, time_taken
| where cs_uri_stem matches /spinstall\S?\.aspx/
AND cs_method = "GET"
Cloud SIEM record search:
_index=sec_record_network "aspx"
| where http_method = "GET"
AND %"fields.cs-uri-stem" matches /spinstall\S?\.aspx/
The webshell gives the attackers the ability to carry out their objectives on the target server. As defenders have called out, process execution spawned from the IIS worker process is an important and detectable deviation from normal SharePoint server behavior.
First, let’s look for w3wp.exe as the parent process of cmd.exe. The hosts returned by these searches feed the subsequent searches for PowerShell execution and, in the context of this attack, for webshell .aspx files being written.
Sumo Logic Search:
_sourceCategory=windows_event_logs
// Sysmon process creation (Event ID 1) fields as forwarded in JSON
| json field=_raw "EventData.CommandLine" as commandLine
| json field=_raw "Computer"
| json field=_raw "EventData.ParentImage" as parentImage
| json field=_raw "EventData.Image" as image
| where toLowerCase(image) matches "*cmd.exe"
AND toLowerCase(parentImage) matches "*w3wp.exe"
| count by Computer,parentImage,image,commandLine
Cloud SIEM record search:
_index=sec_record_endpoint
| where toLowerCase(parentBaseImage) matches "*w3wp.exe"
AND toLowerCase(baseImage) matches "*cmd.exe"
| count by device_hostname,parentBaseImage,baseImage,commandLine
Cloud SIEM tip: Use the above queries to find hosts that deserve a closer look (and increased severity in SIEM alerting).
Match Lists, a helpful feature for Cloud SIEM customers, let you add metadata to the normalized records, which also makes it easy to keep track of sensitive devices for quick record searches. Entity tagging and Entity criticality complement this: criticality raises the severity calculation of signals for that particular entity.
Used together, these features give you quick identification of SharePoint servers in record searches (match lists), and tagging of the SharePoint servers so their Entity criticality can be raised to ensure signals and Insights are created within Sumo Logic Cloud SIEM.
Second, PowerShell execution using the hosts from above.
Sumo Logic Search:
_sourceCategory=windows_event_logs
| json field=_raw "Computer"
| json field=_raw "EventData.ParentImage" as parentImage
| json field=_raw "EventData.Image" as image
| where Computer IN ("[insert list of hosts above]","...")
AND toLowerCase(image) matches "*powershell.exe"
Cloud SIEM record search:
_index=sec_record_endpoint
| where device_hostname IN ("[insert list of hosts above]","...")
AND toLowerCase(baseImage) matches "*powershell.exe"
A caveat with this search: PowerShell can be launched in more ways than powershell.exe. pwsh.exe (PowerShell 7), powershell_ise.exe and any .NET host that loads System.Management.Automation.dll will not match this filter, and -EncodedCommand hides the script body in the command line. The powershell.exe form is the one that appears across the reference material on this attack. It is recommended to go deep on these machines and on others that may be within the blast radius of this attack, as time and the incident permit.
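The two searches above find the hosts first and the PowerShell second. As an added example (not Sumo Logic’s code, and not from the referenced reports), the following Python correlates constructed Sysmon Event ID 1 records into full w3wp.exe → cmd.exe → powershell.exe chains by ProcessGuid/ParentProcessGuid rather than by image name alone, covers the pwsh.exe and powershell_ise.exe cases from the caveat, and decodes an -EncodedCommand payload so the script body can be read. The record shape (Computer plus EventData.ProcessGuid, ParentProcessGuid, Image, CommandLine) and the sample events are assumptions; the GUID values and host name are invented.

```python
import base64
import ntpath
import re

# Added example, not the page's own code. Sysmon EID 1 field names are real;
# the record layout and all sample data below are constructed.
SHELLS = {"cmd.exe"}
# Covers the invocation caveat: Windows PowerShell, PowerShell 7 and the ISE host.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
WEB_WORKER = "w3wp.exe"
ENC_FLAG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def base_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_web_shell_chains(events):
    """Return (host, w3wp_guid, cmd_guid, powershell_guid, command) tuples.

    Links are made on ProcessGuid/ParentProcessGuid, so the chain is found
    even when the hunt would otherwise need two passes over the data.
    """
    by_guid = {ev["EventData"]["ProcessGuid"]: (ev["Computer"], ev["EventData"])
               for ev in events}
    chains = []
    for guid, (host, d) in by_guid.items():
        if base_name(d["Image"]) not in POWERSHELL_HOSTS:
            continue
        parent = by_guid.get(d.get("ParentProcessGuid"))
        if not parent or base_name(parent[1]["Image"]) not in SHELLS:
            continue
        grand = by_guid.get(parent[1].get("ParentProcessGuid"))
        if not grand or base_name(grand[1]["Image"]) != WEB_WORKER:
            continue
        cmd = decode_encoded_command(d.get("CommandLine")) or d.get("CommandLine", "")
        chains.append((host, grand[1]["ProcessGuid"], parent[1]["ProcessGuid"], guid, cmd))
    return chains


def _ev(host, guid, parent_guid, image, cmdline):
    """One constructed Sysmon EID 1 record (assumed JSON shape)."""
    return {"Computer": host, "EventID": 1,
            "EventData": {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
                          "Image": image, "CommandLine": cmdline}}


# Constructed payload: what a dropper might run to write the webshell.
PLAIN_CMD = ("Set-Content -Path 'C:\\Program Files\\Common Files\\Microsoft Shared\\"
             "Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx' -Value $c")
ENCODED_CMD = base64.b64encode(PLAIN_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    _ev("SP01", "{G-1}", "{G-0}", r"C:\Windows\System32\inetsrv\w3wp.exe",
        'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "SharePoint - 80"'),
    _ev("SP01", "{G-2}", "{G-1}", r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c powershell -EncodedCommand " + ENCODED_CMD),
    _ev("SP01", "{G-3}", "{G-2}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -EncodedCommand " + ENCODED_CMD),
    # Benign: an administrator's interactive PowerShell started from explorer.exe.
    _ev("SP01", "{G-5}", "{G-4}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe"),
    _ev("SP01", "{G-4}", "{G-9}", r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for host, w3wp, cmd, ps, command in find_web_shell_chains(SAMPLE_EVENTS):
        print(f"{host}: {w3wp} -> {cmd} -> {ps}: {command}")
```

The same GUID-based join can be expressed in a single Sumo Logic search with a self-join or a lookup, but running it locally over exported events is often the fastest way to confirm a chain during an incident.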
A third step in the process is the writing of the webshell to the file system on hosts across the network.
Sumo Logic search:
"aspx"
| json field=_raw "EventData.TargetFilename" as targetFilename nodrop
| json field=_raw "EventData.CommandLine" as commandLine nodrop
| json field=_raw "Computer" nodrop
| json field=_raw "EventData.ParentImage" as parentImage nodrop
| json field=_raw "EventData.Image" as image nodrop
| where toLowerCase(targetFilename) contains "aspx"
Cloud SIEM record search:
_index=sec_record_endpoint aspx
| where baseImage matches "*powershell.exe"
AND changeTarget contains "aspx"
[Bonus content] A riff on the above search to look for possible other sources of .aspx files being written within endpoint records.
Cloud SIEM record search:
_index=sec_record_endpoint aspx
| where changeTarget contains "aspx"
This will identify .aspx file creation within normalized endpoint records; however, it is not constrained to PowerShell writing those files. Keep in mind this is a hunting analytic intended for very specific exploration rather than continued use.
Note: scoping the query with _sourceCategory= (raw logs) and using the sec_record indexes is highly recommended for scoped and performant searches. When looking for suspicious activity across multiple source categories, however, starting broad is a way to quickly identify activity and then narrow the searches as needed.
These queries are not intended to be exhaustive in the exploration of impacted SharePoint infrastructure, they are intended to accelerate investigation with potentially impacted environments.
Sumo Logic Cloud SIEM detections
Sumo Logic Cloud SIEM customers have the following rules running in their environments, which help them identify and respond to signals and Insights from impacted systems (and other related Entities).
The following Cloud SIEM rules focus on suspicious execution on the target SharePoint server; they look for a range of activity (some more general than others) largely around web servers such as SharePoint.
As mentioned above, Cloud SIEM Entity tagging and Match Lists are valuable tools for identifying SharePoint servers and increasing severity for them.
Cloud SIEM rule ID | Rule name |
MATCH-S00164 | Suspicious Shells Spawned by Web Servers |
MATCH-S00539 | Web Servers Executing Suspicious Processes* |
FIRST-S00010 | First Seen PowerShell Execution from Computer |
MATCH-S00136 | PowerShell Encoded Command |
* MATCH-S00539 requires the creation and population of the “web_servers” match list for scoped detection of process execution from your web servers. Here is how to create a match list.
Threat Intelligence is key to detecting new and emerging threats, as Indicators of Compromise have been shared around this attack. We recommend looking at Threat Intel matches related to your SharePoint infrastructure for possible investigation opportunities. At the time of this writing indicators have been shared within blog posts, and have not necessarily appeared in the larger threat feeds.
Cloud SIEM rule ID | Rule name |
MATCH-S01023 | Threat Intel – Inbound Traffic from Threat Feed IP (High Confidence) |
MATCH-S01027 | Threat Intel – Inbound Traffic from Threat Feed IP (Medium Confidence) |
MATCH-S01025 | Threat Intel – Inbound Traffic from Threat Feed IP (Low Confidence) |
MATCH-S01000 | Threat Intel – MD5 Match |
MATCH-S01003 | Threat Intel – SHA1 Match |
MATCH-S01004 | Threat Intel – SHA256 Match |
With Sumo Logic Threat Intelligence, customers can upload their own indicators as well as ingest from custom sources. Given the small number of indicators shared amongst the community, creating a Threat Intelligence source for Cloud SIEM rules is an option for quick coverage and incorporation into the above rules. Customers can also create local Threat Intelligence rules that reference the custom source they created, e.g. hasThreatMatch([srcDevice_ip, file_hash_md5, file_hash_sha256], source="toolshell iocs").
Proposed detection theories for local rule development
Here are a few samples of detection theory turned into Cloud SIEM match expressions to get you started in crafting rules in your environments to detect elements of this attack.
Cloud SIEM match expression for the initial access POST of the exploit chain:
http_method = 'POST'
AND http_response_statusCode IN (200, 302)
AND http_referer_path MATCHES /(?i)_layouts\/(?:1[56]\/)?signout\.aspx$/
AND fields['cs_uri_stem'] MATCHES /(?i)_layouts\/1[56]\/toolpane\.aspx$/
Theory: detect the POST that kicks off initial access, leading to the webshell being installed on the vulnerable system. The observed referer is the version-less /_layouts/SignOut.aspx, so the referer pattern treats the 15/ or 16/ segment as optional. Confirm the exact key of the URI stem in your IIS records (the record search above referenced fields.cs-uri-stem) before deploying the rule.
Cloud SIEM executable file added to IIS directory:
action = "FileCreate"
AND changeTarget MATCHES /(?i:\\wwwroot\\|\\windows\\microsoft\.net\\framework(?:64)?\\|\\microsoft shared\\web server extensions\\).+\.(?i:as[hmp]x|cshtml)$/
AND baseImage NOT MATCHES /(?i)(?:\\w3wp|\\msdeploy|\\svchost|\\explorer)\.exe$/
Theory: detect a FileCreate of executable web content (the webshell in this context) under the IIS and SharePoint web directories by a process other than the expected writers. The observed webshell landed under the SharePoint LAYOUTS folder (the “web server extensions” branch of the pattern); the Framework path alternative also covers Framework64 for 64-bit worker processes.
Cloud SIEM detecting interaction with the webshell via GET:
http_method = 'GET'
AND http_response_statusCode IN (200,302)
AND fields['cs_uri_stem'] MATCHES /(?i)_layouts\/1[56]\/spinstall\d{0,2}\.aspx/
Theory: after the attacker has compromised the system with the exploit chain started by the POST above, this detection captures interaction with the webshell as they carry out objectives on the target.
These detection theories are shared as prototypes to accelerate the crafting of local detection rules, aiding detection and investigation in suspected vulnerable environments. They are written as match expressions for Sumo Logic Cloud SIEM and can be adapted to yield results similar to the searches shared above.
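The initial-access POST, the webshell GET and the executable-file-in-IIS-directory expressions above, together with the raw IIS searches earlier in the article, all hinge on the same few patterns. As an added example (not Sumo Logic’s code or a Cloud SIEM export), the following Python parses constructed IIS W3C log lines in the default 15-field order assumed by the parse statements, applies the three match expressions, and evaluates the FileCreate rule against constructed Sysmon-style records. The sample log lines, client addresses and file events are invented; the field names action, changeTarget and baseImage mirror the Cloud SIEM record fields used in the expressions.

```python
import re

# Added example, not the page's own code. Assumes the default IIS W3C field
# order; adjust IIS_FIELDS to the #Fields: header of your own logs.
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()

TOOLPANE = re.compile(r"(?i)/_layouts/1[56]/toolpane\.aspx$")
# The observed referer is /_layouts/SignOut.aspx; a 15/ or 16/ segment is tolerated.
SIGNOUT = re.compile(r"(?i)/_layouts/(?:1[56]/)?signout\.aspx$")
WEBSHELL = re.compile(r"(?i)/_layouts/1[56]/spinstall\d{0,2}\.aspx")
# Executable web content under IIS/SharePoint-served directories.
IIS_WEB_DIR = re.compile(
    r"(?i:\\wwwroot\\|\\windows\\microsoft\.net\\framework(?:64)?\\|"
    r"\\microsoft shared\\web server extensions\\).+\.(?i:as[hmp]x|cshtml)$")
EXPECTED_WRITERS = re.compile(r"(?i)(?:\\w3wp|\\msdeploy|\\svchost|\\explorer)\.exe$")


def parse_iis(line):
    """Split one W3C line into a dict; None for comment, blank or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def is_toolpane_post(rec):
    """Initial access: POST to ToolPane.aspx with the spoofed SignOut referer."""
    return (rec["cs-method"] == "POST"
            and rec["sc-status"] in ("200", "302")
            and TOOLPANE.search(rec["cs-uri-stem"]) is not None
            and SIGNOUT.search(rec["cs(Referer)"]) is not None)


def is_webshell_get(rec):
    """Post-exploitation: GET against spinstall*.aspx."""
    return (rec["cs-method"] == "GET"
            and rec["sc-status"] in ("200", "302")
            and WEBSHELL.search(rec["cs-uri-stem"]) is not None)


def is_suspicious_web_file_create(event):
    """Executable web content written by something other than the expected IIS writers."""
    return (event.get("action") == "FileCreate"
            and IIS_WEB_DIR.search(event.get("changeTarget", "")) is not None
            and EXPECTED_WRITERS.search(event.get("baseImage", "")) is None)


def hunt(lines):
    """Return (toolpane_posts, webshell_gets) as lists of (client ip, uri stem)."""
    posts, gets = [], []
    for line in lines:
        rec = parse_iis(line)
        if rec is None:
            continue
        if is_toolpane_post(rec):
            posts.append((rec["c-ip"], rec["cs-uri-stem"]))
        if is_webshell_get(rec):
            gets.append((rec["c-ip"], rec["cs-uri-stem"]))
    return posts, gets


# Constructed sample log lines, not real traffic. The exploit sends a relative
# Referer header, so IIS logs it verbatim as a bare path.
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 16:00:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 python-requests/2.32 /_layouts/SignOut.aspx 200 0 0 812",
    "2025-07-18 16:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 python-requests/2.32 - 200 0 0 35",
    "2025-07-18 16:01:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.20 Mozilla/5.0 https://sp.corp.local/sites/hr/default.aspx 200 0 0 120",
    "2025-07-18 16:02:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.20 Mozilla/5.0 - 200 0 0 40",
]

# Constructed endpoint records shaped like the Cloud SIEM fields in the expression.
SAMPLE_FILE_EVENTS = [
    {"action": "FileCreate",
     "baseImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "changeTarget": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"action": "FileCreate",
     "baseImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "changeTarget": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\App_GlobalResources\resx.aspx"},
]

if __name__ == "__main__":
    posts, gets = hunt(SAMPLE_IIS)
    print("ToolPane POSTs with spoofed referer:", posts)
    print("webshell GETs:", gets)
    for ev in SAMPLE_FILE_EVENTS:
        print(ev["changeTarget"], "->", is_suspicious_web_file_create(ev))
```

The legitimate editor POST in the sample carries a normal referer and an authenticated user, so it is not flagged; in production, correlating the flagged POST’s client address with a later spinstall GET from the same address, as the sample shows, is the sequence worth alerting on.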
Recommendations
Microsoft provides detailed guidance on protecting against exploitation of these vulnerabilities in your environment, as well as remediation steps if you determine that your SharePoint servers have been compromised.
Exploitation of the SharePoint vulnerabilities is trivial. If you have vulnerable SharePoint servers in your environment, you will need to determine whether they were compromised and, if so, the extent of the damage and the mitigations required. Once attackers have compromised a SharePoint server they can pivot from it to other assets in your environment, and stolen machine keys let them return after patching unless the keys are rotated. The queries in this article can help you determine whether a compromise took place.
Now, you have a brief analysis and timeline of the ongoing attack against on-prem SharePoint servers and how to use Sumo Logic to search for and detect suspicious related activities. If you want to dig deeper into the topic, you can read more sources below.
And as always, if you don’t yet have Cloud SIEM and want to understand how it can help you detect and respond to threats like these, book a demo to learn more.
References and further resources
NIST vulnerability information:
Microsoft MSRC blog for impacted SharePoint customers:
Eye Security’s blog post first reporting the attack:
Cybersecurity community resources and reports documenting the attack:
- https://www.crowdstrike.com/en-us/blog/crowdstrike-detects-blocks-sharepoint-zero-day-exploitation/
- https://www.thawd.com.sa/post/cve-2025-53770-unauthenticated-sharepoint-rce-toolshell-exploit-uncovered
- https://blog.qualys.com/vulnerabilities-threat-research/2025/07/21/toolshell-zero-day-microsoft-rushes-emergency-patch-for-actively-exploited-sharepoint-vulnerabilities
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/