{"id":61186,"date":"2025-07-24T11:46:27","date_gmt":"2025-07-24T19:46:27","guid":{"rendered":"https:\/\/www.sumologic.com\/blog\/sharepoint-toolshell-%e3%82%bc%e3%83%ad%e3%83%87%e3%82%a4"},"modified":"2026-02-25T04:26:35","modified_gmt":"2026-02-25T12:26:35","slug":"investigate-sharepoint-toolshell","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/ja\/blog\/investigate-sharepoint-toolshell","title":{"rendered":"SharePoint &#8220;ToolShell&#8221; \u30bc\u30ed\u30c7\u30a4"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"293\" src=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/\/header-ThreatLabs_Sharepoint_blog_700x200-1024x293.png\" alt=\"Sumo Logic: &#010;CVE-2025-53770&#010;CVE-2025-53771\" class=\"wp-image-49078\" title=\"\" srcset=\"https:\/\/www.sumologic.com\/wp-content\/uploads\/header-ThreatLabs_Sharepoint_blog_700x200-1024x293.png 1024w, https:\/\/www.sumologic.com\/wp-content\/uploads\/header-ThreatLabs_Sharepoint_blog_700x200-300x86.png 300w, https:\/\/www.sumologic.com\/wp-content\/uploads\/header-ThreatLabs_Sharepoint_blog_700x200-768x219.png 768w, https:\/\/www.sumologic.com\/wp-content\/uploads\/header-ThreatLabs_Sharepoint_blog_700x200-575x164.png 575w, https:\/\/www.sumologic.com\/wp-content\/uploads\/header-ThreatLabs_Sharepoint_blog_700x200.png 1400w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Microsoft\u306e\u30aa\u30f3\u30d7\u30ec\u30df\u30b9SharePoint\u30b5\u30fc\u30d0\u30fc\u306b\u5bfe\u3059\u308b\u300cToolShell\u300d\u653b\u6483\u306b\u95a2\u3057\u3066\u3001\u30b3\u30df\u30e5\u30cb\u30c6\u30a3\u3084\u696d\u754c\u304c\u884c\u3063\u305f\u7d20\u6674\u3089\u3057\u3044\u4f5c\u696d\u306b\u8131\u5e3d\u3067\u3059\u3002\u3053\u306e\u8a18\u4e8b\u306e\u76ee\u7684\u306f\u3001\u305d\u306e\u7d20\u6674\u3089\u3057\u3044\u4f5c\u696d\u3092\u57fa\u306b\u3001\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u306eSharePoint\u30b5\u30fc\u30d0\u30fc\u3092\u4f7f\u7528\u3057\u3066\u3044\u308bSumo Logic\u306e\u304a\u5ba2\u69d8\u304c\u3001\u74b0\u5883\u5185\u306e\u8a3c\u62e0\u3092\u8abf\u67fb\u3057\u3066\u7279\u5b9a\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u3053\u3068\u3067\u3059\u3002   <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-quick-summary-of-events\">\u51fa\u6765\u4e8b\u306e\u7c21\u5358\u306a\u8981\u7d04<\/h2>\n\n\n\n<p>2025\u5e747\u670818\u65e5\u3001Eye Security \u793e\u306f\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u7248 SharePoint \u30b5\u30fc\u30d0\u30fc\u306b\u5bfe\u3059\u308b\u653b\u6483\u3092\u7279\u5b9a\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u653b\u6483\u306b\u3088\u308a\u3001\u4e0d\u5be9\u306a .aspx \u30d5\u30a1\u30a4\u30eb\u304c\u66f8\u304d\u8fbc\u307e\u308c\u3001\u30c7\u30b8\u30bf\u30eb\u30fb\u30de\u30b7\u30f3\u30ad\u30fc\u304c\u62bd\u51fa\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u653b\u6483\u30c1\u30a7\u30fc\u30f3\u306e\u5206\u6790\u306e\u7d50\u679c\u3001Microsoft \u304c\u904e\u53bb\u306b\u516c\u958b\u3057\u305f\u4e00\u5bfe\u306e\u8106\u5f31\u6027\u304a\u3088\u3073\u305d\u306e\u30d1\u30c3\u30c1\u306b\u95a2\u9023\u3059\u308b\u3001\u5225\u306e 
2\u4ef6\u306e\u8106\u5f31\u6027\u304c\u5b58\u5728\u3059\u308b\u3053\u3068\u304c\u5224\u660e\u3057\u307e\u3057\u305f\u3002\u00a0<\/p>\n\n\n\n<p>\u653b\u6483\u8005\u306f\u3001\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u7248SharePoint\u30b5\u30fc\u30d0\u30fc\uff082013\u30012016\u30012019\u3001 \u304a\u3088\u3073\u30b5\u30d6\u30b9\u30af\u30ea\u30d7\u30b7\u30e7\u30f3\u7248\uff09\u306b\u5bfe\u3057\u3066\u3001\u30b5\u30fc\u30d0\u30fc\u306e\u30c7\u30b8\u30bf\u30eb\u30de\u30b7\u30f3\u30ad\u30fc\u3078\u306e\u30a2\u30af\u30bb\u30b9\u6a29\u3092\u53d6\u5f97\u3059\u308b\u3053\u3068\u3092\u76ee\u7684\u3068\u3057\u3066\u3001\u30a6\u30a7\u30d6\u30b7\u30a7\u30eb\u3092\u5c55\u958b\u3059\u308b\u305f\u3081\u306b2\u3064\u306e\u8106\u5f31\u6027\uff08\u91cd\u5927\u306a\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u8106\u5f31\u6027\uff08<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53770\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53770<\/a>\uff09\u3068\u30b5\u30fc\u30d0\u30fc\u306a\u308a\u3059\u307e\u3057\u8106\u5f31\u6027\uff08<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53771\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53771<\/a>\uff09\uff09\u306e\u5229\u7528\u304c\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n\n\n\n<p>2025\u5e747\u670819\u65e5\u3001Microsoft\u306f<a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noreferrer noopener\">SharePoint\u30b5\u30fc\u30d0\u30fc<\/a>\u5411\u3051\u306b\u7dca\u6025\u306e\u5e2f\u57df\u5916\u30d1\u30c3\u30c1\u3092\u767a\u884c\u3057\u307e\u3057\u305f\u3002\u3053\u308c\u306b\u52a0\u3048\u3001MSRC\u30d6\u30ed\u30b0\u8a18\u4e8b\u3067SharePoint\u30b5\u30fc\u30d0\u30fc\u306e\u30d1\u30c3\u30c1\u9069\u7528\u3001SharePoint Server 
ASP.NET\u30de\u30b7\u30f3\u30ad\u30fc\u306e\u30ed\u30fc\u30c6\u30fc\u30b7\u30e7\u30f3\u306b\u95a2\u3059\u308b\u9867\u5ba2\u5411\u3051\u30ac\u30a4\u30c0\u30f3\u30b9\u3092\u63d0\u4f9b\u3057\u3001\u691c\u77e5\u3068\u30cf\u30f3\u30c6\u30a3\u30f3\u30b0\u306b\u95a2\u3059\u308b\u8ffd\u52a0\u306e\u63a8\u5968\u4e8b\u9805\u3092\u63d0\u793a\u3057\u307e\u3057\u305f\u3002なお、本攻撃ではマシンキーの窃取が確認されているため、パッチ適用だけでは既に窃取されたキーは無効化されません。パッチ適用後に MSRC の手順に従ってマシンキーをローテーションすることが不可欠です。<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"let-s-get-into-hunting-and-detection-in-sumo-logic\">Sumo Logic\u3067\u306e\u76e3\u8996\u3068\u691c\u77e5\u306b\u3064\u3044\u3066\u898b\u3066\u3044\u304d\u307e\u3057\u3087\u3046\u3002<\/h2>\n\n\n\n<p>\u653b\u6483\u3092\u69cb\u6210\u8981\u7d20\u306b\u5206\u89e3\u3059\u308b\u3053\u3068\u3067\u3001\u691c\u7d22\u3068Cloud SIEM\u691c\u77e5\u306e\u69cb\u7bc9\u306b\u5f79\u7acb\u3061\u307e\u3059\u3002\u00a0<\/p>\n\n\n\n<p>Sumo Logic Platform\u3092\u4f7f\u7528\u3057\u305f\u9867\u5ba2\u74b0\u5883\u306e\u751f\u306e\u30ed\u30b0\u3068\u3001Sumo Logic Cloud SIEM\u304b\u3089\u6b63\u898f\u5316\u3055\u308c\u305f\u30ec\u30b3\u30fc\u30c9\u3092\u7528\u3044\u305f\u691c\u7d22\u4f8b\u3092\u898b\u3066\u307f\u307e\u3057\u3087\u3046\u3002<\/p>\n\n\n\n<p>\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u30c1\u30a7\u30fc\u30f3\u3092\u958b\u59cb\u3059\u308b\u305f\u3081\u3001\u521d\u671f\u30a2\u30af\u30bb\u30b9\u306fToolPane.aspx\u3078\u306ePOST\u30ea\u30af\u30a8\u30b9\u30c8\u304b\u3089\u59cb\u307e\u308a\u307e\u3059\u3002\u3053\u308c\u306f\u30ed\u30b0\u4e0a\u3067\u56fa\u6709\u306eURI\u30d1\u30bf\u30fc\u30f3\u306b\u3088\u3063\u3066\u8b58\u5225\u53ef\u80fd\u3067\u3059\u3002\u3053\u308c\u3089\u306e\u30b9\u30bf\u30d6\u30af\u30a8\u30ea\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001\u3053\u306e\u30e1\u30bd\u30c3\u30c9\u3092\u4ecb\u3057\u305fSharePoint\u3068\u306e\u3084\u308a\u53d6\u308a\u306e\u8a66\u884c\u3092\u691c\u51fa\u3067\u304d\u307e\u3059\u3002以下の parse 文は IIS の既定の W3C ログ形式（15 フィールド）を前提としており、ワイルドカードの数とフィールド名の数を一致させる必要があります。<\/p>\n\n\n\n<code>_sourceCategory=prod\/web\/iis \"ToolPane\"<br\/>| parse \"* * * * * * * * * * * * * * *\" as date time s-ip cs-method cs-uri-stem cs-uri-query 
s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken<br\/>| where cs-method matches \"POST\"\u00a0<br\/>\u00a0\u00a0\u00a0AND cs-uri-stem matches \"*\/_layouts\/*\/ToolPane.aspx*\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Cloud SIEM record search:<\/p>\n\n\n\n<code>_index=sec_record_network \"ToolPane\"<br\/>| where http_method matches \"POST\"\u00a0<br\/>\u00a0\u00a0\u00a0AND %\"fields.cs-uri-stem\" matches \"*\/_layouts\/*\/ToolPane.aspx*\"<br\/>\u00a0\u00a0\u00a0AND http_referer_path matches \"\/_layouts\/SignOut.aspx\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p><code>http_referer_path = \/_layouts\/SignOut.aspx<\/code> \u306f\u3001\u507d\u88c5\u3055\u308c\u305f\u30ea\u30d5\u30a1\u30e9\u30fc\u304c\u8a8d\u8a3c\u5236\u5fa1\u306e\u30d0\u30a4\u30d1\u30b9\u3092\u53ef\u80fd\u306b\u3059\u308b\u305f\u3081\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u30c1\u30a7\u30fc\u30f3\u306e\u3082\u3046\u4e00\u3064\u306e\u91cd\u8981\u306a\u8981\u7d20\u3067\u3059\u3002上記の生ログ（IIS）クエリでも、parse で取り出した <code>cs(Referer)<\/code> フィールドに同じ条件を加えることで同様に絞り込めます。<\/p>\n\n\n\n<p>\u3053\u306e\u653b\u6483\u30c1\u30a7\u30fc\u30f3\u306b\u304a\u3051\u308b\u4e3b\u8981\u306a\u60aa\u610f\u306e\u3042\u308b\u8981\u7d20\u3001\u3059\u306a\u308f\u3061\u653b\u6483\u8005\u304c\u6a19\u7684\u306eSharePoint\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u30de\u30b7\u30f3\u30ad\u30fc\u3084\u305d\u306e\u4ed6\u306e\u76ee\u7684\u3092\u62bd\u51fa\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3055\u308c\u305fWeb\u30b7\u30a7\u30eb\u3092\u7279\u5b9a\u3059\u308b\u305f\u3081\u306e\u8abf\u67fb\u3067\u3059\u3002<\/p>\n\n\n\n<p>Sumo Logic search:<\/p>\n\n\n\n<code>_sourceCategory=prod\/web\/iis<br\/>| parse \"* * * * * * * * * * * * * * *\" as date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken<br\/>| where cs-uri-stem matches \/spinstall\\S?\\.aspx\/<br\/>\u00a0\u00a0\u00a0\u00a0AND cs-method = \"GET\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Cloud SIEM record 
search:<\/p>\n\n\n\n<code>_index=sec_record_network \"aspx\"<br\/>| where http_method = \"GET\"<br\/>\u00a0\u00a0\u00a0\u00a0AND %\"fields.cs-uri-stem\" matches \/spinstall\\S?\\.aspx\/<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4e0a\u8a18\u306e\u30a6\u30a7\u30d6\u30b7\u30a7\u30eb\u306f\u3001\u653b\u6483\u8005\u306b\u30bf\u30fc\u30b2\u30c3\u30c8\u30b5\u30fc\u30d0\u30fc\u4e0a\u3067\u76ee\u7684\u3092\u5b9f\u884c\u3059\u308b\u80fd\u529b\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002\u3053\u306e\u6d3b\u52d5\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5c02\u9580\u5bb6\uff08\u9632\u5fa1\u5074\uff09\u304c\u6307\u6458\u3057\u3066\u3044\u308b\u901a\u308a\u3001SharePoint\u30b5\u30fc\u30d0\u30fc\u306e\u632f\u308b\u821e\u3044\u3068\u3057\u3066\u306f\u91cd\u8981\u304b\u3064\u691c\u51fa\u53ef\u80fd\u306a\u9038\u8131\u3067\u3059\u3002<\/p>\n\n\n\n<p>\u307e\u305a\u3001cmd.exe\u30d7\u30ed\u30bb\u30b9\u306e\u89aa\u30d7\u30ed\u30bb\u30b9\u3068\u3057\u3066<code>w3wp.exe<\/code>\u3092\u63a2\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u691c\u7d22\u7d50\u679c\u306f\u3001PowerShell\u5b9f\u884c\u306e\u305d\u306e\u5f8c\u306e\u691c\u7d22\u3084\u3001\u3053\u306e\u653b\u6483\u306b\u304a\u3051\u308bWeb\u30b7\u30a7\u30eb.aspx\u30d5\u30a1\u30a4\u30eb\u306e\u6587\u8108\u3067\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n\n\n\n<p>Sumo Logic Search:<\/p>\n\n\n\n<code>_sourceCategory=windows_event_logs<br\/>| json field=_raw \"EventData.CommandLine\" as commandLine<br\/>| json field=_raw \"Computer\"<br\/>| json field=_raw \"EventData.ParentImage\" as parentImage<br\/>| json field=_raw \"EventData.Image\" as image<br\/>| where toLowerCase(Image) matches \"*cmd.exe\"<br\/>\u00a0\u00a0\u00a0AND toLowerCase(parentImage) matches \"*w3wp.exe\"<br\/>| count by Computer,parentImage,image,commandLine<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Cloud SIEM record search:<\/p>\n\n\n\n<code>_index=sec_record_endpoint\u00a0<br\/>| where toLowerCase(parentBaseImage) matches \"*w3wp.exe\"<br\/>\u00a0\u00a0\u00a0\u00a0AND 
toLowerCase(baseImage) matches \"*cmd.exe\"<br\/>| count by device_hostname,parentBaseImage,baseImage,commandLine<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Cloud SIEM\u306e\u30d2\u30f3\u30c8\uff1a \u4e0a\u8a18\u306e\u30af\u30a8\u30ea\u3092\u4f7f\u7528\u3057\u3066\u3001\u3088\u308a\u8a73\u7d30\u306a\u8abf\u67fb\u304c\u5fc5\u8981\uff08\u304b\u3064SIEM\u30a2\u30e9\u30fc\u30c8\u306e\u6df1\u523b\u5ea6\u3092\u4e0a\u3052\u308b\u3079\u304d\uff09\u306a\u30db\u30b9\u30c8\u3092\u7279\u5b9a\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n<p>\u30af\u30e9\u30a6\u30c9SIEM\u306e\u304a\u5ba2\u69d8\u306b\u4fbf\u5229\u306a\u6a5f\u80fd\u3067\u3042\u308b\u30de\u30c3\u30c1\u30ea\u30b9\u30c8\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001\u6b63\u898f\u5316\u3055\u308c\u305f\u30ec\u30b3\u30fc\u30c9\u306b\u30e1\u30bf\u30c7\u30fc\u30bf\u3092\u8ffd\u52a0\u3067\u304d\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u6a5f\u5bc6\u6027\u306e\u9ad8\u3044\u30c7\u30d0\u30a4\u30b9\u3092\u8ffd\u8de1\u3057\u3066\u3001\u30ec\u30b3\u30fc\u30c9\u3092\u3059\u3070\u3084\u304f\u691c\u7d22\u3059\u308b\u306e\u306b\u3082\u5f79\u7acb\u3061\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u306e\u30bf\u30b0\u4ed8\u3051\u3068\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u306e\u30af\u30ea\u30c6\u30a3\u30ab\u30ea\u30c6\u30a3\u306e\u6a5f\u80fd\u304c\u3042\u308a\u3001\u30af\u30ea\u30c6\u30a3\u30ab\u30ea\u30c6\u30a3\u306f\u305d\u306e\u7279\u5b9a\u306e\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u306e\u30b7\u30b0\u30ca\u30eb\u306e\u91cd\u5927\u5ea6\u8a08\u7b97\u6a5f\u3092\u5897\u52a0\u3055\u305b\u307e\u3059\u3002\u00a0<\/p>\n\n\n\n<p>\u3053\u308c\u3089\u306e\u6a5f\u80fd\u3092\u7d44\u307f\u5408\u308f\u305b\u3066\u4f7f\u7528\u3059\u308b\u3053\u3068\u3067\u3001\u4ee5\u4e0b\u306e\u3053\u3068\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\uff1a- 
\u30ec\u30b3\u30fc\u30c9\u691c\u7d22\uff08\u30de\u30c3\u30c1\u30ea\u30b9\u30c8\uff09\u306b\u304a\u3051\u308b\u74b0\u5883\u5185\u306eSharePoint\u30b5\u30fc\u30d0\u30fc\u306e\u8fc5\u901f\u306a\u8b58\u5225- SharePoint\u30b5\u30fc\u30d0\u30fc\u3078\u306e\u30bf\u30b0\u4ed8\u3051\uff08\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u91cd\u8981\u5ea6\u306e\u5411\u4e0a\u306b\u4f7f\u7528\uff09- Sumo Logic Cloud SIEM\u5185\u3067\u306e\u30b7\u30b0\u30ca\u30eb\u3068\u30a4\u30f3\u30b5\u30a4\u30c8\u306e\u78ba\u5b9f\u306a\u751f\u6210<\/p>\n\n\n\n<p>\u6b21\u306b\u3001\u4e0a\u8a18\u306e\u30db\u30b9\u30c8\u3092\u4f7f\u7528\u3057\u305fPowerShell\u306e\u5b9f\u884c\u3067\u3059\u3002<\/p>\n\n\n\n<p>Sumo Logic Search:<\/p>\n\n\n\n<code>_sourceCategory=windows_event_logs<br\/>| json field=_raw \"Computer\"<br\/>| json field=_raw \"EventData.ParentImage\" as parentImage<br\/>| json field=_raw \"EventData.Image\" as image<br\/>| where Computer IN (\"[insert list of hosts above]\",\"...\")<br\/>\u00a0\u00a0\u00a0\u00a0AND toLowerCase(image) matches \"*powershell.exe\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Cloud SIEM record search:<\/p>\n\n\n\n<code>_index=sec_record_endpoint\u00a0<br\/>| where device_hostname IN (\"[insert list of hosts above]\",\"...\")<br\/>\u00a0\u00a0\u00a0\u00a0AND toLowerCase(baseImage) matches \"*powershell.exe\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>\u3053\u306e\u691c\u7d22\u306e\u6ce8\u610f\u70b9\uff1aPowerShell \u306b\u306f commandLine \u7d4c\u7531\u3067\u547c\u3073\u51fa\u3055\u308c\u308b\u8907\u6570\u306e\u65b9\u6cd5\u304c\u3042\u308a\u307e\u3059\u304c\u3001\u3053\u308c\u306f 1 
\u3064\u306e\u65b9\u6cd5\u3067\u3042\u308a\u3001\u3053\u306e\u653b\u6483\u306b\u95a2\u3059\u308b\u53c2\u8003\u8cc7\u6599\u5168\u4f53\u306b\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u65b9\u6cd5\u3067\u3059\u3002\u6642\u9593\u3068\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u304c\u8a31\u3059\u9650\u308a\u3001\u3053\u308c\u3089\u306e\u30de\u30b7\u30f3\u3084\u3053\u306e\u653b\u6483\u306e\u5f71\u97ff\u7bc4\u56f2\u5185\u306b\u3042\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b\u4ed6\u306e\u30de\u30b7\u30f3\u306b\u3064\u3044\u3066\u6df1\u304f\u8abf\u3079\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<p>\u30d7\u30ed\u30bb\u30b9\u306e\u7b2c\u4e09\u6bb5\u968e\u3068\u3057\u3066\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u4e0a\u306e\u30db\u30b9\u30c8\u306e\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u3078\u306eWeb\u30b7\u30a7\u30eb\u306e\u66f8\u304d\u8fbc\u307f\u304c\u884c\u308f\u308c\u307e\u3059\u3002<\/p>\n\n\n\n<p>Sumo Logic search:<\/p>\n\n\n\n<code>\"aspx\"<br\/>| json field=_raw \"EventData.TargetFilename\" as targetFilename nodrop<br\/>| json field=_raw \"EventData.CommandLine\" as commandLine nodrop<br\/>| json field=_raw \"Computer\" nodrop<br\/>| json field=_raw \"EventData.ParentImage\" as parentImage nodrop<br\/>| json field=_raw \"EventData.Image\" as image nodrop<br\/>| where toLowerCase(targetFilename) contains \"aspx\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>Cloud SIEM record search:<\/p>\n\n\n\n<code>_index=sec_record_endpoint aspx<br\/>| where baseImage matches \"*powershell.exe\"<br\/>\u00a0\u00a0\u00a0\u00a0\u00a0AND changeTarget contains \"aspx\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>[\u30dc\u30fc\u30ca\u30b9\u30b3\u30f3\u30c6\u30f3\u30c4] 
\u4e0a\u8a18\u306e\u691c\u7d22\u3092\u5fdc\u7528\u3057\u3001\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u30ec\u30b3\u30fc\u30c9\u5185\u306b.aspx\u30d5\u30a1\u30a4\u30eb\u304c\u66f8\u304d\u8fbc\u307e\u308c\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b\u4ed6\u306e\u30bd\u30fc\u30b9\u3092\u63a2\u308b\u3002<\/p>\n\n\n\n<p>Cloud SIEM record search:<\/p>\n\n\n\n<code>_index=sec_record_endpoint aspx<br\/>| where changeTarget contains \"aspx\"<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>\u3053\u308c\u306f\u3001\u6b63\u898f\u5316\u3055\u308c\u305f\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u30ec\u30b3\u30fc\u30c9\u306e\u4e2d\u304b\u3089 <code>.aspx <\/code>\u30d5\u30a1\u30a4\u30eb\u306e\u4f5c\u6210\u3092\u7279\u5b9a\u3059\u308b\u305f\u3081\u306e\u30af\u30a8\u30ea\u3067\u3059\u304c\u3001\u30d5\u30a1\u30a4\u30eb\u3092\u66f8\u304d\u8fbc\u3093\u3060\u30d7\u30ed\u30bb\u30b9\u3092 PowerShell \u306e\u307f\u306b\u9650\u5b9a\u3059\u308b\u3082\u306e\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u3053\u308c\u306f\u30cf\u30f3\u30c6\u30a3\u30f3\u30b0\u7528\u306e\u5206\u6790\u3067\u3042\u308a\u3001\u7d99\u7d9a\u7684\u306a\u904b\u7528\u3067\u306f\u306a\u304f\u3001\u975e\u5e38\u306b\u9650\u5b9a\u7684\u306a\u8abf\u67fb\u76ee\u7684\u3067\u306e\u5229\u7528\u3092\u60f3\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<p>\u6ce8\uff1a\u30b9\u30b3\u30fc\u30d7\u691c\u7d22\u3068\u30d1\u30d5\u30a9\u30fc\u30de\u30f3\u30b9\u5411\u4e0a\u306e\u305f\u3081\u306b\u306f\u3001<code>_sourceCategory=<\/code>\uff08\u751f\u30ed\u30b0\uff09\u3092\u4f7f\u7528\u3057\u305f\u30af\u30a8\u30ea\u306e\u30b9\u30b3\u30fc\u30d7\u8a2d\u5b9a\u3068<code>sec_record<\/code>\u30a4\u30f3\u30c7\u30c3\u30af\u30b9\u306e\u6d3b\u7528\u3092\u5f37\u304f\u63a8\u5968\u3057\u307e\u3059\u3002\u305f\u3060\u3057\u3001\u8907\u6570\u306e\u30bd\u30fc\u30b9\u30ab\u30c6\u30b4\u30ea\u306b\u307e\u305f\u304c\u308b\u4e0d\u5be9\u306a\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u8abf\u67fb\u3059\u308b\u5834\u5408\u3001\u5e83\u7bc4\u306a\u691c\u7d22\u304b\u3089
\u958b\u59cb\u3059\u308b\u3053\u3068\u3067\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u8fc5\u901f\u306b\u7279\u5b9a\u3057\u3001\u5fc5\u8981\u306b\u5fdc\u3058\u3066\u691c\u7d22\u7bc4\u56f2\u3092\u7d5e\u308a\u8fbc\u3080\u3053\u3068\u304c\u6709\u52b9\u3067\u3059\u3002<\/p>\n\n\n\n<p>\u3053\u308c\u3089\u306e\u30af\u30a8\u30ea\u306f\u3001\u5f71\u97ff\u3092\u53d7\u3051\u305fSharePoint\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u8abf\u67fb\u306b\u304a\u3044\u3066\u7db2\u7f85\u7684\u306a\u3082\u306e\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u6f5c\u5728\u7684\u306b\u5f71\u97ff\u3092\u53d7\u3051\u305f\u74b0\u5883\u306e\u8abf\u67fb\u3092\u52a0\u901f\u3059\u308b\u3053\u3068\u3092\u76ee\u7684\u3068\u3057\u3066\u3044\u307e\u3059\u3002\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sumo-logic-cloud-siem-detections\">Sumo Logic Cloud SIEM \u691c\u77e5<\/h3>\n\n\n\n<p>Sumo Logic Cloud SIEM\u3092\u3054\u5229\u7528\u306e\u304a\u5ba2\u69d8\u306f\u3001\u74b0\u5883\u5185\u3067\u4ee5\u4e0b\u306e\u30eb\u30fc\u30eb\u3092\u5b9f\u884c\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u5f71\u97ff\u3092\u53d7\u3051\u305f\u30b7\u30b9\u30c6\u30e0\uff08\u304a\u3088\u3073\u305d\u306e\u4ed6\u306e\u95a2\u9023\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\uff09\u304b\u3089\u306e\u30b7\u30b0\u30ca\u30eb\u3084\u30a4\u30f3\u30b5\u30a4\u30c8\u3092\u7279\u5b9a\u3057\u3001\u5bfe\u5fdc\u3059\u308b\u3053\u3068\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n<p>Cloud 
SIEM\u30eb\u30fc\u30eb\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u4e0b\u306e\u3082\u306e\u306f\u5bfe\u8c61\u3068\u306a\u308bSharePoint\u30b5\u30fc\u30d0\u30fc\u4e0a\u3067\u306e\u4e0d\u5be9\u306a\u5b9f\u884c\u306b\u7126\u70b9\u3092\u5f53\u3066\u3066\u304a\u308a\u3001\u3053\u308c\u3089\u306f\u4e3b\u306bSharePoint\u306b\u95a2\u9023\u3059\u308b\u4e00\u9023\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\uff08\u4e00\u90e8\u306f\u4ed6\u3088\u308a\u3082\u4e00\u822c\u7684\u306a\u3082\u306e\uff09\u3092\u691c\u51fa\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<p>\u524d\u8ff0\u306e\u901a\u308a\u3001Cloud SIEM\u306b\u306f<a href=\"https:\/\/help.sumologic.com\/docs\/cse\/match-lists-suppressed-lists\/standard-match-lists\/\" target=\"_blank\" rel=\"noreferrer noopener\">\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u30bf\u30b0\u4ed8\u3051\u3068\u30de\u30c3\u30c1\u30ea\u30b9\u30c8\u6a5f\u80fd<\/a>\u304c\u5099\u308f\u3063\u3066\u304a\u308a\u3001\u3053\u308c\u3089\u306fSharePoint\u30b5\u30fc\u30d0\u30fc\u4e0a\u3067\u8105\u5a01\u3092\u7279\u5b9a\u3057\u3001\u305d\u306e\u6df1\u523b\u5ea6\u3092\u8a55\u4fa1\u3059\u308b\u4e0a\u3067\u6709\u7528\u306a\u30c4\u30fc\u30eb\u3067\u3059\u3002\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Cloud SIEM \u30eb\u30fc\u30ebID<\/td><td>\u30eb\u30fc\u30eb\u540d<\/td><\/tr><tr><td>MATCH-S00164<\/td><td>Web\u30b5\u30fc\u30d0\u30fc\u306b\u3088\u3063\u3066\u751f\u6210\u3055\u308c\u305f\u4e0d\u5be9\u306a\u30b7\u30a7\u30eb<\/td><\/tr><tr><td>MATCH-S00539<\/td><td>\u4e0d\u5be9\u306a\u30d7\u30ed\u30bb\u30b9\u3092\u5b9f\u884c\u3057\u3066\u3044\u308bWeb\u30b5\u30fc\u30d0\u30fc*<\/td><\/tr><tr><td>FIRST-S00010<\/td><td>\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30fc\u304b\u3089\u306ePowerShell\u5b9f\u884c\u3092\u521d\u3081\u3066\u78ba\u8a8d<\/td><\/tr><tr><td>MATCH-S00136<\/td><td>PowerShell \u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30b3\u30de\u30f3\u30c9<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>* 
MATCH-S00539 \u3067\u306f\u3001Web \u30b5\u30fc\u30d0\u30fc\u304b\u3089\u306e\u30d7\u30ed\u30bb\u30b9\u5b9f\u884c\u3092\u30b9\u30b3\u30fc\u30d7\u6307\u5b9a\u3057\u3066\u691c\u51fa\u3059\u308b\u305f\u3081\u306b\u3001\u300cweb_servers\u300d\u30de\u30c3\u30c1\u30ea\u30b9\u30c8\u306e\u4f5c\u6210\u3068\u30c7\u30fc\u30bf\u5165\u529b\u304c\u5fc5\u8981\u3067\u3059\u3002\u4ee5\u4e0b\u306f<a href=\"https:\/\/help.sumologic.com\/docs\/cse\/match-lists-suppressed-lists\/create-match-list\/\" target=\"_blank\" rel=\"noreferrer noopener\">\u30de\u30c3\u30c1\u30ea\u30b9\u30c8\u3092\u4f5c\u6210\u3059\u308b<\/a>\u65b9\u6cd5\u3067\u3059\u3002<\/p>\n\n\n\n<p>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306f\u3001\u65b0\u3057\u3044\u8105\u5a01\u3084\u51fa\u73fe\u3057\u3064\u3064\u3042\u308b\u8105\u5a01\u3092\u691c\u77e5\u3059\u308b\u305f\u3081\u306e\u9375\u3068\u306a\u308a\u307e\u3059\u3002SharePoint \u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306b\u95a2\u9023\u3059\u308b\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306b\u76ee\u3092\u901a\u3057\u3001\u8abf\u67fb\u306e\u6a5f\u4f1a\u3092\u5f97\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002\u3053\u306e\u8a18\u4e8b\u3092\u66f8\u3044\u3066\u3044\u308b\u6642\u70b9\u3067\u306f\u3001\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u306f\u30d6\u30ed\u30b0\u8a18\u4e8b\u5185\u3067\u5171\u6709\u3055\u308c\u3066\u304a\u308a\u3001\u5fc5\u305a\u3057\u3082\u5927\u898f\u6a21\u306a\u8105\u5a01\u30d5\u30a3\u30fc\u30c9\u306b\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Cloud SIEM \u30eb\u30fc\u30ebID<\/td><td>\u30eb\u30fc\u30eb\u540d<\/td><\/tr><tr><td>MATCH-S01023<\/td><td>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9 &#8211; 
\u8105\u5a01\u30d5\u30a3\u30fc\u30c9IP\u304b\u3089\u306e\u53d7\u4fe1\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\uff08\u9ad8\u4fe1\u983c\u5ea6\uff09<\/td><\/tr><tr><td>MATCH-S01027<\/td><td>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9 &#8211; \u8105\u5a01\u30d5\u30a3\u30fc\u30c9IP\u304b\u3089\u306e\u53d7\u4fe1\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\uff08\u4e2d\u7a0b\u5ea6\u306e\u4fe1\u983c\u5ea6\uff09<\/td><\/tr><tr><td>MATCH-S01025<\/td><td>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9 &#8211; \u8105\u5a01\u30d5\u30a3\u30fc\u30c9IP\u304b\u3089\u306e\u53d7\u4fe1\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\uff08\u4fe1\u983c\u5ea6\u4f4e\uff09<\/td><\/tr><tr><td>MATCH-S01000<\/td><td>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9 &#8211; MD5\u4e00\u81f4<\/td><\/tr><tr><td>MATCH-S01003<\/td><td>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9 &#8211; SHA1\u4e00\u81f4<\/td><\/tr><tr><td>MATCH-S01004<\/td><td>\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9 &#8211; SHA256\u4e00\u81f4<\/td><\/tr><tr><td><\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a href=\"https:\/\/help.sumologic.com\/docs\/security\/threat-intelligence\/about-threat-intelligence\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sumo Logic Threat Intelligence<\/a>\u3067\u306f\u3001\u9867\u5ba2\u81ea\u8eab\u306e\u30a4\u30f3\u30c7\u30a3\u30b1\u30fc\u30bf\u30fc\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3067\u304d\u308b\u307b\u304b\u3001\u72ec\u81ea\u30bd\u30fc\u30b9\u304b\u3089\u306e\u53d6\u308a\u8fbc\u307f\u3082\u53ef\u80fd\u3067\u3059\u3002\u4eca\u56de\u30b3\u30df\u30e5\u30cb\u30c6\u30a3\u3067\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u30a4\u30f3\u30c7\u30a3\u30b1\u30fc\u30bf\u30fc\u306f\u5c11\u6570\u3067\u3059\u304c\u3001Cloud SIEM \u306e\u30eb\u30fc\u30eb\u5411\u3051\u306b Threat Intelligence 
\u30bd\u30fc\u30b9\u3092\u4f5c\u6210\u3059\u308c\u3070\u3001\u4e0a\u8a18\u30eb\u30fc\u30eb\u3078\u306e\u8fc5\u901f\u306a\u53cd\u6620\u3068\u30ab\u30d0\u30ec\u30c3\u30b8\u62e1\u5927\u304c\u884c\u3048\u307e\u3059\u3002 \u307e\u305f\u3001\u9867\u5ba2\u306f\u81ea\u5206\u305f\u3061\u3067\u4f5c\u6210\u3057\u305f\u30ab\u30b9\u30bf\u30e0\u30bd\u30fc\u30b9\u3092\u5229\u7528\u3057\u3066\u3001\u30ed\u30fc\u30ab\u30eb\u306a Threat Intelligence \u30eb\u30fc\u30eb\u306e\u4f5c\u6210\u3082\u3067\u304d\u307e\u3059\u3002\u4f8b\uff1a<code>hasThreatMatch([srcDevice_ip,file_hash_md5,file_hash_sha256], source=&quot;toolshell iocs&quot;)<\/code>（コピーして使用する際は、引用符が ASCII の二重引用符であることを確認してください）<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"proposed-detection-theories-for-local-rule-development\">\u30ed\u30fc\u30ab\u30eb\u30eb\u30fc\u30eb\u5f62\u6210\u306b\u95a2\u3059\u308b\u691c\u51fa\u7406\u8ad6\u306e\u63d0\u6848<\/h3>\n\n\n\n<p>\u4ee5\u4e0b\u306b\u3001\u3053\u306e\u653b\u6483\u306e\u8981\u7d20\u3092\u691c\u51fa\u3059\u308b\u305f\u3081\u306e\u30eb\u30fc\u30eb\u4f5c\u6210\u306e\u53c2\u8003\u3068\u3057\u3066\u3001\u691c\u51fa\u7406\u8ad6\u3092Cloud SIEM\u306e\u30de\u30c3\u30c1\u5f0f\u306b\u5909\u63db\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u3092\u3044\u304f\u3064\u304b\u793a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<p>Cloud SIEM\u306b\u3088\u308b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u30c1\u30a7\u30fc\u30f3\u306e\u521d\u671f\u30a2\u30af\u30bb\u30b9POST\u30ea\u30af\u30a8\u30b9\u30c8\uff08Referer は本記事のハンティング例と同じく <code>\/_layouts\/SignOut.aspx<\/code> のようにバージョンセグメントを含まない形式でも一致するようにしています）\uff1a<\/p>\n\n\n\n<code>http_method = 'POST'<br\/>AND http_response_statusCode IN (200, 302)<br\/>AND http_referer_path MATCHES \/(?i)_layouts\\\/(?:1[56]\\\/)?signout\\.aspx$\/<br\/>AND fields['cs_uri_stem'] MATCHES 
\/(?i)_layouts\\\/1[56]\\\/toolpane\\.aspx$\/<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>\u7406\u8ad6\uff1a攻撃の初期アクセスとなり、脆弱なシステムへのWebシェル設置につながるPOSTリクエストを検知します。レスポンスコードを200/302に限定しているため、対象は成功した試行のみです。失敗した試行（4xx/5xx）も偵察や攻撃の兆候として有用なので、必要に応じて条件を緩めてください。また、Referer パスは本記事のハンティング例のように <code>\/_layouts\/SignOut.aspx<\/code> とバージョンセグメント（15/16）を含まない形で記録されることがあるため、ルールの正規表現がその形式にも一致することを確認してください。<\/p>\n\n\n\n<p>Cloud SIEM\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u304cIIS\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u8ffd\u52a0\u3055\u308c\u307e\u3057\u305f\uff1a<\/p>\n\n\n\n<code>action = \"FileCreate\"<br\/>AND changeTarget MATCHES \/(?i:\\\\wwwroot\\\\|\\\\windows\\\\microsoft\\.net\\\\framework\\\\|\\\\microsoft shared\\\\web server extensions\\\\).+\\.(?i:as[hmp]x|cshtml)$\/<br\/>AND baseImage NOT MATCHES \/(?i)(?:\\\\w3wp|\\\\msdeploy|\\\\svchost|\\\\explorer)\\.exe$\/<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>\u7406\u8ad6\uff1aIIS\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u66f8\u304d\u8fbc\u307f\u5bfe\u8c61\u3068\u306a\u308b\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\uff08\u3053\u306e\u6587\u8108\u3067\u306f\u30a6\u30a7\u30d6\u30b7\u30a7\u30eb\uff09\u306b\u5bfe\u3059\u308bFileCreate\u30a2\u30af\u30b7\u30e7\u30f3\u306e\u691c\u77e5\u3002baseImage から w3wp.exe 等を除外しているのは通常運用での誤検知を抑えるためですが、その分 IIS ワーカープロセス自身が子プロセスを介さず直接 .aspx を書き込むケースは検知できません。本記事で示した w3wp.exe → cmd.exe → powershell.exe の連鎖は捕捉できますが、この除外はカバレッジとのトレードオフである点に留意してください。<\/p>\n\n\n\n<p>Cloud SIEM\u304cGET\u7d4c\u7531\u3067\u306e\u30a6\u30a7\u30d6\u30b7\u30a7\u30eb\u3068\u306e\u3084\u308a\u53d6\u308a\u3092\u691c\u77e5\uff1a<\/p>\n\n\n\n<code>http_method = 'GET'<br\/>AND http_response_statusCode IN (200,302)<br\/>AND fields['cs_uri_stem'] MATCHES 
\/(?i)_layouts\\\/1[56]\\\/spinstall\\d{0,2}\\.aspx\/<\/code>\n\n\n\n<p><\/p>\n\n\n\n<p>\u7406\u8ad6\uff1a\u653b\u6483\u8005\u304c\u4e0a\u8a18\u306ePOST\u304b\u3089\u59cb\u307e\u308b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u30c1\u30a7\u30fc\u30f3\u3067\u30b7\u30b9\u30c6\u30e0\u3092\u4fb5\u5bb3\u3057\u305f\u5f8c\u3001\u3053\u306e\u691c\u77e5\u306f\u6a19\u7684\u306b\u5bfe\u3057\u3066\u76ee\u7684\u3092\u5b9f\u884c\u3059\u308b\u969b\u306b\u30a6\u30a7\u30d6\u30b7\u30a7\u30eb\u3068\u306e\u3084\u308a\u53d6\u308a\u3092\u6355\u6349\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<p>\u3053\u308c\u3089\u306e\u691c\u51fa\u30bb\u30aa\u30ea\u30fc\u306f\u3001\u30ed\u30fc\u30ab\u30eb\u691c\u51fa\u30eb\u30fc\u30eb\u306e\u4f5c\u6210\u3092\u52a0\u901f\u3057\u3001\u691c\u51fa\u3092\u652f\u63f4\u3057\u3001\u7591\u308f\u3057\u3044\u8106\u5f31\u306a\u74b0\u5883\u3092\u8abf\u67fb\u3059\u308b\u305f\u3081\u306e\u30d7\u30ed\u30c8\u30bf\u30a4\u30d7\u3068\u3057\u3066\u5171\u6709\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u3089\u306fSumo Logic Cloud SIEM\u306e\u30de\u30c3\u30c1\u5f0f\u3068\u3057\u3066\u5b9f\u884c\u3059\u308b\u3088\u3046\u306b\u7279\u5225\u306b\u8a2d\u8a08\u3055\u308c\u3066\u304a\u308a\u3001\u4e0a\u8a18\u306e\u5171\u6709\u691c\u7d22\u3068\u540c\u69d8\u306e\u7d50\u679c\u3092\u5f97\u308b\u305f\u3081\u306b\u9069\u5fdc\u3055\u305b\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"recommendations\">\u63a8\u5968<\/h2>\n\n\n\n<p>Microsoft\u306f\u3001\u3053\u306e\u8106\u5f31\u6027\u304c\u60aa\u7528\u3055\u308c\u308b\u53ef\u80fd\u6027\u304b\u3089\u74b0\u5883\u3092\u4fdd\u8b77\u3059\u308b\u65b9\u6cd5\u306b\u95a2\u3059\u308b <a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/#how-to-protect-your-environment\" target=\"_blank\" rel=\"noreferrer noopener\">\u8a73\u7d30\u306a\u30ac\u30a4\u30c0\u30f3\u30b9<\/a> 
\u3092\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001SharePoint\u30b5\u30fc\u30d0\u30fc\u304c\u4fb5\u5bb3\u3055\u308c\u305f\u3068\u5224\u65ad\u3057\u305f\u5834\u5408\u306e\u4fee\u5fa9\u624b\u9806\u3082\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<p>SharePoint \u306e\u8106\u5f31\u6027\u3092\u60aa\u7528\u3059\u308b\u3053\u3068\u306f\u4e9b\u7d30\u306a\u3053\u3068\u3067\u3059\u3002\u304a\u5ba2\u69d8\u306e\u74b0\u5883\u306b\u8106\u5f31\u6027\u306e\u3042\u308b SharePoint \u30b5\u30fc\u30d0\u30fc\u304c\u3042\u308b\u5834\u5408\u3001\u305d\u306e\u30b5\u30fc\u30d0\u30fc\u304c\u4fb5\u5bb3\u3055\u308c\u305f\u304b\u3069\u3046\u304b\u3001\u307e\u305f\u4fb5\u5bb3\u3055\u308c\u305f\u5834\u5408\u3001\u88ab\u5bb3\u306e\u7a0b\u5ea6\u3068\u5fc5\u8981\u306a\u7de9\u548c\u7b56\u3092\u5224\u65ad\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u653b\u6483\u8005\u304c SharePoint \u30b5\u30fc\u30d0\u30fc\u3078\u306e\u4fb5\u5165\u306b\u6210\u529f\u3059\u308b\u3068\u3001SharePoint \u304b\u3089\u74b0\u5883\u5185\u306e\u4ed6\u306e\u8cc7\u7523\u306b\u653b\u6483\u304c\u53ca\u3076\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u3053\u306e\u8a18\u4e8b\u306b\u542b\u307e\u308c\u308b\u30af\u30a8\u30ea\u306f\u3001\u4fb5\u5bb3\u304c\u884c\u308f\u308c\u305f\u304b\u3069\u3046\u304b\u3092\u5224\u65ad\u3059\u308b\u306e\u306b\u5f79\u7acb\u3061\u307e\u3059\u3002\u00a0<\/p>\n\n\n\n<p>\u73fe\u5728\u3001\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 SharePoint \u30b5\u30fc\u30d0\u30fc\u306b\u5bfe\u3059\u308b\u7d99\u7d9a\u7684\u306a\u653b\u6483\u306e\u6982\u8981\u5206\u6790\u3068\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3\u3001\u304a\u3088\u3073 Sumo Logic 
\u3092\u4f7f\u7528\u3057\u3066\u95a2\u9023\u3059\u308b\u4e0d\u5be9\u306a\u6d3b\u52d5\u3092\u691c\u7d22\u30fb\u691c\u51fa\u3059\u308b\u65b9\u6cd5\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002\u3053\u306e\u30c8\u30d4\u30c3\u30af\u306b\u3064\u3044\u3066\u3055\u3089\u306b\u6df1\u304f\u6398\u308a\u4e0b\u3052\u305f\u3044\u5834\u5408\u306f\u3001\u4ee5\u4e0b\u306e\u60c5\u5831\u6e90\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u00a0<\/p>\n\n\n\n<p>\u305d\u3057\u3066\u3001\u3053\u308c\u307e\u3067\u3068\u540c\u69d8\u306b\u3001Cloud SIEM\u3092\u307e\u3060\u5c0e\u5165\u3057\u3066\u304a\u3089\u305a\u3001\u3053\u306e\u3088\u3046\u306a\u8105\u5a01\u306e\u691c\u77e5\u3068\u5bfe\u5fdc\u306b\u3069\u306e\u3088\u3046\u306b\u5f79\u7acb\u3064\u304b\u3092\u7406\u89e3\u3057\u305f\u3044\u5834\u5408\u306f\u3001<a href=\"https:\/\/www.sumologic.com\/ja\/request-demo\">\u30c7\u30e2\u3092\u4e88\u7d04\u3057\u3066\u8a73\u7d30\u3092\u3054\u89a7\u304f\u3060\u3055\u3044<\/a>\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"references-and-further-resources\">\u53c2\u8003\u6587\u732e\u304a\u3088\u3073\u8ffd\u52a0\u60c5\u5831<\/h2>\n\n\n\n<p><strong>NIST\u306e\u8106\u5f31\u6027\u60c5\u5831<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53770\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53770<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53771\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53771<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>\u5f71\u97ff\u3092\u53d7\u3051\u305fSharePoint\u306e\u304a\u5ba2\u69d8\u5411\u3051Microsoft MSRC\u30d6\u30ed\u30b0\uff1a<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Eye Security\u306b\u3088\u308b\u653b\u6483\u3092\u6700\u521d\u306b\u5831\u544a\u3057\u305f\u30d6\u30ed\u30b0\u8a18\u4e8b\uff1a<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/research.eye.security\/sharepoint-under-siege\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/research.eye.security\/sharepoint-under-siege\/<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30df\u30e5\u30cb\u30c6\u30a3\u306e\u30ea\u30bd\u30fc\u30b9\u304a\u3088\u3073\u653b\u6483\u3092\u8a18\u9332\u3057\u305f\u5831\u544a\u66f8\uff1a<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/crowdstrike-detects-blocks-sharepoint-zero-day-exploitation\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.crowdstrike.com\/en-us\/blog\/crowdstrike-detects-blocks-sharepoint-zero-day-exploitation\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thawd.com.sa\/post\/cve-2025-53770-unauthenticated-sharepoint-rce-toolshell-exploit-uncovered\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.thawd.com.sa\/post\/cve-2025-53770-unauthenticated-sharepoint-rce-toolshell-exploit-uncovered<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2025\/07\/21\/toolshell-zero-day-microsoft-rushes-emergency-patch-for-actively-exploited-sharepoint-vulnerabilities\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2025\/07\/21\/toolshell-zero-day-microsoft-rushes-emergency-patch-for-actively-exploited-sharepoint-vulnerabilities<\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/?msockid=1a581412ba6b61a33ccd06debbde60b2#mitigation-and-protection-guidance\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/unit42.paloaltonetworks.com\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/unit42.paloaltonetworks.com\/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.rapid7.com\/blog\/post\/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.rapid7.com\/blog\/post\/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770\/<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":345,"featured_media":49075,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"3","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[322,323],"blog-tag":[],"translation_priority":[221]},"selected_primary_terms":[],"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_rel
evanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"62284,62286,62288","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[322,323],"blog-tag":[],"class_list":["post-61186","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-cloud-siem","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/blog\/61186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/users\/345"}],"version-history":[{"count":9,"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/blog\/61186\/revisions"}],"predecessor-version":[{"id":70190,"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/blog\/61186\/revisions\/70190"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/media\/49075"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/media?parent=61186"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/blog-category?post=61186"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/ja\/wp-json\/wp\/v2\/blog-tag?post=61186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}