
SharePoint CVE-2025-53770 (ToolShell) Incident Response Guide


Executive Summary

This comprehensive guide details the detection, analysis, and remediation of SharePoint Server compromises through CVE-2025-53770, also known as “ToolShell”. This critical vulnerability allows unauthenticated remote code execution and has been actively exploited in the wild since July 2025.

Table of Contents

  1. Vulnerability Overview
  2. Initial Detection
  3. Forensic Analysis
  4. Containment Steps
  5. Eradication Process
  6. Recovery Procedures
  7. Post-Incident Activities

1. Vulnerability Overview

CVE Details

  • CVE ID: CVE-2025-53770
  • Severity: CRITICAL (CVSS 9.8)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • Affected Versions: SharePoint Server 2016, 2019, Subscription Edition
  • Patch Released: July 2025 Security Update

Attack Methodology

Attackers exploit the vulnerability through:

  1. Unauthenticated access to /_layouts/15/ToolPane.aspx
  2. Remote code execution via deserialization vulnerability
  3. Deployment of web shells (commonly spinstall0.aspx)
  4. Theft of machine keys for persistent access

Known Indicators of Compromise (IoCs)

  • Malicious Files: spinstall0.aspx, spinstall1.aspx
  • Attack IPs: 107.191.58.76, 104.238.159.149
  • File Sizes: Often 666 bytes or under 1KB
  • Locations: /_layouts/ directories

2. Initial Detection

Quick Detection Script

# SharePoint CVE-2025-53770 Quick Detection Script
Write-Host "=== SHAREPOINT TOOLSHELL DETECTION ===" -ForegroundColor Red

# Check for known backdoor files
$backdoorPaths = @(
    "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall*.aspx",
    "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall*.aspx",
    "C:\inetpub\wwwroot\wss\VirtualDirectories\*\_layouts\*\spinstall*.aspx"
)
$foundBackdoors = @()
foreach ($path in $backdoorPaths) {
    $files = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
    if ($files) { $foundBackdoors += $files }
}
if ($foundBackdoors.Count -gt 0) {
    Write-Host "`nCRITICAL: Backdoor files detected!" -ForegroundColor Red
    $foundBackdoors | Format-Table FullName, Length, CreationTime, LastWriteTime -AutoSize
} else {
    Write-Host "`nNo known backdoor files found (further investigation needed)" -ForegroundColor Yellow
}

# Check for suspicious ASPX files (tiny files or anything created/modified in the last 30 days)
Write-Host "`nChecking for suspicious ASPX files..." -ForegroundColor Yellow
$suspiciousFiles = Get-ChildItem -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\*\TEMPLATE\LAYOUTS" -Filter "*.aspx" -Recurse |
    Where-Object {
        $_.Length -eq 666 -or
        $_.Length -lt 1000 -or
        $_.CreationTime -gt (Get-Date).AddDays(-30) -or
        $_.LastWriteTime -gt (Get-Date).AddDays(-30)
    }
if ($suspiciousFiles) {
    Write-Host "Suspicious files found:" -ForegroundColor Yellow
    $suspiciousFiles | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
}

# Check IIS logs for ToolPane.aspx access
Write-Host "`nChecking IIS logs for exploitation attempts..." -ForegroundColor Yellow
$iisLogs = Get-ChildItem "C:\inetpub\logs\LogFiles\W3SVC*" -Filter "*.log" -Recurse |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-90) }
$exploitAttempts = 0
foreach ($log in $iisLogs) {
    # $matches is PowerShell's automatic regex variable, so the result is stored under another name
    $hit = Select-String -Path $log.FullName -Pattern "ToolPane.aspx|spinstall" -Quiet
    if ($hit) {
        $exploitAttempts++
        Write-Host "  Suspicious activity in: $($log.Name)" -ForegroundColor Red
    }
}
if ($exploitAttempts -eq 0) {
    Write-Host "  No ToolPane.aspx access found in recent logs" -ForegroundColor Green
}

# Check for recent SharePoint errors
$recentErrors = Get-EventLog -LogName Application -Source "SharePoint*" -EntryType Error -After (Get-Date).AddDays(-7) |
    Where-Object { $_.Message -match "ToolPane|spinstall|deserialization" }
if ($recentErrors) {
    Write-Host "`nSharePoint errors potentially related to exploitation:" -ForegroundColor Red
    $recentErrors | Select-Object TimeGenerated, Message -First 5
}
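The quick script above only reports whether a log file mentions ToolPane.aspx at all. The following added example (not part of the original guide) parses W3C IIS logs into objects and builds a per-client timeline of requests to ToolPane.aspx and spinstall*.aspx, so the analyst can see who hit the endpoint, when, with which method and status. The sample log is constructed; the attacker IPs are the ones listed in the IoC section, and the default W3C field set is assumed.

```powershell
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; IIS may emit a new header mid-file when logging settings change
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed or truncated rows
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Find-ToolShellRequests {
    param(
        [string[]]$Lines,
        [string[]]$KnownAttackerIPs = @('107.191.58.76', '104.238.159.149')   # from the IoC list
    )
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'cs-uri-stem' -match 'ToolPane\.aspx|spinstall\d*\.aspx' } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = [datetime]"$($_.date) $($_.time)"
                ClientIP = $_.'c-ip'
                Method   = $_.'cs-method'
                Uri      = $_.'cs-uri-stem'
                Status   = [int]$_.'sc-status'
                KnownIoC = $KnownAttackerIPs -contains $_.'c-ip'
            }
        } | Sort-Object Time
}

# Constructed sample log: one legitimate request, then the POST-to-ToolPane / GET-spinstall
# sequence described in the Attack Methodology section, from the two listed attacker IPs
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:12:03 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-19 08:14:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 640
2025-07-19 08:14:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 31
2025-07-19 09:02:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 104.238.159.149 curl/8.0 - 200 0 0 28
'@ -split "`r?`n"

$hits = Find-ToolShellRequests -Lines $sampleLog
$hits | Format-Table Time, ClientIP, Method, Uri, Status, KnownIoC -AutoSize

# Per-client summary: who touched the endpoint and how often
$hits | Group-Object ClientIP | Select-Object Name, Count | Format-Table -AutoSize

# On a real server, feed the collected logs instead of the sample:
# $lines = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*' -Filter *.log -Recurse | Get-Content
# Find-ToolShellRequests -Lines $lines
```

A POST to ToolPane.aspx with status 200 from an unauthenticated client, followed within seconds by a GET of a spinstall file from the same IP, is the pattern worth escalating; a 404 on spinstall from many IPs usually indicates scanning rather than a successful deployment.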

Advanced Detection Commands

# Deep scan for all ASPX files modified recently
$modifiedASPX = Get-ChildItem -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions" -Filter "*.aspx" -Recurse |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-90) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime, CreationTime
$modifiedASPX | Format-Table -AutoSize

# Check for persistence mechanisms (the Date property is a string, so cast before comparing)
Get-ScheduledTask | Where-Object {
    $_.TaskName -match "update|windows|system|microsoft" -and
    $_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-90)
} | Format-Table TaskName, State, Date -AutoSize

# Check for new local users
Get-LocalUser | Where-Object { $_.PrincipalSource -eq "Local" -and $_.Enabled -eq $true } |
    Format-Table Name, Enabled, PasswordLastSet -AutoSize

# Network connections analysis: established sessions to anything outside RFC 1918 and loopback ranges
Get-NetTCPConnection | Where-Object {
    $_.State -eq 'Established' -and
    $_.RemoteAddress -notmatch '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)'
} | Format-Table LocalPort, RemoteAddress, RemotePort, @{N='Process';E={(Get-Process -Id $_.OwningProcess).Name}} -AutoSize

3. Forensic Analysis

Evidence Collection Script

# Load the SharePoint cmdlets used below (no-op if already loaded)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Create incident response directory
$incidentDate = Get-Date -Format 'yyyyMMdd_HHmmss'
$evidencePath = "C:\INCIDENT_CVE_2025_53770_$incidentDate"
New-Item -ItemType Directory -Path $evidencePath -Force
New-Item -ItemType Directory -Path "$evidencePath\Logs" -Force
New-Item -ItemType Directory -Path "$evidencePath\Logs\SharePoint" -Force
New-Item -ItemType Directory -Path "$evidencePath\Malware" -Force
New-Item -ItemType Directory -Path "$evidencePath\Configs" -Force
New-Item -ItemType Directory -Path "$evidencePath\Memory" -Force
Write-Host "Evidence collection started. Path: $evidencePath" -ForegroundColor Green

# Collect suspicious files
$suspiciousPatterns = @("*spinstall*", "*shell*", "*cmd*", "*backdoor*")
foreach ($pattern in $suspiciousPatterns) {
    $files = Get-ChildItem -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions" -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $destPath = "$evidencePath\Malware\$($file.Name)_$(Get-Random)"
        Copy-Item $file.FullName $destPath -Force
        # Calculate hashes
        $hashes = @{
            MD5      = (Get-FileHash $file.FullName -Algorithm MD5).Hash
            SHA256   = (Get-FileHash $file.FullName -Algorithm SHA256).Hash
            FilePath = $file.FullName
            CopiedTo = $destPath
        }
        $hashes | ConvertTo-Json | Out-File "$destPath.hashes.json"
    }
}

# Collect IIS logs
$iisLogs = Get-ChildItem "C:\inetpub\logs\LogFiles" -Filter "*.log" -Recurse |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
Copy-Item $iisLogs.FullName -Destination "$evidencePath\Logs" -Force

# Collect SharePoint ULS logs
$spLogs = Get-ChildItem "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\LOGS" -Filter "*.log" |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
Copy-Item $spLogs.FullName -Destination "$evidencePath\Logs\SharePoint" -Force

# Export current configuration
Get-SPWebApplication | ForEach-Object {
    $wa = $_
    $configFile = "$evidencePath\Configs\WebApp_$($wa.Name -replace '[^\w]','_').xml"
    $wa | Export-Clixml -Path $configFile
}

# Collect web.config files (Default zone of each web application)
Get-SPWebApplication | ForEach-Object {
    $_.Sites | ForEach-Object {
        $site = $_
        $webConfig = Join-Path $site.WebApplication.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].Path "web.config"
        if (Test-Path $webConfig) {
            $destName = "web.config_$($site.Url -replace '[^\w]','_')"
            Copy-Item $webConfig "$evidencePath\Configs\$destName" -Force
        }
        $site.Dispose()
    }
}

# Document running processes
Get-Process | Export-Csv "$evidencePath\processes.csv" -NoTypeInformation
Get-CimInstance Win32_Process |
    Select-Object Name, ProcessId, ParentProcessId, CommandLine, CreationDate |
    Export-Csv "$evidencePath\processes_detailed.csv" -NoTypeInformation

# Network connections
netstat -anob > "$evidencePath\netstat.txt"
Get-NetTCPConnection | Export-Csv "$evidencePath\tcp_connections.csv" -NoTypeInformation

# Services
Get-Service | Export-Csv "$evidencePath\services.csv" -NoTypeInformation

# Scheduled tasks
Get-ScheduledTask | Export-Csv "$evidencePath\scheduled_tasks.csv" -NoTypeInformation

Write-Host "`nEvidence collection completed!" -ForegroundColor Green

Backdoor Analysis

# Analyze backdoor capabilities
function Analyze-Backdoor {
    param($FilePath)
    Write-Host "`nAnalyzing file: $FilePath" -ForegroundColor Yellow
    $content = Get-Content $FilePath -Raw
    $dangerousPatterns = @{
        "Command Execution"  = "System.Diagnostics.Process|cmd.exe|powershell.exe"
        "File Operations"    = "System.IO.File|FileStream|Directory\."
        "Network Operations" = "WebClient|HttpWebRequest|Socket|TcpClient"
        "Encryption/Keys"    = "MachineKey|ValidationKey|DecryptionKey|Encrypt|Decrypt|AES|RSA"
        "Reflection/Evasion" = "Assembly.Load|Reflection|Invoke|DynamicMethod"
        "Data Exfiltration"  = "Upload|Download|Send|Post|Response.Write"
        "Persistence"        = "Registry|ScheduledTask|Service|StartUp"
    }
    $foundCapabilities = @()
    foreach ($pattern in $dangerousPatterns.GetEnumerator()) {
        if ($content -match $pattern.Value) {
            $foundCapabilities += $pattern.Key
            Write-Host "  [!] $($pattern.Key) capability detected" -ForegroundColor Red
        }
    }
    # Check for base64 encoded content (long runs of the base64 alphabet; expect false positives on ordinary identifiers)
    if ($content -match "[A-Za-z0-9+/]{20,}={0,2}") {
        Write-Host "  [!] Base64 encoded content detected" -ForegroundColor Red
    }
    # Extract strings for further analysis
    $strings = [regex]::Matches($content, '[a-zA-Z]{4,}') | Select-Object -ExpandProperty Value -Unique
    $suspiciousStrings = $strings | Where-Object { $_ -match "password|key|token|secret|credential" }
    if ($suspiciousStrings) {
        Write-Host "  [!] Suspicious strings found: $($suspiciousStrings -join ', ')" -ForegroundColor Red
    }
    return $foundCapabilities
}

4. Containment Steps

Immediate Containment

# 1. Isolate the server
Write-Host "=== EMERGENCY CONTAINMENT ===" -ForegroundColor Red

# Block external access (adjust IP ranges for your network; these ranges leave only RFC 1918 space open)
New-NetFirewallRule -DisplayName "BLOCK External Access - CVE-2025-53770" `
    -Direction Inbound -Action Block `
    -RemoteAddress @("0.0.0.0-9.255.255.255", "11.0.0.0-172.15.255.255", "172.32.0.0-192.167.255.255", "192.169.0.0-255.255.255.255") `
    -Protocol Any -Enabled True

# Block known attacker IPs
$knownAttackerIPs = @("107.191.58.76", "104.238.159.149")
foreach ($ip in $knownAttackerIPs) {
    New-NetFirewallRule -DisplayName "BLOCK Attacker IP $ip" `
        -Direction Inbound -Action Block -RemoteAddress $ip -Protocol Any -Enabled True
    New-NetFirewallRule -DisplayName "BLOCK Attacker IP $ip Outbound" `
        -Direction Outbound -Action Block -RemoteAddress $ip -Protocol Any -Enabled True
}

# 2. Disable vulnerable endpoints in IIS
Import-Module WebAdministration

# Block access to ToolPane.aspx via request filtering
# (this also breaks legitimate web part editing; remove the rule once the server is patched and clean)
$sites = Get-Website | Where-Object { $_.Name -like "*SharePoint*" }
foreach ($site in $sites) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter "system.webServer/security/requestFiltering/denyUrlSequences" `
        -Name "." -Value @{sequence="ToolPane.aspx"}
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter "system.webServer/security/requestFiltering/denyUrlSequences" `
        -Name "." -Value @{sequence="spinstall"}
    Write-Host "Blocked vulnerable endpoints on: $($site.Name)" -ForegroundColor Yellow
}

# 3. Stop SharePoint services temporarily
Stop-Service SPTimerV4 -Force
Stop-Service SPAdminV4 -Force
Write-Host "SharePoint services stopped for containment" -ForegroundColor Yellow

Advanced Containment

# Disable external access to SharePoint sites ($evidencePath comes from the evidence collection script)
$spWebApps = Get-SPWebApplication
foreach ($webapp in $spWebApps) {
    # Document current settings
    $webapp | Select-Object Url, @{N='IISSettings';E={$_.IisSettings}} |
        Export-Clixml "$evidencePath\webapp_settings_$(($webapp.Url -replace '[^\w]','_')).xml"
    Write-Host "Documented settings for: $($webapp.Url)" -ForegroundColor Green
}

# Kill suspicious processes spawned by the IIS worker process (w3wp)
# Windows PowerShell 5.1 process objects have no Parent property, so parents are resolved through CIM
$w3wpIds = (Get-Process -Name w3wp -ErrorAction SilentlyContinue).Id
$suspiciousProcesses = Get-CimInstance Win32_Process | Where-Object {
    $_.Name -match "^(cmd|powershell|cscript|wscript)\.exe$" -and $w3wpIds -contains $_.ParentProcessId
}
foreach ($proc in $suspiciousProcesses) {
    Write-Host "Terminating suspicious process: $($proc.Name) (PID: $($proc.ProcessId))" -ForegroundColor Red
    Stop-Process -Id $proc.ProcessId -Force
}

5. Eradication Process

Remove Backdoors

# Comprehensive backdoor removal ($evidencePath comes from the evidence collection script)
Write-Host "=== BACKDOOR ERADICATION ===" -ForegroundColor Red

# Find all spinstall files
$backdoorFiles = Get-ChildItem -Path "C:\" -Filter "*spinstall*.aspx" -Recurse -File -ErrorAction SilentlyContinue
foreach ($file in $backdoorFiles) {
    Write-Host "Found backdoor: $($file.FullName)" -ForegroundColor Red
    # Backup for forensics
    $backupPath = "$evidencePath\Malware\$($file.Name)_$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item $file.FullName $backupPath -Force
    # Remove file
    Remove-Item $file.FullName -Force
    Write-Host "  Removed!" -ForegroundColor Green
}

# Find other suspicious ASPX files
$suspiciousASPX = Get-ChildItem -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions" `
    -Filter "*.aspx" -Recurse -File |
    Where-Object {
        $_.Length -lt 1KB -or
        $_.Length -eq 666 -or
        (Get-Content $_.FullName -Raw) -match "eval|System.Diagnostics.Process|cmd.exe"
    }
foreach ($file in $suspiciousASPX) {
    Write-Host "Suspicious file found: $($file.FullName) (Size: $($file.Length))" -ForegroundColor Yellow
    # Manual review required
}

Clean Persistence Mechanisms

# Check and clean scheduled tasks
$maliciousTasks = Get-ScheduledTask | Where-Object {
    ($_.TaskName -match "update|windows|system" -and $_.Author -ne "Microsoft Corporation") -or
    $_.Actions.Execute -match "powershell|cmd|cscript|wscript|mshta"
}
foreach ($task in $maliciousTasks) {
    Write-Host "Suspicious scheduled task: $($task.TaskName)" -ForegroundColor Red
    # Review before removing:
    # Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
}

# Check registry run keys
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $values.PSObject.Properties | Where-Object { $_.Name -notmatch "^PS" } | ForEach-Object {
        if ($_.Value -match "powershell|cmd|cscript|wscript") {
            Write-Host "Suspicious registry entry: $($_.Name) = $($_.Value)" -ForegroundColor Red
        }
    }
}

Reset Machine Keys

# CRITICAL: Generate new machine keys for all web applications
Write-Host "`n=== RESETTING MACHINE KEYS ===" -ForegroundColor Red

function New-MachineKey {
    param(
        [int]$validationKeyLength = 128,   # hex characters (64 bytes)
        [int]$decryptionKeyLength = 64     # hex characters (32 bytes, AES-256)
    )
    function Get-RandomHexString {
        param([int]$length)
        $bytes = New-Object byte[] ($length / 2)
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $rng.GetBytes($bytes)
        $rng.Dispose()
        return [BitConverter]::ToString($bytes).Replace('-', '')
    }
    @{
        ValidationKey = Get-RandomHexString -length $validationKeyLength
        DecryptionKey = Get-RandomHexString -length $decryptionKeyLength
    }
}

# Generate new keys per web application (all site collections of a web application share one web.config)
foreach ($webApp in Get-SPWebApplication) {
    $iisPath = $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].Path
    $webConfigPath = Join-Path $iisPath "web.config"
    if (Test-Path $webConfigPath) {
        Write-Host "Generating new keys for: $($webApp.Url)" -ForegroundColor Yellow
        $newKeys = New-MachineKey
        # The <machineKey> element was stripped from the page during extraction; reconstructed here with
        # HMACSHA256 validation and AES decryption, which match the key lengths generated above (assumption)
        $machineKeyXml = @"
<machineKey validationKey="$($newKeys.ValidationKey)" decryptionKey="$($newKeys.DecryptionKey)" validation="HMACSHA256" decryption="AES" />
"@
        Write-Host "  New keys generated. Update web.config manually!" -ForegroundColor Cyan
        $machineKeyXml | Out-File "$evidencePath\Configs\new_machinekey_$($webApp.Url -replace '[^\w]','_').txt"
    }
}
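The script above writes the new element to a text file and leaves the web.config edit to the operator. The following added example (not part of the original guide) performs that edit safely: it validates the key material, backs up the original web.config into the evidence folder, then replaces or creates the machineKey element under system.web. It assumes the guide's New-MachineKey function and $evidencePath variable are already defined in the session; the HMACSHA256/AES algorithm choice is an assumption that matches the generated key lengths.

```powershell
function Set-WebConfigMachineKey {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [Parameter(Mandatory)][hashtable]$Keys,            # ValidationKey / DecryptionKey as hex strings
        [string]$BackupDirectory = "$evidencePath\Configs"  # assumes $evidencePath from the evidence script
    )
    # Refuse to write anything that does not look like the key material New-MachineKey produces
    if ($Keys.ValidationKey -notmatch '^[0-9A-F]{128}$' -or $Keys.DecryptionKey -notmatch '^[0-9A-F]{64}$') {
        throw "Unexpected key format; web.config left untouched"
    }

    # Preserve the original config as evidence and as a rollback point
    New-Item -ItemType Directory -Path $BackupDirectory -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
    $backup = Join-Path $BackupDirectory ("web.config_{0}_{1}.bak" -f ($WebConfigPath -replace '[^\w]', '_'), $stamp)
    Copy-Item $WebConfigPath $backup -Force

    [xml]$config = Get-Content $WebConfigPath -Raw
    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) {
        $systemWeb = $config.DocumentElement.AppendChild($config.CreateElement('system.web'))
    }
    $machineKey = $systemWeb.SelectSingleNode('machineKey')
    if (-not $machineKey) {
        $machineKey = $systemWeb.AppendChild($config.CreateElement('machineKey'))
    }
    # Overwrite the compromised keys in place (algorithms are an assumption matching the key lengths)
    $machineKey.SetAttribute('validationKey', $Keys.ValidationKey)
    $machineKey.SetAttribute('decryptionKey', $Keys.DecryptionKey)
    $machineKey.SetAttribute('validation', 'HMACSHA256')
    $machineKey.SetAttribute('decryption', 'AES')
    $config.Save($WebConfigPath)
    return $backup
}

# Rotate the Default-zone web.config of every web application. Generate each key set once and
# apply the identical keys on every web front end of the farm, then restart IIS.
foreach ($webApp in Get-SPWebApplication) {
    $webConfigPath = Join-Path $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].Path 'web.config'
    $keys   = New-MachineKey
    $backup = Set-WebConfigMachineKey -WebConfigPath $webConfigPath -Keys $keys
    Write-Host "$($webApp.Url): machineKey rotated, previous web.config saved to $backup"
}
iisreset
```

Builds that ship the Update-SPMachineKey cmdlet can rotate keys through SharePoint itself; whichever method is used, the keys must be identical on all front ends or authentication cookies and ViewState will fail across servers.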

6. Recovery Procedures

Apply Security Updates

# Check current patch level
$spProduct = Get-SPProduct -Local
$currentVersion = (Get-SPFarm).BuildVersion
Write-Host "Current SharePoint version: $currentVersion" -ForegroundColor Cyan

# Download and install the security update
# July 2025 Security Update URLs:
#   SharePoint 2019: https://www.microsoft.com/en-us/download/details.aspx?id=106041
#   SharePoint 2016: https://www.microsoft.com/en-us/download/details.aspx?id=105984
Write-Host @"
`nDOWNLOAD AND INSTALL THE APPROPRIATE SECURITY UPDATE:
- SharePoint 2019: KB5002604
- SharePoint 2016: KB5002603
- SharePoint Subscription Edition: Latest CU

After installation, run:
PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -cmd secureresources
"@ -ForegroundColor Yellow

Clean Missing Features

# Remove orphaned features that may cause issues
Write-Host "`n=== CLEANING ORPHANED FEATURES ===" -ForegroundColor Yellow
$totalRemoved = 0
Get-SPContentDatabase | ForEach-Object {
    $db = $_
    Write-Host "Processing database: $($db.Name)" -ForegroundColor Cyan
    $removed = 0
    $db.Sites | ForEach-Object {
        $site = $_
        # Materialise the orphan list with @() before removing, so the collection is not modified while enumerated
        @($site.Features | Where-Object { -not (Get-SPFeature -Identity $_.DefinitionId -ErrorAction SilentlyContinue) }) | ForEach-Object {
            try { $site.Features.Remove($_.DefinitionId, $true); $removed++ } catch {}
        }
        $site.AllWebs | ForEach-Object {
            $web = $_
            @($web.Features | Where-Object { -not (Get-SPFeature -Identity $_.DefinitionId -ErrorAction SilentlyContinue) }) | ForEach-Object {
                try { $web.Features.Remove($_.DefinitionId, $true); $removed++ } catch {}
            }
            $web.Dispose()
        }
        $site.Dispose()
    }
    Write-Host "  Removed $removed orphaned features" -ForegroundColor Green
    $totalRemoved += $removed
}
Write-Host "`nTotal orphaned features removed: $totalRemoved" -ForegroundColor Green

Restore Services

# Restart SharePoint services
Write-Host "`n=== RESTARTING SERVICES ===" -ForegroundColor Green

# Start services in correct order
Start-Service SPTimerV4
Start-Service SPAdminV4
Start-Service SPSearchHostController -ErrorAction SilentlyContinue
Start-Service OSearch16 -ErrorAction SilentlyContinue
Start-Service SPWriterV4

# Reset IIS
iisreset /restart /timeout:120

# Verify all services are running
Get-Service SP* | Format-Table Name, Status, StartType -AutoSize

# Test SharePoint sites (Windows auth: send the current credentials, otherwise every site returns 401)
Get-SPSite -Limit All | ForEach-Object {
    $site = $_
    try {
        $web = Invoke-WebRequest -Uri $site.Url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 10
        Write-Host "$($site.Url) - Status: $($web.StatusCode) OK" -ForegroundColor Green
    } catch {
        Write-Host "$($site.Url) - ERROR: $_" -ForegroundColor Red
    }
    $site.Dispose()
}

7. Post-Incident Activities

Monitoring Script

# Create ongoing monitoring script
$monitorScript = @'
# SharePoint Security Monitor for CVE-2025-53770
param()
$logPath = "C:\SharePointMonitor"
$logFile = Join-Path $logPath "security_monitor_$(Get-Date -Format 'yyyyMMdd').log"
if (-not (Test-Path $logPath)) { New-Item -ItemType Directory -Path $logPath -Force }

function Write-SecLog {
    param($Message, $Level = "INFO")
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "$timestamp [$Level] $Message" | Out-File $logFile -Append
}

Write-SecLog "Security monitor started"

# Check for new ASPX files
$layoutsPath = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
$newFiles = Get-ChildItem $layoutsPath -Filter "*.aspx" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-1) }
if ($newFiles) {
    $message = "ALERT: New ASPX files detected: $($newFiles.FullName -join '; ')"
    Write-SecLog $message "CRITICAL"
    # Send alert (configure email settings)
    # Send-MailMessage -To "security@company.com" -Subject "SharePoint Security Alert" -Body $message
}

# Check for ToolPane.aspx access
$iisLogs = Get-ChildItem "C:\inetpub\logs\LogFiles\W3SVC*" -Filter "*.log" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5
foreach ($log in $iisLogs) {
    $toolPaneAccess = Select-String -Path $log.FullName -Pattern "ToolPane.aspx" -Quiet
    if ($toolPaneAccess) {
        Write-SecLog "ToolPane.aspx access attempt detected in $($log.Name)" "CRITICAL"
    }
}

# Check for suspicious processes spawned by the IIS worker process
# (Get-Process objects have no Parent property in Windows PowerShell 5.1, so parents are resolved through CIM)
$w3wpIds = (Get-Process -Name w3wp -ErrorAction SilentlyContinue).Id
$suspiciousProcs = Get-CimInstance Win32_Process | Where-Object {
    $_.Name -match "^(cmd|powershell|cscript)\.exe$" -and $w3wpIds -contains $_.ParentProcessId
}
if ($suspiciousProcs) {
    Write-SecLog "Suspicious processes detected: $($suspiciousProcs.Name -join ', ')" "WARNING"
}

# Check for external connections
$externalConns = Get-NetTCPConnection | Where-Object {
    $_.State -eq 'Established' -and
    $_.RemoteAddress -notmatch '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)'
}
if ($externalConns) {
    $uniqueIPs = $externalConns.RemoteAddress | Select-Object -Unique
    Write-SecLog "External connections detected to: $($uniqueIPs -join ', ')" "WARNING"
}

Write-SecLog "Security monitor completed"
'@

# Save monitoring script (create the folder first; Out-File does not create directories)
if (-not (Test-Path "C:\SharePointMonitor")) { New-Item -ItemType Directory -Path "C:\SharePointMonitor" -Force | Out-Null }
$monitorScript | Out-File "C:\SharePointMonitor\SecurityMonitor.ps1" -Force

# Create scheduled task for monitoring (runs hourly as SYSTEM)
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-ExecutionPolicy Bypass -File C:\SharePointMonitor\SecurityMonitor.ps1"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "SharePointSecurityMonitor" `
    -Action $action -Trigger $trigger -Principal $principal `
    -Description "Monitors SharePoint for CVE-2025-53770 exploitation attempts"
Write-Host "Monitoring scheduled task created successfully" -ForegroundColor Green

Security Hardening

# Additional security measures
Write-Host "`n=== APPLYING SECURITY HARDENING ===" -ForegroundColor Green

# 1. Enable AMSI for SharePoint (when available)
# Note: Requires latest Cumulative Update

# 2. Restrict file uploads
Get-SPWebApplication | ForEach-Object {
    $_.MaximumFileSize = 50   # MB; this is a property of the web application (Set-SPWebApplication has no such parameter)
    $_.BlockedFileExtensions.Add("aspx")
    $_.Update()
}

# 3. Enable detailed logging (Verbose ULS logging grows quickly; lower it again once the investigation is closed)
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Verbose

# 4. Implement IP restrictions (adjust for your environment)
$allowedIPs = @("192.168.1.0/24", "10.0.0.0/8")   # Example
foreach ($webapp in Get-SPWebApplication) {
    # This requires manual IIS configuration
    Write-Host "Configure IP restrictions for: $($webapp.Url)" -ForegroundColor Yellow
}

# 5. Reset all service account passwords
Write-Host "`nRESET ALL SERVICE ACCOUNT PASSWORDS IMMEDIATELY!" -ForegroundColor Red
Get-SPManagedAccount | Select-Object Username | Format-Table -AutoSize
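Step 4 above leaves the IP restriction as a manual IIS task. The following added example (not part of the original guide) applies the $allowedIPs list as an IIS IP-and-domain restriction on each SharePoint site from PowerShell. It assumes the IIS "IP and Domain Restrictions" feature (Web-IP-Security) is installed, that the SharePoint sites in IIS are named "SharePoint - *", and that $allowedIPs is defined as in the hardening script.

```powershell
Import-Module WebAdministration

function ConvertTo-IpSecurityEntry {
    param([string]$Cidr)
    # The ipSecurity collection takes a network address plus a dotted subnet mask, not CIDR notation
    $address, $prefix = $Cidr -split '/'
    $prefix = if ($prefix) { [int]$prefix } else { 32 }
    $mask = if ($prefix -eq 0) { [int64]0 } else { ([int64]0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF }
    $octets = 0..3 | ForEach-Object { ($mask -shr (24 - 8 * $_)) -band 255 }
    return @{ ipAddress = $address; subnetMask = ($octets -join '.'); allowed = $true }
}

function Set-SharePointIpRestrictions {
    param(
        [Parameter(Mandatory)][string[]]$AllowedCidrs,
        [string]$SiteFilter = 'SharePoint - *'   # assumed IIS site naming
    )
    $filter = 'system.webServer/security/ipSecurity'
    foreach ($site in Get-Website | Where-Object { $_.Name -like $SiteFilter }) {
        # Write into applicationHost.config under a <location> for the site; this works even while the
        # ipSecurity section is locked at server level, which is the IIS default
        $target = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site.Name; Filter = $filter }
        # Start from a clean site-level section, then deny everything that is not explicitly allowed
        Clear-WebConfiguration @target -ErrorAction SilentlyContinue
        Set-WebConfigurationProperty @target -Name allowUnlisted -Value $false
        foreach ($cidr in $AllowedCidrs) {
            Add-WebConfigurationProperty @target -Name '.' -Value (ConvertTo-IpSecurityEntry $cidr)
        }
        Write-Host "IP restrictions applied to '$($site.Name)': allow $($AllowedCidrs -join ', ')"
    }
}

# Apply the example ranges from the hardening step
Set-SharePointIpRestrictions -AllowedCidrs $allowedIPs
```

Include the subnet you administer from before running this, because allowUnlisted=false denies every other source, and confirm afterwards that a request from outside the list receives HTTP 403.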

Final Report Generation

# Generate comprehensive incident report ($evidencePath comes from the evidence collection script)
$report = @"
SHAREPOINT CVE-2025-53770 INCIDENT REPORT
=========================================
Generated: $(Get-Date)
Server: $env:COMPUTERNAME

EXECUTIVE SUMMARY
-----------------
A critical vulnerability (CVE-2025-53770) in SharePoint Server was exploited to gain unauthorized access to the system.
The attack resulted in the deployment of web shell backdoors and the theft of cryptographic keys.

TIMELINE
--------
- Vulnerability Published: July 2025
- Exploitation Detected: [Fill in detection date]
- Containment Started: [Fill in containment date]
- Eradication Completed: [Fill in completion date]
- Recovery Finished: [Fill in recovery date]

IMPACT ASSESSMENT
-----------------
- Backdoor files deployed: spinstall0.aspx
- Machine keys compromised: All SharePoint web applications
- Data potentially accessed: [Requires further investigation]
- Service downtime: [Calculate based on timestamps]

INDICATORS OF COMPROMISE
------------------------
- Malicious Files: spinstall0.aspx (666 bytes)
- Attacker IPs: 107.191.58.76, 104.238.159.149
- Exploitation Path: /_layouts/15/ToolPane.aspx

ACTIONS TAKEN
-------------
1. Isolated affected systems
2. Removed backdoor files
3. Reset all cryptographic keys
4. Applied security updates
5. Implemented monitoring
6. Hardened configuration

RECOMMENDATIONS
---------------
1. Immediate:
   - Reset all administrative passwords
   - Review all user permissions
   - Monitor for suspicious activity
2. Short-term (1-7 days):
   - Implement network segmentation
   - Deploy EDR solution
   - Review and update incident response procedures
3. Long-term (1-3 months):
   - Conduct security audit
   - Implement least privilege access
   - Regular vulnerability assessments

LESSONS LEARNED
---------------
- Critical patches must be applied immediately
- Need for better monitoring of SharePoint environments
- Importance of network segmentation
- Regular security assessments required

EVIDENCE LOCATION
-----------------
All evidence collected at: $evidencePath
"@
$report | Out-File "$evidencePath\FINAL_INCIDENT_REPORT.txt"
Write-Host "`nIncident report generated at: $evidencePath\FINAL_INCIDENT_REPORT.txt" -ForegroundColor Green

Conclusion

This guide provides a comprehensive approach to detecting, analyzing, and remediating SharePoint compromises through CVE-2025-53770. The key takeaways are:

  1. Act Quickly: This vulnerability allows complete system compromise
  2. Preserve Evidence: Proper forensics are crucial for understanding the breach
  3. Reset Everything: Assume all credentials and keys are compromised
  4. Monitor Continuously: Attackers may have established multiple persistence mechanisms
  5. Patch Immediately: Apply security updates as soon as possible

For additional support, contact Microsoft Security Response Center or engage a specialized incident response team.

Remember: The theft of machine keys means attackers can maintain access even after patching. Complete key rotation and password resets are mandatory.
