DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on‑premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public‑facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post‑exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi‑actor abuse of new SharePoint bugs (CVE‑2025‑53770, CVE‑2025‑53771) related to earlier July CVEs (CVE‑2025‑49704, CVE‑2025‑49706), and stresses that only on‑prem servers are affected—not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE‑2025‑53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

For DFIR, the ToolShell wave matters because adversaries often steal SharePoint MachineKey material (ValidationKey/DecryptionKey), enabling durable authentication forgery and viewstate abuse even after basic cleanup (Microsoft Security TI, Cloudflare analysis). Talos also observed Storm‑2603 leveraging the open‑source DFIR tool Velociraptor for persistence during ransomware operations, and notes a related Velociraptor privilege‑escalation CVE‑2025‑6264 relevant to responders who find the tool in victim environments (Talos IR Q3 2025, NVD CVE‑2025‑6264).


ToolShell attack chain: what to expect on disk and in logs

Observed sequence on compromised on‑prem SharePoint:

  • Initial access: unauthenticated HTTP POST to the ToolPane endpoint (/_layouts/15/ToolPane.aspx or 16, depending on version) exploiting CVE‑2025‑53770/53771 related to earlier July fixes (Microsoft Security TI).
  • Dropper/web shell: attackers upload an ASP.NET payload typically named spinstall0.aspx (variants: spinstall.aspx, spinstall1.aspx, etc.) under the SharePoint LAYOUTS directory to extract MachineKey material (Microsoft Security TI).
  • Post‑exploitation: w3wp.exe spawning cmd.exe and PowerShell (often with base64 encoded commands), lateral movement, credential access, and in some incidents Warlock/LockBit/Babuk deployment. Talos ties one case to Storm‑2603 and notes Velociraptor abuse for persistence (Talos IR Q3 2025).

Key affected versions and scope:

  • SharePoint Server 2016/2019/Subscription Edition; SharePoint Online is not affected (MSRC guidance).

Artefact locations and what to collect

Prioritize these sources on each SharePoint/WFE and related database servers:

  • IIS HTTP logs (default): %SystemDrive%\inetpub\logs\LogFiles — look for POSTs to /_layouts/15/ToolPane.aspx or /_layouts/16/ToolPane.aspx, unusual user‑agents, and spikes in 200/500 around first‑seen times (Microsoft Learn – IIS logging, Microsoft Security TI).
  • SharePoint ULS logs: %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\LOGS (or 15\LOGS on older farms). Use Merge‑SPLogFile for time‑bound aggregation (Microsoft Learn – SP2019 upgrade logs/ULS path, Microsoft Learn – ULS path references).
  • LAYOUTS web content directories where payloads were observed: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\ (and 15\TEMPLATE\LAYOUTS\ on some builds). Hunt for spinstall*.aspx and other recent .aspx with anomalous size/timestamps (MSRC hunting query showing these paths).
  • Windows Event Logs: Application, System, and the “Microsoft‑SharePoint Products/Operational” channels for app pool resets, timer job activity, and unusual authentication messages (Microsoft Learn – SP logging references).
  • Process execution and persistence: EDR telemetry for w3wp.exe spawning cmd.exe/powershell.exe -EncodedCommand, creation of Scheduled Tasks, unexpected IIS module/assembly loads, and signs of Velociraptor service/binaries if present (Microsoft Security TI, NVD CVE‑2025‑6264).

Quick hunts and detections

Microsoft 365 Defender (KQL) – from MSRC guidance

Look for spinstall0 creation under LAYOUTS folders (MSRC):

DeviceFileEvents
| where FolderPath has_any (@"microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
                              @"microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS")
| where FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, SHA256
| order by Timestamp desc

Identify suspicious PowerShell spawned by w3wp with base64 payloads (MSRC):

DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all ("cmd.exe", "powershell")
| where ProcessCommandLine has_any ("EncodedCommand", "-ec")

Microsoft Defender detection names to watch in telemetry: Exploit:Script/SuspSignoutReq.A, Exploit:Script/SuspSignoutReqBody.A, Trojan:Win32/HijackSharePointServer.A, Trojan:PowerShell/MachineKeyFinder.DA!amsi (MSRC).

Splunk (IIS W3C logs)

Detect ToolPane exploitation attempts:

index=iis (sourcetype="ms:iis:auto" OR sourcetype="iis")
| search cs_method=POST cs_uri_stem="/_layouts/*/ToolPane.aspx"
| stats count by _time, cs_uri_stem, cs_Referer, c_ip, cs_User_Agent, sc_status, sc_bytes
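Where IIS logs on an affected WFE have not yet reached the SIEM, the same ToolPane POST check can be run directly over the raw W3C files. The following Python script is an added example, not part of the Talos or MSRC material: it maps columns from the #Fields header, flags POSTs to /_layouts/15|16/ToolPane.aspx, and (as an assumption, since a payload dropped under LAYOUTS is served from that same URL prefix) any request for a spinstall*.aspx page, then groups hits by source IP with first/last seen to answer the scoping question. The log excerpt is constructed; the IPs, user-agents and timestamps are not real telemetry.

```python
"""Hunt IIS W3C logs for ToolShell touchpoints. Added example, not code from the page or its sources."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample excerpt in the default IIS W3C layout (not real telemetry).
# IIS writes W3C timestamps in UTC unless reconfigured, so the parser keeps them in UTC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 06:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 06:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-19 06:02:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 310
2025-07-19 06:02:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 45
2025-07-19 06:05:03 10.0.0.5 POST /_layouts/16/toolpane.aspx - 443 - 198.51.100.9 curl/8.0 - 500 0 0 88
2025-07-19 06:10:00 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\asmith 10.0.1.31 Mozilla/5.0 - 200 0 0 95
"""

# Case-insensitive: IIS serves /_layouts/15/ToolPane.aspx and /_layouts/15/toolpane.aspx alike.
TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
# Assumption: an implant dropped under LAYOUTS is reachable under the same /_layouts/<hive>/ prefix.
SPINSTALL_RE = re.compile(r"^/_layouts/1[56]/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # header can change mid-file after an IIS restart
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue   # truncated/malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_toolshell(text):
    """Return a list of flagged requests in log order, each tagged with why it was flagged."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if rec.get("cs-method", "").upper() == "POST" and TOOLPANE_RE.match(stem):
            kind = "toolpane_post"
        elif SPINSTALL_RE.match(stem):
            kind = "spinstall_request"
        else:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        findings.append({
            "kind": kind,
            "ts": ts.replace(tzinfo=timezone.utc),
            "src": rec.get("c-ip"),
            "stem": stem,
            "status": rec.get("sc-status"),
            "ua": rec.get("cs(User-Agent)"),
            "referer": rec.get("cs(Referer)"),
        })
    return findings


def summarize(findings):
    """Group findings by source IP: count, first/last seen and the kinds of activity observed."""
    by_src = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "kinds": set()})
    for f in findings:
        s = by_src[f["src"]]
        s["count"] += 1
        s["kinds"].add(f["kind"])
        if s["first_seen"] is None or f["ts"] < s["first_seen"]:
            s["first_seen"] = f["ts"]
        if s["last_seen"] is None or f["ts"] > s["last_seen"]:
            s["last_seen"] = f["ts"]
    return dict(by_src)


if __name__ == "__main__":
    hits = hunt_toolshell(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']:%Y-%m-%d %H:%M:%S}Z {h['kind']:18} {h['src']:15} {h['status']} {h['stem']} ua={h['ua']}")
    for src, s in summarize(hits).items():
        print(f"{src}: {s['count']} hits, first {s['first_seen']:%H:%M:%S}Z, last {s['last_seen']:%H:%M:%S}Z, {sorted(s['kinds'])}")
```

To run it against real files, replace SAMPLE_LOG with the contents of each u_ex*.log under the IIS log directory; the earliest toolpane_post timestamp per host is the first-exploit time the ULS and EDR timelines should be anchored to.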

Post‑exploit file drop into LAYOUTS (if audited/file‑create telemetry is ingested):

index=edr (file_path="*\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall*.aspx" OR file_path="*\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS\\spinstall*.aspx")
| stats values(host) as hosts, min(_time) as first_seen, max(_time) as last_seen by file_path, sha256

Sigma (web server) — exploit touchpoint

title: SharePoint ToolShell ToolPane Exploitation Attempt
logsource:
  category: webserver
  product: iis
  definition: Detects POSTs to ToolPane endpoint often used in ToolShell chain
detection:
  sel:
    cs-method: POST
    cs-uri-stem|contains: "/_layouts/"
    cs-uri-stem|endswith: "/ToolPane.aspx"
  condition: sel
level: high
references:
  - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/

Local scoping PowerShell (triage)

List suspicious ASPX under LAYOUTS across hives (MSRC paths):

# MSRC-documented LAYOUTS paths. PowerShell double-quoted strings do not treat backslash
# as an escape, so the paths use single backslashes (doubled ones would not resolve).
$paths = @(
  "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
  "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)
# -ErrorAction SilentlyContinue skips whichever hive (15 or 16) is absent on this build
Get-ChildItem -Path $paths -Filter "spinstall*.aspx" -Recurse -ErrorAction SilentlyContinue |
  Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
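The PowerShell above finds the known file name only. As an added example that is not the page's or MSRC's code, the Python below generalizes it to the artefact-list heuristic (any recent .aspx under LAYOUTS, not just spinstall*): each hit records the reason it was flagged, plus size, UTC mtime and SHA-256 for the evidence log. The directory tree it creates is constructed so the script runs offline on any OS; the 45-day recency window is an assumed default and should be set from the farm's last legitimate patch date.

```python
"""Triage .aspx files under SharePoint LAYOUTS. Added example, not code from the page or MSRC."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# MSRC-documented LAYOUTS paths (from the page); skipped automatically when absent.
LAYOUTS_DIRS = [
    Path(r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"),
    Path(r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"),
]


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large implants do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_layouts(roots, recent_days=45, now=None):
    """Return .aspx files that carry the spinstall* name or were modified within recent_days.

    Reasons are kept separate so an examiner can distinguish the name-based IoC
    (strong) from the recency heuristic (weak: patches also rewrite LAYOUTS files).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=recent_days)   # assumed default window
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in root.rglob("*.aspx"):
            st = p.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            reasons = []
            if p.name.lower().startswith("spinstall"):
                reasons.append("spinstall_name")
            if mtime >= cutoff:
                reasons.append("recent_mtime")
            if reasons:
                hits.append({
                    "path": str(p),
                    "size": st.st_size,
                    "mtime": mtime.isoformat(),
                    "sha256": sha256_of(p),
                    "reasons": reasons,
                })
    return hits


def build_constructed_tree():
    """Create a throwaway LAYOUTS-like tree: one aged product-style file, one fresh spinstall0.aspx."""
    base = Path(tempfile.mkdtemp(prefix="layouts_demo_"))
    layouts = base / "16" / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True)
    old = layouts / "start.aspx"                      # stand-in for a shipped page
    old.write_text("constructed placeholder, not product content\n")
    two_years_ago = (datetime.now(timezone.utc) - timedelta(days=730)).timestamp()
    os.utime(old, (two_years_ago, two_years_ago))     # age it past the recency window
    (layouts / "spinstall0.aspx").write_text("constructed placeholder, not a real payload\n")
    return layouts


if __name__ == "__main__":
    roots = [d for d in LAYOUTS_DIRS if d.is_dir()] or [build_constructed_tree()]
    for hit in triage_layouts(roots):
        print(f"{hit['mtime']} {hit['size']:>8} {hit['sha256'][:16]}... {hit['path']} {hit['reasons']}")
```

Run it on the live WFE or against a mounted image with the LAYOUTS directories re-pointed; anything flagged only by recent_mtime should be checked against the farm's patch history before it is treated as an implant.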

Triage and response workflow (what to do in the first 24–72 hours)

  1. Immediate containment
  • Remove public exposure: place affected SharePoint servers behind an auth‑gated proxy/VPN or disconnect from the Internet if AMSI cannot be enabled yet (MSRC).
  • Segmentation: restrict WFE↔DB server communication to known ports; Talos stresses segmentation because actors abused the trusted SharePoint DB link to pivot and drop credential stealers internally (Talos IR Q3 2025).
  2. Patch and harden (in this order)
  • Apply the latest cumulative SharePoint updates that cover CVE‑2025‑53770/53771 and related July CVEs; supported versions only (Microsoft Security TI, MSRC).
  • Enable AMSI integration for SharePoint and Defender AV (Full Mode) to block unauthenticated exploit traffic (MSRC).
  • Rotate ASP.NET MachineKeys farm‑wide and restart IIS on all SharePoint servers; this is critical because actors may already have stolen keys (MSRC, Cloudflare).
  3. Compromise assessment and eradication
  • Hunt for spinstall*.aspx and any recent .aspx implants under LAYOUTS; remove and retain copies for analysis (Microsoft Security TI).
  • Review IIS/ULS timelines to establish first exploit time. IIS default logging path and ULS locations are listed above (Microsoft Learn – IIS logging, Microsoft Learn – ULS path).
  • Examine process trees from w3wp.exe for encoded PowerShell, credential access tooling, and lateral movement (PsExec/Impacket). Microsoft’s Storm‑2603 case details these patterns (Microsoft Security TI).
  • Validate that no unauthorized Scheduled Tasks, IIS modules, or startup persistence remain; Talos also observed Velociraptor used as persistence — scrutinize any Velociraptor servers/agents and remediate versions impacted by CVE‑2025‑6264 (Talos IR Q3 2025, NVD CVE‑2025‑6264).
  4. Identity and email hardening (to blunt the observed follow‑on phishing)
  • Enforce strong MFA, detect MFA bombing/bypass, and monitor for impossible travel. Talos saw a third of cases involve MFA abuse and internal phishing from compromised mailboxes (Talos IR Q3 2025).

Ransomware and tradecraft notes for examiners

  • Talos responded to Warlock, Babuk, Kraken, Qilin and LockBit variants in Q3; one Storm‑2603 case chained ToolShell exploitation to ransomware and Velociraptor persistence (Talos IR Q3 2025).
  • Microsoft attributes exploitation to multiple China‑nexus actors (Linen Typhoon, Violet Typhoon, Storm‑2603) and documents typical discovery, credential theft (LSASS/Mimikatz), lateral movement (PsExec, WMI), and GPO‑based ransomware deployment (Microsoft Security TI).

Implication: if you find MachineKey theft, treat any later O365/Entra anomalies and on‑prem SSO apps as potentially affected due to token forgery risk (Cloudflare).


Prevent, detect, and monitor going forward

  • Patch velocity and coverage: ensure all SharePoint farms run supported versions with current updates for CVE‑2025‑53770/53771 and July CVEs; validate AMSI Full Mode is enabled on SharePoint (2016/2019 enablement shipped in Sept 2023, 23H2 for Subscription Edition) (MSRC).
  • External exposure: keep SharePoint off the raw Internet where possible; front with auth‑gated reverse proxy/VPN and a WAF that knows the ToolShell patterns (MSRC).
  • Logging hygiene: centralize IIS/ULS logs (default IIS path %SystemDrive%\inetpub\logs\LogFiles; ULS %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\LOGS) with adequate retention and forward to SIEM (Microsoft Learn – IIS logging, Microsoft Learn – ULS path).
  • Detections: keep the ToolPane POST detection in place, file‑creation alerts for LAYOUTS spinstall*.aspx, and EDR analytics for w3wp.exe spawning cmd.exe/powershell with encoded payloads (Microsoft Security TI, MSRC).

Takeaways

  • Prioritize SharePoint: assume compromise if on‑prem WFEs were Internet‑exposed in July–August; patch, enable AMSI, rotate MachineKeys, and restart IIS (MSRC).
  • Hunt immediately: query for ToolPane POSTs, spinstall*.aspx under LAYOUTS, and w3wp.exe spawning encoded PowerShell (Microsoft Security TI).
  • Contain laterally: segment SharePoint/SQL and treat the farm as a potential credential‑stealing bridgehead, as observed by Talos (Talos IR Q3 2025).
  • Watch for persistence: investigate any Velociraptor deployments and remediate vulnerable versions (CVE‑2025‑6264) if found (NVD CVE‑2025‑6264).
  • Prepare for phishing fallout: strengthen MFA and detections for internal phishing and mailbox rule abuse (Talos IR Q3 2025).

Sources / References