ToolShell-led SharePoint intrusions in Q3 2025: a practitioner’s playbook for forensics, detection, and rapid eviction

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public‑facing applications, driven largely by the ToolShell attack chain against on‑premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post‑compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Talos IR Q3 2025.

Microsoft confirmed mass, fast exploitation beginning July 18, 2025, with emergency guidance and updates that fully protect supported on‑prem SharePoint versions; SharePoint Online is unaffected. Microsoft provides concrete hunts (including for spinstall0.aspx) and prescribes enabling AMSI, patching, and rotating ASP.NET machine keys. Microsoft Security Blog, MSRC guidance.

ToolShell in one slide (for investigators)

  • Initial access: unauthenticated exploitation of on‑prem SharePoint via the ToolShell chain associated with CVE‑2025‑53770 and CVE‑2025‑53771, related to earlier July fixes for CVE‑2025‑49704 and CVE‑2025‑49706. Talos, Microsoft Security Blog, MSRC.
  • Persistence/post‑exploitation: webshells such as spinstall0.aspx, machine key theft, w3wp.exe spawning cmd/powershell; in some cases internal phishing from valid accounts as the follow‑on. Talos, MSRC.
  • Scope and speed: exploitation began July 18, 2025, with automated scanning; Microsoft and multiple vendors observed rapid waves. Microsoft Security Blog, Sophos, CrowdStrike.
  • ATT&CK mapping: T1190 (Exploit Public‑Facing Application), T1505.003 (Web Shell), T1078 (Valid Accounts), T1566 (Phishing). MITRE T1190, MITRE T1505.003, MITRE T1078, MITRE T1566.

First 60 minutes: containment and preservation

  • Isolate the SharePoint front‑end(s) from the internet; keep power on, preserve state. MSRC.
  • Snapshot VMs and capture volatile forensics (memory, handles, network connections, loaded DLLs). Prioritize the IIS worker process (w3wp.exe) and any shell-spawned children. Microsoft Sysmon (process creation).
  • Stage updates for all supported on‑prem SharePoint versions; Microsoft states the latest updates fully protect SharePoint Server SE/2019/2016. MSRC.
  • Enable or verify SharePoint AMSI integration and Defender AV, then rotate ASP.NET machine keys and restart IIS post‑patch. MSRC.
  • Implement emergency segmentation between SharePoint FE and backend SQL and management networks (block lateral except essential ports/hosts). CISA Ransomware Guide.

Where to look: high‑value artefacts and log paths

File system

  • Common webshell drops observed: LAYOUTS path with spinstall0.aspx; variants like info3.aspx were also seen by vendors. Default LAYOUTS may be under 15 or 16 hive depending on version. MSRC KQL shows 15/16 LAYOUTS paths, Sophos.

IIS/W3C web logs

  • Default location: %SystemDrive%\inetpub\logs\LogFiles\W3SVC. Microsoft TechCommunity (IIS Support Blog).
  • Hunt for suspicious POSTs to ToolShell‑related endpoints (e.g., /_layouts/15/ToolPane.aspx) around first execution; vendors observed this during active exploitation. Sophos.

SharePoint ULS logs

  • Default trace logs for on‑prem 2016/2019/SE are typically in %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\16\LOGS (15 for SP2013). Nintex doc (ULS paths), Nintex SE/2019.

Windows eventing

  • Security 4688 (process creation) with command line enabled: look for w3wp.exe spawning cmd.exe and powershell.exe, especially with base64/EncodedCommand. Windows 4688, Sysmon Event ID 1.

Quick hunts and triage queries

IIS W3C logs (PowerShell one‑liner)

# Adjust W3SVC path/site ID and timeframe as needed; -File and -Filter keep Get-Content off directories
Get-ChildItem "C:\inetpub\logs\LogFiles\W3SVC*" -Recurse -File -Filter *.log |
  Get-Content |
  Select-String "/_layouts/15/ToolPane.aspx|/_layouts/16/ToolPane.aspx" |
  Select Line | Select -First 200

Reference: IIS default log path. Microsoft TechCommunity. ToolPane observation during exploitation. Sophos.
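Added example (mine, not from the original post or from Microsoft, Sophos or Talos): an offline parser for the IIS W3C format that applies the same ToolPane hunt to exported W3SVC logs, groups the POSTs by client IP and user agent, and lists later .aspx requests from those IPs, which is the timeline to compare against LAYOUTS file timestamps. The log lines, IPs and user agents are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed IIS W3C sample (not from a real incident). The #Fields line mirrors
# the default IIS layout, so the parser also works on real exported W3SVC logs.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:01:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126 - 200 0 0 120
2025-07-19 03:02:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 350
2025-07-19 03:02:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 410
2025-07-19 03:10:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 90
2025-07-19 03:12:19 10.0.0.5 POST /_layouts/16/ToolPane.aspx - 443 - 198.51.100.9 curl/8.5.0 - 500 0 0 230
"""

TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)

def parse_w3c(text):
    """Turn IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # header repeats after log rollover
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) == len(fields):       # skip truncated or misaligned lines
                rows.append(dict(zip(fields, values)))
    return rows

def when(row):
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")

def hunt_toolpane_posts(rows):
    """POSTs to ToolPane.aspx in the 15 or 16 hive, grouped by (client IP, user agent)."""
    hits = [r for r in rows if r["cs-method"] == "POST" and TOOLPANE.match(r["cs-uri-stem"])]
    by_source = Counter((r["c-ip"], r["cs(User-Agent)"]) for r in hits)
    return hits, by_source, min((when(r) for r in hits), default=None)

def follow_on_aspx(rows, suspect_ips, after):
    """Other .aspx requests from the POSTing IPs after the first ToolPane POST:
    candidate hits on a dropped page, to compare against LAYOUTS file timestamps."""
    return [r for r in rows
            if r["c-ip"] in suspect_ips and when(r) > after
            and r["cs-uri-stem"].lower().endswith(".aspx")
            and not TOOLPANE.match(r["cs-uri-stem"])]
```

Feed parse_w3c the concatenated contents of each *.log under W3SVC*, then pass the POSTing IPs from hunt_toolpane_posts into follow_on_aspx to get the request timeline for the LAYOUTS comparison.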

File drop hunt (webshell)

Get-ChildItem -Path "${env:ProgramFiles}\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
                      "${env:ProgramFiles}\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS" -Filter "spinstall0*.aspx" -Recurse -ErrorAction SilentlyContinue |
  Select FullName, LastWriteTime, Length | Format-List

Reference: LAYOUTS paths used in Microsoft’s advanced hunting guidance. MSRC.

Process tree anomalies (Security 4688)

# Requires Audit Process Creation plus "Include command line in process creation events"
# Property indices for 4688: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName
$start=(Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688; StartTime=$start} |
  Where-Object { $_.Properties[13].Value -like '*\w3wp.exe' -and
                 $_.Properties[5].Value -match '(cmd|powershell)\.exe$' } |
  Select TimeCreated, @{n='Parent';e={$_.Properties[13].Value}}, @{n='Child';e={$_.Properties[5].Value}},
         @{n='CmdLine';e={$_.Properties[8].Value}} | Out-GridView

Reference: event semantics for 4688 and Sysmon process creation. Windows 4688, Sysmon.
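Added example, not from the page's sources: the same w3wp.exe parent/child check as the 4688 query, run offline over exported records, with the -EncodedCommand payload decoded (UTF-16LE base64, as PowerShell expects) and checked for the LAYOUTS/spinstall0 strings Microsoft's hunts look for. The event records are constructed; the keys mirror the 4688 properties used above.

```python
import base64
import re
from pathlib import PureWindowsPath
def _enc(script):   # how PowerShell expects -EncodedCommand input: UTF-16LE, then base64
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed 4688-style records (not real telemetry); keys mirror the
# ParentProcessName, NewProcessName and CommandLine properties used in the query above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "child": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -EncodedCommand " + _enc(r"Get-Item 'C:\Program Files\Common Files"
                r"\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx'")},
    {"parent": r"C:\Windows\System32\services.exe", "child": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

WEB_WORKERS = {"w3wp.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "ipconfig.exe", "net.exe", "net1.exe"}
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
INDICATORS = ("spinstall0", r"template\layouts")

def decode_encoded_command(cmdline):
    # Accepts the abbreviated switches PowerShell allows (-e, -ec, -enc ...); None if absent/undecodable
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):    # binascii.Error is a ValueError subclass
        return None

def triage(events):
    """Flag tooling spawned by the web worker and say why; decode PowerShell to check indicators."""
    findings = []
    for i, ev in enumerate(events):
        parent = PureWindowsPath(ev["parent"]).name.lower()
        child = PureWindowsPath(ev["child"]).name.lower()
        if parent not in WEB_WORKERS or child not in SUSPECT_CHILDREN:
            continue                               # only web-worker-spawned tooling is in scope
        reasons = [f"{parent} spawned {child}"]
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded PowerShell")
            if any(ind in decoded.lower() for ind in INDICATORS):
                reasons.append("decoded script references LAYOUTS/spinstall0")
        findings.append({"index": i, "child": child, "reasons": reasons, "decoded": decoded})
    return findings
```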

Microsoft 365 Defender KQL (from Microsoft guidance)

// Webshell drop indicator (spinstall0)
DeviceFileEvents
| where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
| where FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath
| order by Timestamp desc

Reference: MSRC advanced hunting. MSRC.

Post‑compromise phishing from valid accounts: what to collect and hunt

Talos highlights a rise in internal phishing launched from compromised valid accounts, often hiding traffic with mailbox rules. Talos. Investigate with the Unified Audit Log (UAL) and Defender XDR playbooks:

Example UAL query (PowerShell)

# Requires the Exchange Online PowerShell module: run Connect-ExchangeOnline first
# ResultSize defaults to 100; 5000 is the per-call maximum
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
  -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000 |
  Select CreationDate, UserIds, Operations, AuditData | Export-Csv InboxRule_Audit.csv -NoTypeInformation

Reference: UAL hunting and New‑InboxRule indicators. TechCommunity, Purview.
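Added example, not part of the original post: triage of the AuditData JSON that the query above exports, flagging the rule behaviours Talos describes (forwarding outside the tenant, hiding mail in folders such as RSS Feeds, marking it read, punctuation-only rule names). The audit rows are constructed, and INTERNAL_DOMAINS is an assumed list of the tenant's own domains.

```python
import json
import re
# Constructed Search-UnifiedAuditLog rows (not real audit data). AuditData is the
# JSON string Exchange records for New-InboxRule / Set-InboxRule operations.
SAMPLE_UAL = [
    {"UserIds": "alice@corp.example", "Operations": "New-InboxRule", "AuditData": json.dumps({
        "Operation": "New-InboxRule", "UserId": "alice@corp.example", "ClientIP": "203.0.113.77",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"},
                       {"Name": "ForwardTo", "Value": "External Box [SMTP:dropbox@mail.example.net]"},
                       {"Name": "MoveToFolder", "Value": ":\\RSS Feeds"},
                       {"Name": "MarkAsRead", "Value": "True"}]})},
    {"UserIds": "bob@corp.example", "Operations": "New-InboxRule", "AuditData": json.dumps({
        "Operation": "New-InboxRule", "UserId": "bob@corp.example", "ClientIP": "10.0.1.20",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "From", "Value": "news@vendor.example"},
                       {"Name": "MoveToFolder", "Value": ":\\Newsletters"}]})},
]

INTERNAL_DOMAINS = {"corp.example"}            # assumption: the tenant's accepted domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")   # targets may be logged as "Name [SMTP:addr]"

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def rule_traits(audit_data):
    """Suspicious traits of one inbox-rule audit event (empty list = looks benign)."""
    params = {p["Name"]: str(p["Value"]) for p in json.loads(audit_data).get("Parameters", [])}
    traits = []
    for name in FORWARD_PARAMS:
        if name in params and any(is_external(a) for a in ADDRESS.findall(params[name])):
            traits.append(f"{name} to external address")
    if params.get("DeleteMessage", "").lower() == "true":
        traits.append("deletes matching mail")
    folder = params.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        traits.append(f"moves mail to {folder}")
    if traits and params.get("MarkAsRead", "").lower() == "true":
        traits.append("marks as read")            # keeps the mailbox owner from noticing
    if not params.get("Name", "").strip(" .-_"):
        traits.append("blank or punctuation-only rule name")
    return traits

def triage_inbox_rules(rows):
    """Keep only the UAL rows whose rule shows hiding or exfiltration traits."""
    return [{"user": r["UserIds"], "operation": r["Operations"], "traits": t}
            for r in rows if (t := rule_traits(r["AuditData"]))]
```

Load InboxRule_Audit.csv with csv.DictReader and pass the rows straight to triage_inbox_rules; the CSV column names match the keys used here.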

Forensic deep‑dive checklist

  1. Host scope and pivot
  • Enumerate other SharePoint FE/APP servers and the SQL back‑end; review trust paths where Talos observed lateral movement from an internet‑facing FE to a SharePoint database server. Talos.
  2. Web tier artefacts
  • Pull LAYOUTS directory listings and hashes; compare timestamps to first suspicious POST; verify unexpected .aspx files. MSRC (LAYOUTS KQL), Sophos.
  • Parse IIS logs for POSTs around /_layouts/15 or /16 ToolPane.aspx and unusual client IPs. Sophos, Microsoft TechCommunity.
  3. Process and memory
  • Trace w3wp.exe child processes; capture command lines; memory dump for loaded assemblies and PowerShell script blocks. Windows 4688, Sysmon.
  4. SharePoint diagnostics
  • Merge ULS logs across the farm and filter by correlation IDs/time; default paths are under Web Server Extensions\16\LOGS (15 for 2013). Nintex ULS paths, Nintex SE/2019.
  5. Credential/key theft
  • Hunt for indicators of machine key extraction misuse; rotate ASP.NET machine keys and restart IIS across all SharePoint servers as part of eviction. MSRC.
  6. Cloud/email follow‑through

Detection engineering notes (what “good” looks like)

  • Webshell behaviors: alert when a web server process (w3wp.exe) spawns cmd.exe/powershell.exe, whoami, ipconfig, net, or archives; this is canonical webshell telemetry. MITRE T1505.003, Sysmon.
  • Endpoint hunts: block/alert on base64‑encoded PowerShell spawned by w3wp.exe; Microsoft’s advanced hunting examples include decoding to find LAYOUTS references and spinstall0 indicators. MSRC.
  • Network: detect abnormal POSTs to /_layouts/15 or /16/ToolPane.aspx from rare IPs/user‑agents; baseline normal SharePoint APIs. Vendor reporting tied ToolPane POSTs to in‑the‑wild exploitation. Sophos.
  • Email: continuous monitoring for inbox rule creation and external forwarding, enriched with geovelocity and ISP anomalies per XDR playbooks. Defender XDR inbox manipulation, inbox forwarding.

Rapid eviction and hardening: a repeatable plan

  1. Patch and protect
  • Apply the latest SharePoint security updates; Microsoft states these fully protect supported versions (SE/2019/2016). MSRC.
  • Enable SharePoint AMSI integration and Defender AV/EDR on all SharePoint servers. MSRC.
  2. Key rotation and token hygiene
  • Rotate ASP.NET machine keys across the farm and restart IIS; repeat after isolating if AMSI could not be enabled prior to patch. MSRC.
  3. Segmentation and blast‑radius control
  • Move internet‑facing SharePoint into a DMZ‑style segment; restrict east‑west to only required SQL/management flows; block direct access to file shares and management networks. CISA Ransomware Guide, CISA network segmentation.
  4. Message hygiene
  5. Validate eradication

Notes on actor activity seen around ToolShell

  • Talos observed spinstall0.aspx used to extract sensitive cryptographic keys and emphasized poor segmentation enabling lateral movement to a SharePoint database server prior to ransomware staging. Talos.
  • Microsoft reported China‑based actors (including Storm‑2603) exploiting the SharePoint vulnerabilities to deploy ransomware, and reiterated that SharePoint Online is not impacted. Microsoft Security Blog.
  • Multiple vendors documented spinstall0.aspx and related in‑memory/file‑drop behaviors as part of real‑world attempts. Sophos, CrowdStrike.

ATT&CK technique focus

  • Initial Access: Exploit Public‑Facing Application (T1190). MITRE T1190.
  • Persistence: Web Shell (T1505.003). MITRE T1505.003.
  • Credential Access/Lateral: Valid Accounts (T1078). MITRE T1078.
  • Initial Access/Recon: Internal spearphishing from compromised accounts (T1566). MITRE T1566.

Takeaways

  • Patch and protect: Apply July and subsequent SharePoint updates for SE/2019/2016; enable AMSI; rotate ASP.NET machine keys and restart IIS. MSRC.
  • Hunt now: Search for spinstall0.aspx in LAYOUTS, ToolPane.aspx POSTs in IIS logs, and w3wp→cmd/powershell process chains. MSRC, Sophos, Windows 4688.
  • Segment aggressively: Put SharePoint in a DMZ, restrict east‑west, and validate ACLs between FE/DB hosts to limit ToolShell blast radius. CISA.
  • Evict mailbox abuse: Sweep for new/modified inbox and forwarding rules and reset affected accounts. Defender XDR playbooks, Purview UAL.
  • Keep watch: Expect continued use of webshells and valid accounts; build detections mapped to ATT&CK T1190/T1505.003/T1078/T1566. MITRE ATT&CK T1190, T1505.003, T1078, T1566.

Sources / References