{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1552/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SharePoint"],"_cs_severities":["high"],"_cs_tags":["sharepoint","webshell","cve-2025-53770","t1190","t1505.003","t1552"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft SharePoint vulnerability CVE-2025-53770 allows attackers to deploy a webshell named \u0026quot;spinstall0.aspx\u0026quot; within the SharePoint layouts directory after successful exploitation via the ToolPane.aspx endpoint. This webshell serves as a backdoor, enabling attackers to execute commands, exfiltrate data, and extract sensitive information such as encryption keys and authentication tokens from the compromised SharePoint server. The presence of \u0026quot;spinstall0.aspx\u0026quot; and subsequent GET requests to it strongly indicate active post-exploitation activity, potentially leading to significant data breaches and privilege escalation within the organization. The exploitation of CVE-2025-53770 and the use of the spinstall0.aspx webshell pose a significant threat to organizations utilizing vulnerable SharePoint instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the SharePoint server, exploiting CVE-2025-53770 via a specially crafted request to the ToolPane.aspx endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWebshell Deployment:\u003c/strong\u003e Successful exploitation leads to the deployment of the \u0026quot;spinstall0.aspx\u0026quot; webshell in the SharePoint layouts directory, typically located at \u003ccode\u003e/_layouts/15/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBackdoor Establishment:\u003c/strong\u003e The webshell acts as a persistent backdoor, allowing the attacker to execute arbitrary commands on the SharePoint server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker uses the webshell to perform reconnaissance activities, gathering information about the system, network, and user accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to extract sensitive information, such as encryption keys, authentication tokens, and stored credentials, from the compromised SharePoint server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker uses the webshell to exfiltrate sensitive data from the SharePoint server to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages the compromised SharePoint server as a pivot point to move laterally within the network, targeting other systems and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-53770 and deployment of the spinstall0.aspx webshell can lead to complete compromise of the SharePoint server and potentially the entire network. Attackers can steal sensitive data, including confidential documents, employee credentials, and customer information. This can result in significant financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the attacker's objectives and the security measures in place.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSharePoint spinstall0.aspx Webshell GET Request\u003c/code\u003e to detect GET requests to the spinstall0.aspx webshell.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to URLs matching the pattern \u003ccode\u003e*/_layouts/15/spinstall0.aspx*\u003c/code\u003e, as indicated in the IOCs, to identify potential webshell activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule or manual analysis of web server logs to determine the source and scope of the attack.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2025-53770 on all SharePoint servers immediately to prevent initial exploitation.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for SharePoint web servers and ensure that all HTTP requests are being captured and forwarded to your SIEM, as described in the \u0026quot;How to Implement\u0026quot; section of the original source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-sharepoint-spinstall0-webshell/","summary":"This brief describes the detection of GET requests to the spinstall0.aspx webshell, commonly deployed after exploiting CVE-2025-53770 in Microsoft SharePoint, indicating potential command execution, data exfiltration, or credential harvesting.","title":"SharePoint spinstall0.aspx Webshell Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-sharepoint-spinstall0-webshell/"}],"language":"en","title":"CraftedSignal Threat Feed - T1552","version":"https://jsonfeed.org/version/1.1"}