# 🧠 LetsDefend SharePoint Zero-Day Analysis (ToolShell - SOC342-CVE-2025-53770)
## 📘 Introduction
I investigated a SharePoint zero-day called **ToolShell (CVE-2025-53770)** in the **LetsDefend** cyber lab.
The exercise mimicked a **real-world zero-day RCE attack** where a malicious POST request bypassed authentication, executed PowerShell to steal *MachineKeySection* keys, compiled `payload.exe`, and dropped a malicious web shell (`spinstall0.aspx`).
This README documents the **attack process, forensic steps, containment actions**, and **lessons learned**.
---
## ⚙️ Lab Overview
| Field | Details |
|-------|----------|
| **Platform** | LetsDefend Cyber Range |
| **Target** | SharePoint Server (`SharePoint01`) |
| **CVE** | CVE-2025-53770 |
| **Objective** | Analyze RCE, practice detection & containment |
| **Tools Used** | Windows PowerShell, VirusTotal, AbuseIPDB, Talos Intelligence, LetsDefend Log Management, LetsDefend Endpoint Security, Base64 Decoder, LetsDefend Threat Intel |
---
## 🚨 The Alert
A **critical alert** flagged suspicious activity targeting `ToolPane.aspx` in SharePoint with a large payload and spoofed *Referer*.
This correlates with **CVE-2025-53770**, a zero-day vulnerability allowing **unauthenticated RCE** via crafted POST requests.


## 🚨 Alert Breakdown — SOC342: CVE-2025-53770 SharePoint ToolShell Auth Bypass & RCE
---
### 🔴 **Critical**
**What it is:** The severity level assigned to this alert — highest and most urgent.
**Why it matters:** Indicates this event could lead to **full system compromise (RCE)**. Treat as **top-priority**: isolate and investigate immediately.
---
### 🕒 **Jul 22, 2025 — 01:07 PM**
**What it is:** The timestamp when the alert was triggered.
**Why it matters:** Use it to **locate logs**, correlate related events, and **build a timeline** (search ± few minutes or hours).
---
### ⭐ **SOC342 — CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE (Rule)**
**What it is:** The **detection rule or signature** that fired, describing the matched condition (ToolShell exploit attempt).
**Why it matters:** Identifies **what attack pattern** was detected — useful for hunting similar cases (e.g., unauthenticated POSTs to admin pages or potential webshell uploads).
---
### 🧩 **320 (EventID)**
**What it is:** Numeric identifier for this specific alert instance or rule (vendor-defined).
**Why it matters:** Helps with **tracking**, filtering, and referencing this alert in tickets or reports.
---
### 🌐 **Web Attack (Category)**
**What it is:** High-level classification — this alert targets **web infrastructure**.
**Why it matters:** Routes incident to the **web/SharePoint/infra** team and applies **web-specific playbooks**.
---
### 👤 **Level: Security Analyst**
**What it is:** Analyst role or escalation level expected to handle the alert.
**Why it matters:** Indicates this is **not a Tier-1** alert — requires a **Security Analyst** (experienced responder) for immediate action.
---
### 🖥️ **Hostname: SharePoint01**
**What it is:** Name of the affected host (target or origin of the activity).
**Why it matters:** This is the **primary containment target** — isolate, collect evidence, and monitor this system first.
---
### 🌍 **Source IP Address: 107.191.58.76**
**What it is:** The IP sending the suspicious request (attacker or proxy).
**Why it matters:** **Block** it at the firewall/WAF, **search** for other hits from it, and check ownership/geo info. Note: IPs can be **spoofed** or part of **botnets**.
---
### 🧭 **Destination IP Address: 172.16.20.17**
**What it is:** The internal target IP (SharePoint01).
**Why it matters:** Confirms which internal system was targeted — map it to hostname and **review internal access paths/firewall rules**.
---
### 📬 **HTTP Request Method: POST**
**What it is:** The HTTP verb used — client sent data to the server.
**Why it matters:** **POSTs to admin endpoints** are suspicious when unauthenticated or large — they can carry **exploit payloads or webshells**.
---
### 📎 **Requested URL:**
`/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx`
**What it is:** The exact targeted web path and parameters.
**Why it matters:** This is a **SharePoint admin/layout endpoint** — commonly abused by attackers for **auth bypass or code uploads**. Hunt for other requests to the same path.
---
### 🧠 **User-Agent:**
`Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0`
**What it is:** The browser string reported by the client.
**Why it matters:** Often **spoofed** by attackers to look legitimate — can help **filter logs**, but **don’t rely on it for attribution**.
---
### 🔗 **Referer:**
`/_layouts/SignOut.aspx`
**What it is:** HTTP header claiming the request came from SharePoint’s sign-out page.
**Why it matters:** **Spoofed referers** are suspicious — may be used to **bypass checks or mimic normal traffic**. Compare with legitimate navigation flows.
---
### 📦 **Content-Length:** `7699`
**What it is:** Size of the HTTP request body (in bytes).
**Why it matters:** A **large POST body** to an admin endpoint suggests a **serialized exploit or file upload**. Look for other POSTs of similar size to same URL.
---
### ⚠️ **Alert Trigger Reason**
**Text:** Suspicious unauthenticated POST request targeting `ToolPane.aspx` with large payload size and spoofed referer — indicative of **CVE-2025-53770** exploitation.
**What it is:** Rule explanation summarizing the matched behavior.
**Why it matters:** Describes **exactly why** the alert fired — verify whether the request was unauthenticated, what payload was sent, and if it matches known exploit patterns.
---
### 🚧 **Device Action: Allowed**
**What it is:** Indicates the **protecting device’s response** (e.g., WAF/firewall).
**Why it matters:** Since it was **allowed**, the **attack reached the host** — treat as potential compromise.
**Immediate actions:**
- **Block source IP** (`107.191.58.76`)
- Enable blocking rules
- Investigate destination host (`SharePoint01`)
- **Tune WAF/firewall** to block future requests with similar patterns.
---
**🔎 Summary:**
This alert reflects an unauthenticated exploitation attempt against **ToolPane.aspx** (SharePoint RCE, CVE-2025-53770). The POST request carried a large payload and a spoofed referer, consistent with **ToolShell zero-day exploitation behavior**. Because the device allowed the request, assume **possible compromise** until proven otherwise. 🟥 **Severity:** Critical
---
## Quick checks (1–3 minutes)
1. **Search IIS/WAF for POSTs to ToolPane.aspx** (around `2025-07-22 13:07`):
`Get-ChildItem -Path "C:\inetpub\logs\LogFiles" -Recurse -Filter *.log | Select-String -Pattern "/_layouts/15/ToolPane.aspx" | Out-File .\IIS_ToolPane_hits.txt` (PowerShell wildcards do not expand `**`, so recurse with `Get-ChildItem` and pipe the files into `Select-String`)
2. **Pull full POST body** from WAF/proxy or packet capture and save to forensic share.
3. **Look for new/modified ASPX in webroot** (webshells):
`Get-ChildItem "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions" -Recurse -Filter *.aspx | Sort-Object LastWriteTime -Descending | Select-Object FullName,LastWriteTime`
4. **Block attacker & isolate host**: block `107.191.58.76` at perimeter/WAF and move `SharePoint01` to quarantine (or restrict egress).
> **Do not delete** suspected files — make forensic copies first.
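As an added example (not part of the original lab writeup), a small Python triage script that applies the alert's own criteria to IIS W3C log lines: it parses the `#Fields:` header, flags POSTs to ToolPane.aspx in edit mode that carry a SignOut referer or a large body, and separately lists hits on `spinstall*.aspx`. The log lines are constructed; the `cs-bytes` column is assumed to be enabled in IIS logging, and the 4000-byte threshold is an assumption.

```python
import re

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT = "/_layouts/signout.aspx"
MIN_BODY_BYTES = 4000   # assumed threshold; the alert's POST carried 7699 bytes
WEBSHELL_NAME = re.compile(r"(?i)/spinstall[^/]*\.aspx$")

def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header can repeat when IIS rolls the log
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before #Fields: header")
        values = line.split(" ")        # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            continue                    # truncated record: skip rather than misalign columns
        yield dict(zip(fields, values))

def is_toolshell_candidate(rec):
    """POST to ToolPane.aspx in edit mode, with a SignOut referer or a large body."""
    if rec.get("cs-method") != "POST" or rec.get("cs-uri-stem", "").lower() != TOOLPANE:
        return False
    if "displaymode=edit" not in rec.get("cs-uri-query", "-").lower():
        return False
    spoofed_referer = rec.get("cs(Referer)", "-").lower().endswith(SIGNOUT)
    try:
        body_bytes = int(rec.get("cs-bytes", "0"))   # cs-bytes must be enabled in IIS logging
    except ValueError:
        body_bytes = 0
    return spoofed_referer or body_bytes >= MIN_BODY_BYTES

def is_webshell_request(rec):
    """Any hit on spinstall*.aspx, a file that should not exist on a clean host."""
    return bool(WEBSHELL_NAME.search(rec.get("cs-uri-stem", "")))

def triage(lines):
    """Single pass over the log: exploit POSTs and web shell hits, in log order."""
    result = {"exploit_posts": [], "webshell_hits": []}
    for rec in parse_w3c(lines):
        if is_toolshell_candidate(rec):
            result["exploit_posts"].append(rec)
        if is_webshell_request(rec):
            result["webshell_hits"].append(rec)
    return result

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status cs-bytes
2025-07-22 13:06:58 172.16.20.17 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 172.16.20.55 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint01/SitePages/Home.aspx 200 512
2025-07-22 13:07:02 172.16.20.17 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200 7699
2025-07-22 13:07:40 172.16.20.17 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 301
""".splitlines()   # constructed sample, not the lab's real log
```

Point `triage()` at a real log with `triage(open(path, encoding="utf-8"))`; the single pass means a file object works as well as a list.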
## 🧩 What is SharePoint?
**Microsoft SharePoint** is a collaboration and document management platform.
It provides secure file storage, version control, and intranet portals, integrated with **Active Directory, Teams, Outlook, and Power BI.**
### 🔐 Security Considerations
- Uses AD/SSO for authentication
- Data encryption at rest & in transit
- Web parts and layouts can be abused if misconfigured
- Requires regular patching to defend against zero-days
---
## 🧨 CVE-2025-53770 (ToolShell)
A **critical unauthenticated RCE** vulnerability in **Microsoft SharePoint Server** exploiting insecure deserialization.
Attackers use it to:
- Execute code remotely
- Exfiltrate MachineKey material
- Deploy web shells for persistence
🧮 **CVSS Score:** 9.8 (Critical)
📡 **Exploitation:** Active in the wild
---
## 🧠 Attack Analysis with VirusTotal
**Source IP:** `107.191.58.76`
🧩 **Result:** 15/95 security vendors flagged it as malicious.

### 🌍 IP Location & Reputation
Checked via **AbuseIPDB** — IP linked to:
- Hacking and brute-force attempts
- Web app attacks
- Port scanning
- DNS poisoning

### 🌐 Talos IP Reputation
Checked via **Talos Intelligence** — IP/subnet characteristics:
- Hosted by **Vultr (cloud provider)**
- Hostnames in the range: `*.vultrusercontent.com`
- Forward/reverse DNS mostly **not matched**
- Email reputation: Mostly **Neutral**, some **Poor**
- Minimal email volume (0–0.6 per day/month)
- Indicates occasional misuse, supporting **malicious activity context**

---
## 🖥️ Endpoint Analysis
Located host **SharePoint01** in Endpoint Security.
Examined **Terminal History** for suspicious commands.

This log shows that at 13:07:11, a PowerShell process ran under the SharePoint application pool, executing a Base64-encoded command. The parent process was services.exe, and the attack targeted SharePoint directories. This is a clear indicator of ToolShell exploitation and remote code execution within the SharePoint server.
---
## 🧾 PowerShell Findings
### What the PowerShell command options mean
- `-nop` = `-NoProfile`: start PowerShell **without loading the user profile** (avoids profile-based detection, runs faster).
- `-w hidden` = `-WindowStyle Hidden`: run **without showing a window** (stealth).
- `-e` = `-EncodedCommand`: the following string is **Base64-encoded** PowerShell content (usually UTF-16LE or sometimes UTF-8) — used to hide code from casual inspection and simple logs.
- `<BASE64>`: long Base64 payload — when decoded it contains an **ASPX server script** (looks like a webshell) that reads `MachineKey` values.

### Command Line Findings with Base64 Decoder

**⚙️ Behavior Summary**
- Uses reflection to load the System.Web assembly
- Accesses a non-public MachineKeySection method
- Reads ValidationKey & DecryptionKey
- Writes the results to the HTTP response → exfiltration
This indicates MachineKey theft for forging ViewState/auth tokens — classic ToolShell exploitation.
### Command 1 — C# Compilation:

🧩 Finding: Attacker compiled payload.cs into payload.exe using built-in .NET compiler → likely malware.
**What this literally does (step‑by‑step):**
- Runs the program `csc.exe` → the **C# compiler** that ships with the .NET Framework.
- `/out:C:\Windows\Temp\payload.exe` → tells the compiler **where to save the compiled program** and what to name it (`payload.exe`).
- `C:\Windows\Temp\payload.cs` → the **C# source file** (human‑readable code) that the compiler turns into a runnable program.
**Why this is dangerous (novice explanation):**
- The attacker converted text code (`.cs`) into an executable (`.exe`) on the victim machine.
- The binary (`payload.exe`) can perform any actions the attacker programmed: open network connections, spawn shells, install persistence, or steal data.
- Using the built‑in compiler helps attackers avoid dropping obvious malicious binaries and can bypass script‑only monitoring.
**How the attacker likely used it in the attack chain:**
- After achieving code execution via the web exploit, the attacker created or uploaded `payload.cs`.
- They compiled it into `payload.exe` so it could run as a native program on the server.
- The compiled payload was then used to carry out follow‑on actions (beaconing, backdoors, lateral movement).
**Evidence to look for (what to search in logs / files):**
- Process creation events for `csc.exe` with arguments pointing to `payload.cs` or `/out:C:\Windows\Temp\payload.exe`.
- Existence of `C:\Windows\Temp\payload.cs` and `C:\Windows\Temp\payload.exe` (collect forensic copies and compute hashes).
- Parent/child process relationships showing `w3wp.exe` / `powershell.exe` / `cmd.exe` spawning `csc.exe`.
- Network activity or process activity originating from `payload.exe` if it executed.
**One-line summary (for README / ticket):**
`Attacker used the .NET C# compiler (csc.exe) to compile payload.cs into payload.exe on the host — creating a native executable for follow‑on malicious activity.`
---
### Command 2 — Web Shell Deployment:

🧩 Finding: Created spinstall0.aspx inside SharePoint’s LAYOUTS directory → web-accessible backdoor.
**What this literally does (step‑by‑step, plain English):**
- Runs `cmd.exe /c` → starts the Windows command shell to run a single command and then exit.
- `echo <...> > "...\spinstall0.aspx"` → prints the provided HTML/ASPX text and **writes it into the file** `spinstall0.aspx` (the `>` operator creates or overwrites the file).
- The written content includes `runat="server"` → makes the file **server‑side ASPX**, so IIS/SharePoint executes it inside the web application process rather than serving it as static text.
- The `<object>` element contains `Url="http://107.191.58.76/payload.exe"` → instructs the page (or server when executed) to fetch the attacker’s `payload.exe` from the remote host.
**Why this is dangerous (novice explanation):**
- The attacker created a **server‑side page** in a web‑accessible SharePoint folder; because it runs on the server, it can perform actions with the web app’s privileges.
- The page can instruct the server to **download and run** the attacker’s payload, enabling remote code execution and persistence.
- A file in the webroot is easy to trigger via HTTP requests, allowing remote re‑use without additional uploads.
**How the attacker likely used it in the attack chain:**
- After initial code execution via the ToolPane.aspx exploit, the attacker wrote `spinstall0.aspx` into the SharePoint `LAYOUTS` folder.
- The web shell is triggered by visiting the page or invoked by application code, causing the server to fetch `payload.exe` from the attacker host.
- The fetched payload is then executed or staged, providing a persistent backdoor for the attacker.
**Evidence to look for (what to search in logs / files):**
- File present at:
`C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx` — collect a forensic copy and compute SHA256.
- File creation/write events (Sysmon EventID 11 or Windows Audit 4663) showing `cmd.exe` writing to that path.
- IIS logs showing requests to `spinstall0.aspx` or outgoing requests to `http://107.191.58.76/payload.exe`.
- Process creation or network activity immediately after accesses to `spinstall0.aspx` (indicating payload download/execution).
- Other suspicious ASPX files in SharePoint LAYOUTS with similar content or names.
**One-line summary (for README / ticket):**
`Attacker created a server‑side ASPX web shell (spinstall0.aspx) in SharePoint’s LAYOUTS folder that instructs the server to fetch/run payload.exe from attacker infrastructure — persistent remote backdoor.`
### Command 3 — MachineKey Exfiltration:

🧩 Finding: Executed PowerShell to read and exfiltrate MachineKey configuration — direct RCE precondition.
**What this literally does (step‑by‑step):**
- Runs `powershell.exe` → the Windows scripting shell.
- `-Command` tells PowerShell to execute the following expression.
- `[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()` calls into .NET to retrieve the ASP.NET **machineKey** configuration object (includes `ValidationKey`, `DecryptionKey`, and related settings).
- In short: the attacker asked .NET (via PowerShell) to return the web app’s secret machineKey values.
**Why this is dangerous (novice explanation):**
- The `machineKey` holds secrets that ASP.NET uses to:
  - Sign and validate `ViewState` and forms‑auth cookies.
  - Encrypt/decrypt sensitive web tokens.
- If an attacker obtains `ValidationKey`/`DecryptionKey`, they can:
  - Forge signed `ViewState` or auth cookies, or decrypt tokens.
  - Make the server accept forged requests → **bypass authentication**, enable RCE or privilege escalation.
**How the attacker likely used it in the attack chain:**
- Exploit `ToolPane.aspx` to run code inside the SharePoint app process.
- Execute this PowerShell command (or an ASPX that does the same) to read the machineKey.
- Capture `ValidationKey` / `DecryptionKey`.
- Use keys to craft signed payloads (e.g., malicious `ViewState`) or valid auth cookies to escalate access.
**Evidence to look for (what to search in logs / files):**
- Process creation events showing `powershell.exe` with `GetApplicationConfig` or `MachineKeySection` in the command line.
- Web responses, logs, or saved files containing long hex strings (likely `ValidationKey` / `DecryptionKey`).
- ASPX pages or webshells that call `MachineKeySection` / `GetApplicationConfig`.
- Unusual activity by the web app pool user (e.g., `IIS APPPOOL\SharePoint`) at the same timestamps.
**One-line summary (for README / ticket):**
`Attacker executed PowerShell to call System.Web.Configuration.MachineKeySection::GetApplicationConfig() — attempting to exfiltrate ASP.NET machineKey (ValidationKey/DecryptionKey), enabling token forgery and authentication bypass.`

## 🔍 Threat Intelligence Findings
**Source:** LetsDefend Threat Intel (queried by IP `107.191.58.76`)
- Tagged with **CVE‑2025‑53770** and observed `Referer: /_layouts/SignOut.aspx`.
**Interpretation:** The attacker likely spoofed legitimate SharePoint sign‑out traffic to mask malicious POST requests. Containment was initiated immediately.

---
## 🧩 Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|--------|----------------------------------------------------------------|------------------------------------------------|
| IP | `107.191.58.76` | Attacker source IP sending exploit POST |
| URL | `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` | Exploit endpoint |
| File | `spinstall0.aspx` | Deployed malicious ASPX web shell |
| String | `MachineKeySection` | Evidence of machineKey exfiltration attempt |
---
## 🧾 Analyst Note (SOC-342)
- **Date/Time:** 2025-07-22 13:07
- **Case ID:** SOC-342
- **Host:** SharePoint01
- **Severity:** 🔴 Critical
- **Analyst:** `Victor`
### 📋 Summary
Detected **ToolShell** zero‑day exploitation (CVE‑2025‑53770) against on‑prem SharePoint (`SharePoint01`). The attacker (IP `107.191.58.76`) bypassed authentication and performed multiple post‑exploit actions:
- Uploaded `spinstall0.aspx` (web shell) to the SharePoint LAYOUTS directory.
- Compiled `payload.exe` locally using the .NET C# compiler.
- Executed PowerShell to read/exfiltrate ASP.NET **MachineKey** values.



**Conclusion:** Confirmed compromise — web‑shell deployment, key exfiltration, and on‑host payload compilation.
---
## 🧰 Containment & Remediation
### ✅ Recommended Actions
- **Contain:** Isolate `SharePoint01` (quarantine VLAN) or block attacker IPs at perimeter/WAF/firewall.
- **Hunt:** Search all SharePoint servers for `spinstall*.aspx`, `payload.exe` (by filename/hash), and `GetApplicationConfig`/`MachineKeySection` usage.
- **Eradicate:** Remove `spinstall0.aspx`, unauthorized scheduled tasks/services, and any detected malware (after collecting forensic copies).
- **Mitigate:** Rotate ASP.NET `machineKey` values (coordinate with app owners) and apply Microsoft **July 2025 emergency patches** to all on‑prem SharePoint instances.
- **Detect & Prevent:**
  - Add detections for encoded PowerShell (`-EncodedCommand` / `-e`) on web servers.
  - Alert on `csc.exe` usage compiling code in `C:\Windows\Temp` on web hosts.
  - Block unauthenticated large `POST` to ToolPane.aspx via WAF rules.
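The option decoding described under PowerShell Findings and the three detections listed above, as one added Python triage example (not the lab's or LetsDefend's code): it decodes `-e` blobs as UTF-16LE, flags machineKey indicators in the decoded script, flags `csc.exe` compiling from `C:\Windows\Temp` and `cmd.exe` echoing an `.aspx` into LAYOUTS, and adds a tag when the parent is `w3wp.exe`. The events, the field names and the placeholder script text are constructed.

```python
import base64
import binascii
import re

KEY_INDICATORS = ("machinekeysection", "getapplicationconfig", "validationkey", "decryptionkey")
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
LAYOUTS_ASPX = re.compile(r"(?i)\\TEMPLATE\\LAYOUTS\\[^\\\"\s]+\.aspx")
WINDOWS_TEMP = re.compile(r"(?i)C:\\Windows\\Temp\\")

def decode_encoded_command(command_line):
    """Return the script behind -e/-EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:                        # PowerShell encodes the script as UTF-16LE ...
        return raw.decode("utf-16le")
    except UnicodeDecodeError:  # ... but tolerate hand-made UTF-8 blobs
        return raw.decode("utf-8", errors="replace")

def triage_event(event):
    """Return finding tags for one process-creation event (Sysmon EventID 1 style)."""
    image, cmd, findings = event["image"].lower(), event["command_line"], []
    if image.endswith("powershell.exe"):
        script = decode_encoded_command(cmd)
        if script is not None:
            findings.append("encoded-powershell")
        if any(k in (script or cmd).lower() for k in KEY_INDICATORS):
            findings.append("machinekey-access")
    if image.endswith("csc.exe") and WINDOWS_TEMP.search(cmd):
        findings.append("csc-temp-compile")
    if image.endswith("cmd.exe") and "echo" in cmd.lower() and LAYOUTS_ASPX.search(cmd):
        findings.append("aspx-write-layouts")
    if findings and event.get("parent_image", "").lower().endswith("w3wp.exe"):
        findings.append("spawned-by-iis-worker")
    return findings

def triage_all(events):
    """Map event index -> findings, keeping only events that produced one."""
    return {i: f for i, e in enumerate(events) if (f := triage_event(e))}

def _encode(script):  # the transform PowerShell expects for -EncodedCommand input
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, modelled on the three command lines in this case
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "powershell.exe -nop -w hidden -e "
                     + _encode("# constructed placeholder naming MachineKeySection.GetApplicationConfig")},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"csc.exe /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": r'cmd.exe /c echo ^<placeholder^> > "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},  # benign: must produce no finding
]
```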
---
## 📚 Lessons Learned
- Zero‑day exploits commonly chain stages: **RCE → persistence → exfiltration**.
- **MachineKey exfiltration** is a high‑risk indicator for SharePoint attacks — treat any attempt as critical.
- Built‑in system binaries (`csc.exe`, `cmd.exe`, `powershell.exe`) are frequently abused post‑exploit; monitor for unexpected usage on web servers.
- Rapid detection, containment, and forensic preservation are essential to limit impact.
---
## 📝 Quick responder checklist (summary)
1. Quarantine `SharePoint01` and block `107.191.58.76`.
2. Collect forensic copies of `spinstall0.aspx`, `payload.cs`, `payload.exe` (preserve timestamps).
3. Compute SHA256 hashes and submit to intel/EDR (if allowed).
4. Dump memory of `w3wp.exe` / `payload.exe` for analysis.
5. Hunt across infrastructure for the IOCs above.
6. Rotate `machineKey` and affected credentials **after** evidence collection.
7. Patch SharePoint immediately; consider host rebuild if persistence is confirmed.
---