SharePoint ToolShell Exploitation
TheSharePoint ToolShell Exploitation campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actorsThreat Group-3390 andZIRCONIUM.SharePoint ToolShell Exploitation targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.[1][2][3][4][5]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1583 | .001 | Acquire Infrastructure:Domains | DuringSharePoint ToolShell Exploitation, threat actors registered C2 domains to spoof legitimate Microsoft domains.[1][2] |
| Enterprise | T1595 | .002 | Active Scanning:Vulnerability Scanning | DuringSharePoint ToolShell Exploitation, threat actors scanned for SharePoint servers vulnerable to CVE-2025-53770.[2] |
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | DuringSharePoint ToolShell Exploitation, threat actors issued HTTP |
| Enterprise | T1119 | Automated Collection | DuringSharePoint ToolShell Exploitation, threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings.[5][2] | |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | DuringSharePoint ToolShell Exploitation, threat actors used PowerShell to execute attacker-controlled encoded commands.[1][3][6][2] |
| .003 | Command and Scripting Interpreter:Windows Command Shell | DuringSharePoint ToolShell Exploitation, threat actors utilized | ||
| Enterprise | T1486 | Data Encrypted for Impact | DuringSharePoint ToolShell Exploitation, threat actors deployed ransomware including 4L4MD4R and Warlock.[1][2] | |
| Enterprise | T1005 | Data from Local System | DuringSharePoint ToolShell Exploitation, threat actors extracted information from the compromised systems.[1][4][6][2] | |
| Enterprise | T1074 | .001 | Data Staged:Local Data Staging | DuringSharePoint ToolShell Exploitation, threat actors staged stolen data from web.config files to debug_dev.js.[2][5] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DuringSharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution.[2] | |
| Enterprise | T1484 | .001 | Domain or Tenant Policy Modification:Group Policy Modification | DuringSharePoint ToolShell Exploitation, threat actors, including Storm-2603, modified group policy to enable ransomware distribution.[1] |
| Enterprise | T1585 | .002 | Establish Accounts:Email Accounts | DuringSharePoint ToolShell Exploitation, threat actors created Proton mail accounts for communication with organizations infected with ransomware.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | DuringSharePoint ToolShell Exploitation, threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure.[1] | |
| Enterprise | T1190 | Exploit Public-Facing Application | DuringSharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted | |
| Enterprise | T1083 | File and Directory Discovery | DuringSharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content.[1] | |
| Enterprise | T1657 | Financial Theft | DuringSharePoint ToolShell Exploitation, threat actors demanded ransom payments to unencrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks.[2] | |
| Enterprise | T1562 | .001 | Impair Defenses:Disable or Modify Tools | DuringSharePoint ToolShell Exploitation, threat actors disabled Microsoft Defender through Registry settings and real-time monitoring via PowerShell.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | DuringSharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware.[2] | |
| Enterprise | T1570 | Lateral Tool Transfer | DuringSharePoint ToolShell Exploitation, threat actors usedImpacket to remotely stage and execute payloads via WMI.[1] | |
| Enterprise | T1112 | Modify Registry | DuringSharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications.[1] | |
| Enterprise | T1027 | .002 | Obfuscated Files or Information:Software Packing | DuringSharePoint ToolShell Exploitation, threat actors UPX-packed malicous payloads including 4L4MD4R ransomware.[2] |
| .010 | Obfuscated Files or Information:Command Obfuscation | DuringSharePoint ToolShell Exploitation, threat actors executed Base64-encoded PowerShell commands.[1][3][5][6][2] | ||
| Enterprise | T1588 | .002 | Obtain Capabilities:Tool | DuringSharePoint ToolShell Exploitation, threat actors leveraged tools includingImpacket,PsExec, andMimikatz.[1] |
| Enterprise | T1003 | .001 | OS Credential Dumping:LSASS Memory | DuringSharePoint ToolShell Exploitation, threat actors usedMimikatz to dump LSASS memory.[1] |
| Enterprise | T1572 | Protocol Tunneling | DuringSharePoint ToolShell Exploitation, threat actors utilizedngrok tunnels to deliver PowerShell payloads.[1] | |
| Enterprise | T1090 | Proxy | DuringSharePoint ToolShell Exploitation, threat actors used Fast Reverse Proxy to communicate with C2.[1][4] | |
| Enterprise | T1620 | Reflective Code Loading | DuringSharePoint ToolShell Exploitation, threat actors reflectively loaded payloads using | |
| Enterprise | T1053 | .005 | Scheduled Task/Job:Scheduled Task | DuringSharePoint ToolShell Exploitation, threat actors used scheduled tasks to help establish persistence.[1] |
| Enterprise | T1505 | .003 | Server Software Component:Web Shell | DuringSharePoint ToolShell Exploitation, threat actors followed exploitation of SharePoint servers with installation of a malicious .aspx web shell (spinstall0.aspx) that was written to the |
| .004 | Server Software Component:IIS Components | DuringSharePoint ToolShell Exploitation, threat actors modified Internet Information Services (IIS) components to load suspicious .NET assemblies for persistence.[1] | ||
| Enterprise | T1082 | System Information Discovery | DuringSharePoint ToolShell Exploitation, threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes.[1] | |
| Enterprise | T1033 | System Owner/User Discovery | DuringSharePoint ToolShell Exploitation, threat actors executed | |
| Enterprise | T1569 | .002 | System Services:Service Execution | DuringSharePoint ToolShell Exploitation, threat actors leveragedPsExec for command execution and used |
| Enterprise | T1552 | .001 | Unsecured Credentials:Credentials In Files | DuringSharePoint ToolShell Exploitation, threat actors accessed web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads.[1][3][5][6][2] |
| Enterprise | T1047 | Windows Management Instrumentation | DuringSharePoint ToolShell Exploitation, threat actors used WMI for execution.[1] | |
Software
References
- Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025.
- Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025.
- Eye Security. (2025, July 19). SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704). Retrieved October 15, 2025.
- ESET Research. (2025, July 24). ToolShell: An all-you-can-eat buffet for threat actors. Retrieved October 15, 2025.
- Trend Micro Research. (2022, July 22). Proactive Security Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771). Retrieved October 15, 2025.
- Kenin, S. et al. (2025, July 21). SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers. Retrieved October 15, 2025.