From 728aea023284f0b4ec9f5ef04ba8a244ac8ec1d3 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 23 Jul 2025 10:26:58 -0400
Subject: [PATCH 1/7] adding toolshell attack chain rules for exploit and RCE
---
 ...execution_potential_rce_via_toolshell.toml | 56 +++++++++++++++++
 ...s_potential_toolshell_exploit_attempt.toml | 61 +++++++++++++++++++
 2 files changed, 117 insertions(+)
 create mode 100644 rules/network/execution_potential_rce_via_toolshell.toml
 create mode 100644 rules/network/initial_access_potential_toolshell_exploit_attempt.toml
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules/network/execution_potential_rce_via_toolshell.toml
new file mode 100644
index 00000000000..c82f0d701e2
--- /dev/null
+++ b/rules/network/execution_potential_rce_via_toolshell.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2025/07/23"
+integration = ["network_traffic"]
+maturity = "production"
+updated_date = "2025/07/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities (CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys, sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
+"""
+from = "now-9m"
+index = ["logs-network_traffic.http*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10
+name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS"
+risk_score = 73
+rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd"
+setup = """
+### Network Traffic Setup
+
+This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks.
+"""
+severity = "high"
+tags = [
+ "Domain: Network",
+ "Tactic: Initial Access",
+ "Use Case: Threat Detection",
+ "Data Source: Network Traffic",
+ "Data Source: Network Traffic HTTP Logs",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+data_stream.dataset : "network_traffic.http" and
+ network.direction: "ingress" and
+ http.request.method: "POST" and
+ http.request.body.content: *__VIEWSTATE=* and
+ http.request.headers.content-type: "application/x-www-form-urlencoded" and
+ http.request.body.bytes >= 20 and
+ http.response.headers.server: Microsoft-IIS*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
new file mode 100644
index 00000000000..a2bff60fb78
--- /dev/null
+++ b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
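Review bot: The ATT&CK mapping at the end of the hunk (`id = "T1203"`, Exploitation for Client Execution, under TA0002) does not fit a server-side VIEWSTATE deserialization on IIS; T1203 describes vulnerabilities in client applications such as browsers and document readers, and the companion rule added in this same patch maps the exploit to `T1190` (Exploit Public-Facing Application) under TA0001. Consider aligning on T1190, or, if the rule is meant to capture the post-exploitation code-execution stage described in `description`, pair it with a technique that actually describes server-side execution rather than T1203. The `setup` text asks for request headers and bodies but not how to obtain them; if `integration = ["network_traffic"]` is the Elastic Agent packet-capture integration, the setup section should presumably name the HTTP capture options that populate `http.request.body.content` and the header fields (`include_body_for`, `send_all_headers` or `send_headers`, `send_request`) — confirm against that integration's settings before adding them.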
@@ -0,0 +1,61 @@
+
+
+[metadata]
+creation_date = "2025/05/23"
+integration = ["network_traffic"]
+maturity = "production"
+updated_date = "2025/05/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites.
+Toolshell is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access
+and execute commands. This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
+"""
+from = "now-9m"
+index = ["logs-network_traffic.http*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10
+name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
+risk_score = 47
+rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
+setup = """
+### Network Traffic Setup
+
+This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
+"""
+severity = "medium"
+tags = [
+ "Domain: Network",
+ "Tactic: Initial Access",
+ "Use Case: Exploit Detection",
+ "Data Source: Network Traffic",
+ "Data Source: Network Traffic HTTP Logs",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+data_stream.dataset : "network_traffic.http" and
+ url.path: /_layouts*ToolPane.aspx and
+ http.request.referrer: *SignOut.aspx and
+ http.request.headers.content-type: "application/x-www-form-urlencoded" and
+ network.direction: "ingress" and
+ http.request.method: "POST" and
+ request: (*MSOTlPn_Uri* and *DisplayMode*) and
+ http.request.body.bytes > 5000
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
From 8c05564c77f2450f2e227069dd9a5acd137b522c Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 23 Jul 2025 10:30:35 -0400
Subject: [PATCH 2/7] updated query
---
 rules/network/execution_potential_rce_via_toolshell.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules/network/execution_potential_rce_via_toolshell.toml
index c82f0d701e2..9456c1e08af 100644
--- a/rules/network/execution_potential_rce_via_toolshell.toml
+++ b/rules/network/execution_potential_rce_via_toolshell.toml
@@ -36,9 +36,10 @@ query = '''
 data_stream.dataset : "network_traffic.http" and
 network.direction: "ingress" and
 http.request.method: "POST" and
+ http.request.referrer: *SignOut.aspx and
 http.request.body.content: *__VIEWSTATE=* and
 http.request.headers.content-type: "application/x-www-form-urlencoded" and
- http.request.body.bytes >= 20 and
+ http.request.body.bytes >= 500 and
 http.response.headers.server: Microsoft-IIS*
 '''
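Review bot: `creation_date = "2025/05/23"` and `updated_date = "2025/05/23"` near the top of this hunk predate the July 2025 advisories the rule cites (the MSRC blog in the later references commit is under `/blog/2025/07/`), and the companion rule created in the same patch uses `2025/07/23`; this looks like a May/July slip rather than an intentional date. The same values survive unchanged as context in patches 4 and 7, so nothing later in the series corrects it; `+creation_date = "2025/07/23"` and `+updated_date = "2025/07/23"` would bring it in line with the sibling rule. If the repo's validation compares `updated_date` against the commit history, the stale date will presumably also trip that check — confirm.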
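Review bot: The added `http.request.referrer: *SignOut.aspx` is a leading-wildcard term on a keyword field, as is the existing `http.request.body.content: *__VIEWSTATE=*` two lines below it, and the sibling rule's `request: (*MSOTlPn_Uri* and *DisplayMode*)`; leading wildcards in KQL cannot use the term index and are documented by Kibana as expensive, which matters for a rule scheduled every few minutes over all ingress HTTP traffic. If the referrer value is always a full URL, anchoring on the known prefix or on `url.path` style fields that the integration populates would be cheaper; otherwise a one-line comment above the query, `# leading wildcards are intentional: referrer and body are free-form keyword fields`, documents the trade-off for the next maintainer. The query's opening `query = '''` line sits in the hunk header, so the rest of the rule is outside this hunk.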
From a1dd2ca3fa3687710f12efa8f83470672861f5f2 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 23 Jul 2025 10:32:37 -0400
Subject: [PATCH 3/7] added references
---
 rules/network/execution_potential_rce_via_toolshell.toml | 6 ++++++
 .../initial_access_potential_toolshell_exploit_attempt.toml | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules/network/execution_potential_rce_via_toolshell.toml
index 9456c1e08af..2513c042474 100644
--- a/rules/network/execution_potential_rce_via_toolshell.toml
+++ b/rules/network/execution_potential_rce_via_toolshell.toml
@@ -15,6 +15,12 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 10
 name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS"
+reference = [
+ "https://research.eye.security/sharepoint-under-siege/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
+ "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"
+]
 risk_score = 73
 rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd"
 setup = """
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
index a2bff60fb78..bd9cf7b59e4 100644
--- a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
+++ b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
@@ -19,6 +19,12 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 10
 name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
+reference = [
+ "https://research.eye.security/sharepoint-under-siege/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
+ "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"
+]
 risk_score = 47
 rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
 setup = """
From f536d6e5c3cd497c8d23fe0bb2c9eb4bfb2d7034 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 23 Jul 2025 19:10:43 -0400
Subject: [PATCH 4/7] fixed references; linted
---
 detection_rules/etc/non-ecs-schema.json | 14 ++++++++++++-
 ...execution_potential_rce_via_toolshell.toml | 19 ++++++++++++------
 ...s_potential_toolshell_exploit_attempt.toml | 20 +++++++++----------
 3 files changed, 36 insertions(+), 17 deletions(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 412f4bd941d..4e24ae9fab8 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -43,7 +43,7 @@
 "TargetLogonId": "keyword",
 "TargetProcessGUID": "keyword",
 "TargetSid": "keyword",
- "SchemaFriendlyName": "keyword",
+ "SchemaFriendlyName": "keyword",
 "Resource": "keyword",
 "RpcCallClientLocality": "keyword",
 "PrivilegeList": "keyword",
@@ -207,5 +207,17 @@
 "logs-okta*": {
 "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
 "okta.debug_context.debug_data.flattened.grantType": "keyword"
+ },
+ "logs-network_traffic.http*": {
+ "data_stream.dataset": "keyword",
+ "url.path": "keyword",
+ "http.request.referrer": "keyword",
+ "http.request.headers.content-type": "keyword",
+ "network.direction": "keyword",
+ "http.request.method": "keyword",
+ "request": "keyword",
+ "http.request.body.bytes": "long",
+ "http.request.body.content": "keyword",
+ "http.response.headers.server": "keyword"
 }
 }
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules/network/execution_potential_rce_via_toolshell.toml
index 2513c042474..33e591684b1 100644
--- a/rules/network/execution_potential_rce_via_toolshell.toml
+++ b/rules/network/execution_potential_rce_via_toolshell.toml
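Review bot: Seven of the ten fields added under `"logs-network_traffic.http*"` are standard ECS fields — `data_stream.dataset`, `url.path`, `http.request.referrer`, `network.direction`, `http.request.method`, `http.request.body.bytes` and `http.request.body.content` — while only `http.request.headers.content-type`, `http.response.headers.server` and `request` are integration-specific; if this file is meant to list non-ECS fields only, as its name suggests, the ECS entries are redundant and may shadow the ECS definition (ECS declares `http.request.body.content` as `wildcard`, here it is `"keyword"`). Trimming the block to the three non-ECS entries would keep the file honest, but confirm first whether the repo's schema validation expects every field used by a rule to be listed per index pattern; if it does, a short comment is impossible in JSON, so a note in the rules' `setup` or the PR description should say why ECS fields are repeated here.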
@@ -7,7 +7,12 @@ updated_date = "2025/07/23"
 [rule]
 author = ["Elastic"]
 description = """
-Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities (CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys, sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
+Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious
+VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to
+execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of
+exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities
+(CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys,
+sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
 """
 from = "now-9m"
 index = ["logs-network_traffic.http*"]
@@ -15,16 +20,15 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 10
 name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS"
-reference = [
+references = [
 "https://research.eye.security/sharepoint-under-siege/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
- "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"
+ "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
 ]
 risk_score = 73
 rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd"
-setup = """
-### Network Traffic Setup
+setup = """### Network Traffic Setup
 This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks.
 """
@@ -38,6 +42,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "query"
+
 query = '''
 data_stream.dataset : "network_traffic.http" and
 network.direction: "ingress" and
@@ -49,15 +54,17 @@ data_stream.dataset : "network_traffic.http" and
 http.response.headers.server: Microsoft-IIS*
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
index bd9cf7b59e4..b652e980ba3 100644
--- a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
+++ b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
@@ -1,5 +1,3 @@
-
-
 [metadata]
 creation_date = "2025/05/23"
 integration = ["network_traffic"]
@@ -9,9 +7,9 @@ updated_date = "2025/05/23"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites.
-Toolshell is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access
-and execute commands. This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
+Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell
+is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands.
+This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
 """
 from = "now-9m"
 index = ["logs-network_traffic.http*"]
@@ -19,16 +17,15 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 10
 name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
-reference = [
+references = [
 "https://research.eye.security/sharepoint-under-siege/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
- "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"
+ "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
 ]
 risk_score = 47
 rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
-setup = """
-### Network Traffic Setup
+setup = """### Network Traffic Setup
 This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
 """
@@ -42,6 +39,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "query"
+
 query = '''
 data_stream.dataset : "network_traffic.http" and
 url.path: /_layouts*ToolPane.aspx and
@@ -53,15 +51,17 @@ data_stream.dataset : "network_traffic.http" and
 http.request.body.bytes > 5000
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
From a4523724c7572c25cd17a12843a3f1644a4106b2 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 24 Jul 2025 08:21:13 -0400
Subject: [PATCH 5/7] Update rules/network/execution_potential_rce_via_toolshell.toml
Co-authored-by: Mika Ayenson, PhD
---
 rules/network/execution_potential_rce_via_toolshell.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules/network/execution_potential_rce_via_toolshell.toml
index 33e591684b1..513597513a0 100644
--- a/rules/network/execution_potential_rce_via_toolshell.toml
+++ b/rules/network/execution_potential_rce_via_toolshell.toml
@@ -35,7 +35,7 @@ This rule requires network traffic logs to be collected from HTTP endpoints, foc
 severity = "high"
 tags = [
 "Domain: Network",
- "Tactic: Initial Access",
+ "Tactic: Execution",
 "Use Case: Threat Detection",
 "Data Source: Network Traffic",
 "Data Source: Network Traffic HTTP Logs",
From ac7d8c0857016bb6bc34f78fd0c4d87216e2a195 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 24 Jul 2025 08:22:30 -0400
Subject: [PATCH 6/7] Update rules/network/initial_access_potential_toolshell_exploit_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 .../initial_access_potential_toolshell_exploit_attempt.toml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
index b652e980ba3..2ef4ff82d67 100644
--- a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
+++ b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
@@ -42,13 +42,12 @@ type = "query"
 query = '''
 data_stream.dataset : "network_traffic.http" and
- url.path: /_layouts*ToolPane.aspx and
+ url.path: (/_layouts*ToolPane.aspx* or /_layouts*toolpane.aspx*) and
 http.request.referrer: *SignOut.aspx and
- http.request.headers.content-type: "application/x-www-form-urlencoded" and
 network.direction: "ingress" and
 http.request.method: "POST" and
 request: (*MSOTlPn_Uri* and *DisplayMode*) and
- http.request.body.bytes > 5000
+ http.request.body.bytes > 2000
 '''
From 9c5dd6762a16400d9f0a44728b70f91bf656b0b7 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Fri, 25 Jul 2025 12:53:20 -0400
Subject: [PATCH 7/7] changed to BBR; lowered severity; adjusted queries
---
 .../execution_potential_rce_via_toolshell.toml | 13 +++++++------
 ..._access_potential_toolshell_exploit_attempt.toml | 8 +++++---
 2 files changed, 12 insertions(+), 9 deletions(-)
 rename {rules/network => rules_building_block}/execution_potential_rce_via_toolshell.toml (93%)
 rename {rules/network => rules_building_block}/initial_access_potential_toolshell_exploit_attempt.toml (95%)
diff --git a/rules/network/execution_potential_rce_via_toolshell.toml b/rules_building_block/execution_potential_rce_via_toolshell.toml
similarity index 93%
rename from rules/network/execution_potential_rce_via_toolshell.toml
rename to rules_building_block/execution_potential_rce_via_toolshell.toml
index 513597513a0..c43a1dceffd 100644
--- a/rules/network/execution_potential_rce_via_toolshell.toml
+++ b/rules_building_block/execution_potential_rce_via_toolshell.toml
@@ -6,6 +6,7 @@ updated_date = "2025/07/23"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious
 VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to
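Review bot: The new `url.path: (/_layouts*ToolPane.aspx* or /_layouts*toolpane.aspx*)` enumerates two spellings of a path that IIS resolves case-insensitively, and `url.path` was registered as `keyword` in the schema commit earlier in this series, so the match stays exact-case and covers only those two forms. A case-insensitive comparison — for example matching against a lowercased copy of the field produced at ingest, if the integration provides one — would cover the path without a growing `or` list; if the two-variant form is kept, a one-line comment above the query such as `# url.path is a keyword field: matching is case-sensitive, hence both spellings` tells the next maintainer why it is written this way. The hunk also drops the `http.request.headers.content-type` condition, but the rule's `setup` text (outside this hunk) still says request bodies are required for content-type `application/x-www-form-urlencoded`; that sentence should be re-read against the new query so the setup guidance and the logic do not drift.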
@@ -18,7 +19,7 @@ from = "now-9m"
 index = ["logs-network_traffic.http*"]
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10
+max_signals = 100
 name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS"
 references = [
 "https://research.eye.security/sharepoint-under-siege/",
@@ -26,19 +27,20 @@ references = [
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
 "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd"
 setup = """### Network Traffic Setup
 This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks.
 """
-severity = "high"
+severity = "medium"
 tags = [
 "Domain: Network",
- "Tactic: Execution",
- "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Use Case: Exploit Detection",
 "Data Source: Network Traffic",
 "Data Source: Network Traffic HTTP Logs",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -49,7 +51,6 @@ data_stream.dataset : "network_traffic.http" and
 http.request.method: "POST" and
 http.request.referrer: *SignOut.aspx and
 http.request.body.content: *__VIEWSTATE=* and
- http.request.headers.content-type: "application/x-www-form-urlencoded" and
 http.request.body.bytes >= 500 and
 http.response.headers.server: Microsoft-IIS*
 '''
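Review bot: The tags in the second hunk switch back to `"Tactic: Initial Access"` and `"Use Case: Exploit Detection"`, yet the rule's `[rule.threat.tactic]` block (outside this hunk, untouched by this patch) still maps to TA0002 Execution, and patch 5 in this series had just changed the tag to `"Tactic: Execution"` for exactly that reason. One side has to move: either keep `+  "Tactic: Execution",` here, or also re-map the threat block to T1190 / TA0001 if the rule is now meant to sit alongside the initial-access building block — the repo's rule checks presumably compare tags with the threat mapping, so confirm which is intended before merging. `+  "Rule Type: BBR"` is also the only tags entry without a trailing comma, unlike the rest of the list the lint commit normalized; the same applies to the sibling rule's final hunk. The header of the earlier hunk in this file still shows `updated_date = "2025/07/23"` for a change dated 07/25; bump it if the repo expects `updated_date` to track the last edit.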
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules_building_block/initial_access_potential_toolshell_exploit_attempt.toml
similarity index 95%
rename from rules/network/initial_access_potential_toolshell_exploit_attempt.toml
rename to rules_building_block/initial_access_potential_toolshell_exploit_attempt.toml
index 2ef4ff82d67..9a9b60dcbf4 100644
--- a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
+++ b/rules_building_block/initial_access_potential_toolshell_exploit_attempt.toml
@@ -6,6 +6,7 @@ updated_date = "2025/05/23"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell
 is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands.
@@ -15,7 +16,7 @@ from = "now-9m"
 index = ["logs-network_traffic.http*"]
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10
+max_signals = 100
 name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
 references = [
 "https://research.eye.security/sharepoint-under-siege/",
@@ -23,19 +24,20 @@ references = [
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
 "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
 setup = """### Network Traffic Setup
 This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
 """
-severity = "medium"
+severity = "low"
 tags = [
 "Domain: Network",
 "Tactic: Initial Access",
 "Use Case: Exploit Detection",
 "Data Source: Network Traffic",
 "Data Source: Network Traffic HTTP Logs",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
 type = "query"