
[New Rule] Toolshell Exploit Chain Detections #4928


Open
wants to merge 9 commits into
base: main
from
14 changes: 13 additions & 1 deletion detection_rules/etc/non-ecs-schema.json
Expand Up @@ -43,7 +43,7 @@
"TargetLogonId": "keyword",
"TargetProcessGUID": "keyword",
"TargetSid": "keyword",
"SchemaFriendlyName": "keyword",
"SchemaFriendlyName": "keyword",
"Resource": "keyword",
"RpcCallClientLocality": "keyword",
"PrivilegeList": "keyword",
Expand Down Expand Up @@ -207,5 +207,17 @@
"logs-okta*": {
"okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
"okta.debug_context.debug_data.flattened.grantType": "keyword"
},
"logs-network_traffic.http*": {
"data_stream.dataset": "keyword",
"url.path": "keyword",
"http.request.referrer": "keyword",
"http.request.headers.content-type": "keyword",
"network.direction": "keyword",
"http.request.method": "keyword",
"request": "keyword",
"http.request.body.bytes": "long",
"http.request.body.content": "keyword",
"http.response.headers.server": "keyword"
}
}
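Review bot: Most of the fields added under `logs-network_traffic.http*` — `data_stream.dataset`, `url.path`, `http.request.referrer`, `http.request.method`, `http.request.body.bytes`, `http.request.body.content`, `network.direction` — are standard ECS fields, so declaring them in the non-ECS schema looks redundant; if the rule validator already resolves ECS names, trimming the entry to the genuinely non-ECS keys (`request`, `http.request.headers.content-type`, `http.response.headers.server`) keeps this file honest about its purpose. `http.request.headers.content-type` is declared but neither rule visible in this PR queries it, so it may be a leftover from an earlier iteration. The first hunk re-emits the `"SchemaFriendlyName": "keyword"` line with no visible content change, which reads as whitespace-only churn unrelated to this rule set.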
71 changes: 71 additions & 0 deletions rules_building_block/execution_potential_rce_via_toolshell.toml
@@ -0,0 +1,71 @@
[metadata]
creation_date = "2025/07/23"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2025/07/23"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious
VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to
execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of
exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities
(CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys,
sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
"""
from = "now-9m"
index = ["logs-network_traffic.http*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 100
name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS"
references = [
"https://research.eye.security/sharepoint-under-siege/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
"https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
]
risk_score = 47
rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd"
setup = """### Network Traffic Setup

This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks.
"""
severity = "medium"
tags = [
"Domain: Network",
"Tactic: Initial Access",
"Use Case: Exploit Detection",
"Data Source: Network Traffic",
"Data Source: Network Traffic HTTP Logs",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset : "network_traffic.http" and
network.direction: "ingress" and
http.request.method: "POST" and
http.request.referrer: *SignOut.aspx and
http.request.body.content: *__VIEWSTATE=* and
http.request.body.bytes >= 500 and
http.response.headers.server: Microsoft-IIS*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
Comment on lines +59 to +64

Suggested change
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Comment on lines +68 to +70

Suggested change
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"


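Review bot: The `http.request.referrer: *SignOut.aspx` clause in `query` is a case-sensitive wildcard on a keyword field, while the companion Toolshell rule in this PR already matches both `ToolPane.aspx` and `toolpane.aspx` for the same reason; since IIS paths are case-insensitive, the two rules should treat the referrer consistently, e.g. `http.request.referrer: (*SignOut.aspx or *signout.aspx)`. The query also gates on `http.request.body.bytes >= 500` but matches on `http.request.body.content`, which the schema change in this PR types as `keyword`; if the integration mapping applies an `ignore_above` limit to that field, bodies large enough to pass the size check may never be indexed for the wildcard match — worth confirming against the network_traffic mapping before promoting to `maturity = "production"`. Minor style: `data_stream.dataset : "network_traffic.http"` uses a spaced colon while every other clause is written `field: value`.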
@@ -0,0 +1,68 @@
[metadata]
creation_date = "2025/05/23"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2025/05/23"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell
is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands.
This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
"""
from = "now-9m"
index = ["logs-network_traffic.http*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 100
name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
references = [
"https://research.eye.security/sharepoint-under-siege/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
"https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
]
risk_score = 21
rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
setup = """### Network Traffic Setup

This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
"""
severity = "low"
tags = [
"Domain: Network",
"Tactic: Initial Access",
"Use Case: Exploit Detection",
"Data Source: Network Traffic",
"Data Source: Network Traffic HTTP Logs",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset : "network_traffic.http" and
url.path: (/_layouts*ToolPane.aspx* or /_layouts*toolpane.aspx*) and
http.request.referrer: *SignOut.aspx and
network.direction: "ingress" and
http.request.method: "POST" and
request: (*MSOTlPn_Uri* and *DisplayMode*) and
http.request.body.bytes > 2000
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

Comment on lines +56 to +62

Suggested change
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Comment on lines +65 to +67

Suggested change
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"


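Review bot: `creation_date = "2025/05/23"` and `updated_date = "2025/05/23"` in `[metadata]` predate the July 2025 advisories this rule references and the CVEs it names, and the sibling rule in this PR uses `2025/07/23`; this looks like a typo, so `creation_date = "2025/07/23"` and `updated_date = "2025/07/23"` would be consistent. The `request` field used in `request: (*MSOTlPn_Uri* and *DisplayMode*)` is not an ECS field, so a sentence in `setup` naming which integration field carries the raw request line would help operators confirm it is populated before relying on this rule. The file header for this section is not visible on the page, so the rule's path could not be checked against the `Tactic: Initial Access` tag and `TA0001` tactic it declares.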