-
Notifications
You must be signed in to change notification settings - Fork 600
[New Rule] Toolshell Exploit Chain Detections #4928
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 9 commits
Commits
Show all changes
16 commits
Select commit
Hold shift + click to select a range
728aea0
adding toolshell attack chain rules for exploit and RCE
terrancedejesus 8c05564
updated query
terrancedejesus a1dd2ca
added references
terrancedejesus f536d6e
fixed references; linted
terrancedejesus a452372
Update rules/network/execution_potential_rce_via_toolshell.toml
terrancedejesus ac7d8c0
Update rules/network/initial_access_potential_toolshell_exploit_attem…
terrancedejesus 9c5dd67
changed to BBR; lowered severity; adjusted queries
terrancedejesus b26876e
Merge branch 'main' into hunting-toolshell-attack-chain
terrancedejesus 7856e69
Merge branch 'main' into hunting-toolshell-attack-chain
terrancedejesus 7bef319
Merge branch 'main' into hunting-toolshell-attack-chain
terrancedejesus e6b2bee
Update rules_building_block/execution_potential_rce_via_toolshell.toml
terrancedejesus 10e8e0e
Update rules_building_block/execution_potential_rce_via_toolshell.toml
terrancedejesus 72a4a9b
Merge branch 'main' into hunting-toolshell-attack-chain
terrancedejesus f67ce00
fixed from and interval failures
terrancedejesus 8e72510
Merge branch 'main' into hunting-toolshell-attack-chain
terrancedejesus 71ac7e5
changed file name
terrancedejesus File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
rules_building_block/execution_potential_rce_via_toolshell.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| [metadata] | ||
| creation_date = "2025/07/23" | ||
| integration = ["network_traffic"] | ||
| maturity = "production" | ||
| updated_date = "2025/07/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious | ||
| VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to | ||
| execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of | ||
| exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities | ||
| (CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys, | ||
| sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-network_traffic.http*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| max_signals = 100 | ||
| name = "Potential VIEWSTATE RCE Attempt on SharePoint/IIS" | ||
| references = [ | ||
| "https://research.eye.security/sharepoint-under-siege/", | ||
| "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771", | ||
| "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770", | ||
| "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "99c9af5a-67cf-11f0-b69e-f661ea17fbcd" | ||
| setup = """### Network Traffic Setup | ||
|
|
||
| This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks. | ||
| """ | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Network", | ||
| "Tactic: Initial Access", | ||
| "Use Case: Exploit Detection", | ||
| "Data Source: Network Traffic", | ||
| "Data Source: Network Traffic HTTP Logs", | ||
| "Rule Type: BBR" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset : "network_traffic.http" and | ||
| network.direction: "ingress" and | ||
| http.request.method: "POST" and | ||
| http.request.referrer: *SignOut.aspx and | ||
| http.request.body.content: *__VIEWSTATE=* and | ||
| http.request.body.bytes >= 500 and | ||
| http.response.headers.server: Microsoft-IIS* | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1203" | ||
| name = "Exploitation for Client Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1203/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0002" | ||
| name = "Execution" | ||
| reference = "https://attack.mitre.org/tactics/TA0002/" | ||
terrancedejesus marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
68 changes: 68 additions & 0 deletions
68
rules_building_block/initial_access_potential_toolshell_exploit_attempt.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| [metadata] | ||
| creation_date = "2025/05/23" | ||
| integration = ["network_traffic"] | ||
| maturity = "production" | ||
| updated_date = "2025/05/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell | ||
| is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands. | ||
| This rule detects HTTP requests that match specific patterns indicative of the exploit attempt. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-network_traffic.http*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| max_signals = 100 | ||
| name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)" | ||
| references = [ | ||
| "https://research.eye.security/sharepoint-under-siege/", | ||
| "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771", | ||
| "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770", | ||
| "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/", | ||
| ] | ||
| risk_score = 21 | ||
| rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd" | ||
| setup = """### Network Traffic Setup | ||
|
|
||
| This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts. | ||
| """ | ||
| severity = "low" | ||
| tags = [ | ||
| "Domain: Network", | ||
| "Tactic: Initial Access", | ||
| "Use Case: Exploit Detection", | ||
| "Data Source: Network Traffic", | ||
| "Data Source: Network Traffic HTTP Logs", | ||
| "Rule Type: BBR" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset : "network_traffic.http" and | ||
| url.path: (/_layouts*ToolPane.aspx* or /_layouts*toolpane.aspx*) and | ||
| http.request.referrer: *SignOut.aspx and | ||
| network.direction: "ingress" and | ||
| http.request.method: "POST" and | ||
| request: (*MSOTlPn_Uri* and *DisplayMode*) and | ||
| http.request.body.bytes > 2000 | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1190" | ||
| name = "Exploit Public-Facing Application" | ||
| reference = "https://attack.mitre.org/techniques/T1190/" | ||
|
|
||
terrancedejesus marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
terrancedejesus marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.