C0058 SharePoint ToolShell Exploitation
The SharePoint ToolShell Exploitation campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited, including by China-based ransomware actor Storm-2603 and espionage actors Threat Group-3390 and ZIRCONIUM. SharePoint ToolShell Exploitation targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.[4][5][3][2][1]
| Item | Value |
|---|---|
| ID | C0058 |
| Associated Names | |
| First Seen | July 2025 |
| Last Seen | July 2025 |
| Version | 1.0 |
| Created | 15 October 2025 |
| Last Modified | 12 November 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | During SharePoint ToolShell Exploitation, threat actors registered C2 domains to spoof legitimate Microsoft domains.[4][5] |
| enterprise | T1595 | Active Scanning | - |
| enterprise | T1595.002 | Vulnerability Scanning | During SharePoint ToolShell Exploitation, threat actors scanned for SharePoint servers vulnerable to CVE-2025-53770.[5] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | During SharePoint ToolShell Exploitation, threat actors issued HTTP POST requests to web shells with spoofed or empty Referer headers to circumvent authorization controls.[4][3][1][6][5] |
| enterprise | T1119 | Automated Collection | During SharePoint ToolShell Exploitation, threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings.[1][5] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | During SharePoint ToolShell Exploitation, threat actors used PowerShell to execute attacker-controlled encoded commands.[4][3][6][5] |
| enterprise | T1059.003 | Windows Command Shell | During SharePoint ToolShell Exploitation, threat actors utilized cmd.exe and batch scripts within the victim environment.[4][2][3][6] |
| enterprise | T1486 | Data Encrypted for Impact | During SharePoint ToolShell Exploitation, threat actors deployed ransomware including 4L4MD4R and Warlock.[4][5] |
| enterprise | T1005 | Data from Local System | During SharePoint ToolShell Exploitation, threat actors extracted information from the compromised systems.[4][2][6][5] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | During SharePoint ToolShell Exploitation, threat actors staged stolen data from web.config files to debug_dev.js.[5][1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | During SharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution.[5] |
| enterprise | T1484 | Domain or Tenant Policy Modification | - |
| enterprise | T1484.001 | Group Policy Modification | During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, modified group policy to enable ransomware distribution.[4] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.002 | Email Accounts | During SharePoint ToolShell Exploitation, threat actors created Proton Mail accounts for communication with organizations infected with ransomware.[5] |
| enterprise | T1041 | Exfiltration Over C2 Channel | During SharePoint ToolShell Exploitation, threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure.[4] |
| enterprise | T1190 | Exploit Public-Facing Application | During SharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted POST requests to the ToolPane endpoint /_layouts/15/ToolPane.aspx.[4][2][3][1][6][5] |
| enterprise | T1083 | File and Directory Discovery | During SharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content.[4] |
| enterprise | T1657 | Financial Theft | During SharePoint ToolShell Exploitation, threat actors demanded ransom payments to decrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks.[5] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | During SharePoint ToolShell Exploitation, threat actors disabled Microsoft Defender through Registry settings and disabled its real-time monitoring via PowerShell.[4][5] |
| enterprise | T1105 | Ingress Tool Transfer | During SharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware.[5] |
| enterprise | T1570 | Lateral Tool Transfer | During SharePoint ToolShell Exploitation, threat actors used Impacket to remotely stage and execute payloads via WMI.[4] |
| enterprise | T1112 | Modify Registry | During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications.[4] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | During SharePoint ToolShell Exploitation, threat actors UPX-packed malicious payloads including 4L4MD4R ransomware.[5] |
| enterprise | T1027.010 | Command Obfuscation | During SharePoint ToolShell Exploitation, threat actors executed Base64-encoded PowerShell commands.[4][3][1][6][5] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | During SharePoint ToolShell Exploitation, threat actors leveraged tools including Impacket, PsExec, and Mimikatz.[4] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | During SharePoint ToolShell Exploitation, threat actors used Mimikatz to dump LSASS memory.[4] |
| enterprise | T1572 | Protocol Tunneling | During SharePoint ToolShell Exploitation, threat actors utilized ngrok tunnels to deliver PowerShell payloads.[4] |
| enterprise | T1090 | Proxy | During SharePoint ToolShell Exploitation, threat actors used Fast Reverse Proxy to communicate with C2.[4][2] |
| enterprise | T1620 | Reflective Code Loading | During SharePoint ToolShell Exploitation, threat actors reflectively loaded payloads using System.Reflection.Assembly.Load.[4][3][1][6][5] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | During SharePoint ToolShell Exploitation, threat actors used scheduled tasks to help establish persistence.[4] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | During SharePoint ToolShell Exploitation, threat actors followed exploitation of SharePoint servers with installation of a malicious .aspx web shell (spinstall0.aspx) that was written to the _layouts/15/ directory, granting persistent HTTP-based access.[4][2][3][1][6][5] |
| enterprise | T1505.004 | IIS Components | During SharePoint ToolShell Exploitation, threat actors modified Internet Information Services (IIS) components to load suspicious .NET assemblies for persistence.[4] |
| enterprise | T1082 | System Information Discovery | During SharePoint ToolShell Exploitation, threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes.[4] |
| enterprise | T1033 | System Owner/User Discovery | During SharePoint ToolShell Exploitation, threat actors executed whoami on victim machines to enumerate user context and validate privilege levels.[4][6] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | During SharePoint ToolShell Exploitation, threat actors leveraged PsExec for command execution and used services.exe to disable Microsoft Defender via Registry keys.[4] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | During SharePoint ToolShell Exploitation, threat actors accessed web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads.[4][3][1][6][5] |
| enterprise | T1047 | Windows Management Instrumentation | During SharePoint ToolShell Exploitation, threat actors used WMI for execution.[4] |
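As an added defensive example (not part of the ATT&CK entry and not any vendor's tooling), the following Python script applies two of the observable indicators from the table above to IIS W3C log lines: POST requests to the ToolPane endpoint /_layouts/15/ToolPane.aspx whose Referer is empty or does not point back at the SharePoint host, and any request for spinstall0.aspx under _layouts/15/. The log excerpt, the server name sp.corp.example and the client addresses are constructed for illustration.

```python
"""Triage IIS W3C logs for ToolShell-style activity (added example, not MITRE's code).

Indicators checked, both taken from the campaign's technique table:
  1. POST to /_layouts/15/ToolPane.aspx with an empty or non-local Referer.
  2. Any request for spinstall0.aspx under /_layouts/15/ (the reported web shell name).
"""
import re
from urllib.parse import urlparse

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
WEBSHELL_RE = re.compile(r"/_layouts/15/spinstall0\.aspx$", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic). IIS writes '-' for an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 https://sp.corp.example/sites/hr 200
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 10:01:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://evil.example/ 200
2025-07-19 10:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.0.21 Mozilla/5.0 https://sp.corp.example/sites/hr/default.aspx 200
2025-07-19 10:03:30 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production pipeline would count these
        yield dict(zip(fields, values))


def is_local_referer(referer, server_hosts):
    """True only if the Referer names one of our own SharePoint hosts."""
    if referer in ("", "-"):
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in {h.lower() for h in server_hosts}


def classify(entry, server_hosts):
    """Return an indicator tag for a suspicious entry, or None for a benign one."""
    stem = entry.get("cs-uri-stem", "")
    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    if (entry.get("cs-method") == "POST" and stem.lower() == TOOLPANE_PATH
            and not is_local_referer(entry.get("cs(Referer)", "-"), server_hosts)):
        return "toolpane-post-bad-referer"
    return None


def find_suspicious(text, server_hosts):
    """Return (timestamp, client_ip, tag) for every flagged log line, in file order."""
    hits = []
    for entry in parse_iis_log(text):
        tag = classify(entry, server_hosts)
        if tag:
            hits.append((entry["date"] + " " + entry["time"], entry["c-ip"], tag))
    return hits


if __name__ == "__main__":
    for when, client, tag in find_suspicious(SAMPLE_LOG, {"sp.corp.example"}):
        print(f"{when}  {client:<15}  {tag}")
```

In the constructed excerpt the script flags the two POSTs from 203.0.113.7 (empty Referer, then a foreign one) and the later fetch of spinstall0.aspx, while the ToolPane POST from an authenticated user with an on-host Referer passes. Because the Referer is attacker-controlled and the table notes it was spoofed, treat the first rule as a triage filter; a request for spinstall0.aspx, or the file's presence in the _layouts/15/ directory on disk, is the stronger signal.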
Software
| ID | Name | Description |
|---|---|---|
| S0357 | Impacket | [4] |
| S0002 | Mimikatz | |
| S0508 | ngrok | |
References
- ESET Research. (2025, July 24). ToolShell: An all-you-can-eat buffet for threat actors. Retrieved October 15, 2025.
- Eye Security. (2025, July 19). SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704). Retrieved October 15, 2025.
- Kenin, S. et al. (2025, July 21). SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers. Retrieved October 15, 2025.