rules_building_block/initial_access_potential_toolshell_exploit_attempt.toml

[metadata]
creation_date = "2025/05/23"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2025/05/23"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell
is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands.
This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.
"""
from = "now-119m"
interval = "60m"
index = ["logs-network_traffic.http*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 100
name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"
references = [
    "https://research.eye.security/sharepoint-under-siege/",
    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
    "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
]
risk_score = 21
rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"
setup = """### Network Traffic Setup

This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
"""
severity = "low"
tags = [
    "Domain: Network",
    "Tactic: Initial Access",
    "Use Case: Exploit Detection",
    "Data Source: Network Traffic",
    "Data Source: Network Traffic HTTP Logs",
    "Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset : "network_traffic.http" and
    url.path: (/_layouts*ToolPane.aspx* or /_layouts*toolpane.aspx*) and
    http.request.referrer: *SignOut.aspx and
    network.direction: "ingress" and
    http.request.method: "POST" and
    request: (*MSOTlPn_Uri* and *DisplayMode*) and
    http.request.body.bytes >  2000
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[New Rule] Toolshell Exploit Chain Detections (#4928 ) 2025-08-29 15:17:52 -04:00			`[metadata]`
			`creation_date = "2025/05/23"`
			`integration = ["network_traffic"]`
			`maturity = "production"`
			`updated_date = "2025/05/23"`

			`[rule]`
			`author = ["Elastic"]`
			`building_block_type = "default"`
			`description = """`
			`Identifies potential exploitation of CVE-2025-53770 and CVE-2025-53771 in IIS web servers on SharePoint sites. Toolshell`
			`is an exploit chain that leverages vulnerabilities in SharePoint/IIS to gain unauthorized access and execute commands.`
			`This rule detects HTTP requests that match specific patterns indicative of the exploit attempt.`
			`"""`
			`from = "now-119m"`
			`interval = "60m"`
			`index = ["logs-network_traffic.http*"]`
			`language = "kuery"`
			`license = "Elastic License v2"`
			`max_signals = 100`
			`name = "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)"`
			`references = [`
			`"https://research.eye.security/sharepoint-under-siege/",`
			`"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",`
			`"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",`
			`"https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",`
			`]`
			`risk_score = 21`
			`rule_id = "6e4f6446-67ca-11f0-a148-f661ea17fbcd"`
			`setup = """### Network Traffic Setup`

			This rule requires network traffic logs to be collected from HTTP endpoints, specifically focusing on IIS web servers. Ensure that your network traffic logging is configured to capture HTTP request and response details, including request and response headers. Additionally, request bodies are necessary for content-type `application/x-www-form-urlencoded` to detect potential exploit attempts.
			`"""`
			`severity = "low"`
			`tags = [`
			`"Domain: Network",`
			`"Tactic: Initial Access",`
			`"Use Case: Exploit Detection",`
			`"Data Source: Network Traffic",`
			`"Data Source: Network Traffic HTTP Logs",`
			`"Rule Type: BBR"`
			`]`
			`timestamp_override = "event.ingested"`
			`type = "query"`

			`query = '''`
			`data_stream.dataset : "network_traffic.http" and`
			`url.path: (/_layoutsToolPane.aspx or /_layoutstoolpane.aspx) and`
			`http.request.referrer: *SignOut.aspx and`
			`network.direction: "ingress" and`
			`http.request.method: "POST" and`
			`request: (MSOTlPn_Uri and DisplayMode) and`
			`http.request.body.bytes > 2000`
			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1190"`
			`name = "Exploit Public-Facing Application"`
			`reference = "https://attack.mitre.org/techniques/T1190/"`


			`[rule.threat.tactic]`
			`id = "TA0001"`
			`name = "Initial Access"`
			`reference = "https://attack.mitre.org/tactics/TA0001/"`