ToolShell is a term used by researchers to describe a sophisticated post-exploitation attack chain targeting Microsoft SharePoint servers. This campaign has been widely observed exploiting a zero-day vulnerability, now registered as CVE-2025-53770, that allows unauthenticated remote code execution via crafted requests to ToolPane.aspx. Threat actors, including those attributed to China-based groups such as Linen Typhoon, Violet Typhoon, and Storm-2603, began abusing this flaw in mid-2025. The attack chain involves harvesting cryptographic keys, crafting valid signed payloads, and achieving persistent access. This report walks through the exploitation steps, detection strategies, and four Anomali Query Language (AQL) queries designed to assist defenders in identifying potentially suspicious activity.
The CVE-2025-53770 vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition. It allows threat actors to exploit the ToolPane.aspx endpoint without authentication by spoofing the Referrer header to point to SignOut.aspx. If successful, the attacker can drop a reconnaissance payload (spinstall0.aspx) and begin harvesting the server’s cryptographic keys.
This report aims to provide a detection-focused breakdown of this threat, outlining four AQL log-based hunting queries that security teams can deploy to uncover different stages of the attack chain.
"ToolShell" is a name given by cybersecurity researchers to a SharePoint-focused attack sequence, not a downloadable toolkit. Key behaviors observed in the attack:
A spoofed HTTP POST request is sent to `/layouts/15/ToolPane.aspx?DisplayMode=Edit` with a Referrer header set to SignOut.aspx, bypassing authentication checks. [4]
A PowerShell command writes the payload (spinstall0.aspx) into the SharePoint LAYOUTS directory. [5]
spinstall0.aspx is invoked via HTTP GET, dumping sensitive values such as:
These are typically found in the web.config file or pulled from memory. [6]
With the keys, attackers use ysoserial.net to create malicious ViewState payloads that allow unauthenticated command execution. [7]
Command execution typically involves PowerShell payloads, in-memory .NET reflection, or outbound Command and Control (C2) to hardcoded IPs such as 107.191.58[.]76. [8]
Detection is structured into four categories, each with a tailored AQL query:
| Category | Purpose |
|---|---|
| HTTP Request | Detect POST to ToolPane.aspx (initial exploit) |
| Web Shell Indicators | Catch access or creation of spinstall0.aspx |
| Process Indicators | Detect suspicious child processes from w3wp.exe |
| Network Indicators | Identify C2 connections or IOC-based traffic |
spinstall0.aspx is not a web shell in the conventional sense. It does not provide interactive access but instead performs a single function: dumping cryptographic key material from the SharePoint environment. This file is a key part of the attack chain and should be treated as a high-confidence IOC. [9]
This detection query targets the initial access vector of the ToolShell attack chain by identifying suspicious HTTP POST requests to ToolPane.aspx, a key component exploited in CVE-2025-53770.
The query focuses on web logs and filters for requests where the URL includes /layouts/15/ToolPane.aspx or /layouts/16/ToolPane.aspx, combined with the query parameter DisplayMode=Edit. This specific parameter is required to trigger the vulnerable SharePoint control.
To catch authentication bypass attempts, the query looks for spoofed Referrer headers referencing /layouts/SignOut.aspx. Multiple fields (url, dest, file_path, action_detail) are checked to account for differences in how various logging systems store request data. The use of the POST method, the exact path and parameter combination, and the forged referrer together form a high-confidence indicator of a possible exploitation attempt. This approach aims to ensure visibility into both successful and blocked requests while minimising false positives.
The query tightens focus by inspecting web request metadata for ToolShell specific indicators, including:
This detection query identifies post-exploitation activity tied to the deployment and use of malicious .aspx files, specifically reconnaissance payloads like spinstall0.aspx used in the ToolShell attack chain. It monitors both HTTP GET requests and local file system activity to catch cases where these payloads are either accessed via the web or created on disk.
The query looks for .aspx file creation, modification, or access events under typical SharePoint paths such as LAYOUTS, wwwroot, inetpub, Microsoft Shared, as these are common targets for attacker webshell drops. Moreover, the query inspects URL and destination fields for known ToolShell-related filenames such as spinstall0.aspx and patterns "spinstall\d+.aspx" as well as generic web shell indicators like cmd.aspx or webshell.aspx.
Furthermore, the query flags suspicious URL parameters that signal key extraction (ValidationKey, DecryptionKey, MachineKey) or remote code execution attempts (cmd=, exec=, eval=). This two-fold focus on both file activity and HTTP traffic ensures the detection can catch both interactive web shell use and stealthy reconnaissance payloads that masquerade as legitimate content.
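The HTTP-side logic of the first two categories (the ToolPane.aspx POST with its SignOut.aspx referrer, and the spinstall/web-shell names and key-dump or RCE parameters) expressed over raw IIS log lines, as an added Python example that is not one of the AQL queries or any Anomali code. It assumes IIS W3C extended logging with the column order given in FIELDS, and the sample lines, function names and tag names are constructed for the example.

```python
import re

# Column order of the constructed IIS W3C log lines below: an assumption, since a real
# server logs whatever its #Fields: header lists.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]

TOOLPANE = re.compile(r"/_?layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT = re.compile(r"/_?layouts/(?:1[56]/)?signout\.aspx", re.I)
SHELL_NAME = re.compile(r"/(?:spinstall\d+|cmd|webshell)\.aspx$", re.I)
KEY_PARAM = re.compile(r"validationkey|decryptionkey|machinekey", re.I)
RCE_PARAM = re.compile(r"\b(?:cmd|exec|eval)=", re.I)

def parse_w3c(line):
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(line):
    """Return the ToolShell indicator tags that fire for one IIS log line."""
    rec = parse_w3c(line)
    if rec is None:
        return []
    stem, query, referer = rec["cs-uri-stem"], rec["cs-uri-query"], rec["cs(Referer)"]
    tags = []
    # Initial exploit: POST to ToolPane.aspx?DisplayMode=Edit, with a SignOut.aspx referrer
    if rec["cs-method"] == "POST" and TOOLPANE.search(stem):
        if "displaymode=edit" in query.lower():
            tags.append("toolpane_post")
        if SIGNOUT.search(referer):
            tags.append("signout_referrer")
    # Post-exploitation: reconnaissance/web-shell names, key-dump or RCE parameters
    if SHELL_NAME.search(stem):
        tags.append("webshell_name")
    if KEY_PARAM.search(query):
        tags.append("key_dump_param")
    if RCE_PARAM.search(query):
        tags.append("rce_param")
    return tags

def hunt(log_text):
    # Map each flagged line number (1-based) to its tags; clean lines are omitted.
    return {n: t for n, line in enumerate(log_text.splitlines(), 1) if (t := classify(line))}

# Constructed sample: one exploit-style POST, one reconnaissance GET, one benign request.
SAMPLE_LOG = """\
2025-07-19 10:01:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:01:07 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-19 10:02:00 10.0.0.5 GET /sites/hr/Lists/Tasks/AllItems.aspx - 443 jdoe 10.0.0.20 Mozilla/5.0 https://sp.example.test/sites/hr 200
"""
```

Running hunt(SAMPLE_LOG) flags lines 1 and 2 only; the benign list view on line 3 produces no tags.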
The query tightens focus by detecting malicious file activity and HTTP access patterns, including:
This query is designed to detect malicious post-exploitation behaviour tied to the ToolShell attack chain, specifically focusing on process creation events stemming from SharePoint's IIS worker process w3wp.exe.
It identifies instances where w3wp.exe spawns suspicious child processes like cmd.exe or powershell.exe. This is highly abnormal in legitimate SharePoint operation and typically signals the execution of malicious payloads.
The query tightens focus by inspecting the command_line field for known ToolShell indicators, including:
It also ensures the context is SharePoint-specific by looking for hosts or file paths referencing SharePoint, layouts, inetpub, or .aspx files, common in the observed attack path. If any command execution includes those terms and is linked to a w3wp.exe parent, it is a strong indication of ToolShell exploitation in progress.
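The process-indicator logic described above (w3wp.exe spawning cmd.exe or powershell.exe, scored up when the command line carries ToolShell terms or SharePoint context), as an added Python example that is not the AQL query or any Anomali code. It assumes Sysmon/EDR-style process-creation events with parent_image, image, command_line and host fields; the events, the term lists and the 'high'/'medium' verdicts are constructed for the example.

```python
import re

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# Terms the write-up ties to the chain: payload name, key material, ViewState tooling.
TOOLSHELL_TERMS = re.compile(
    r"spinstall\d*\.aspx|toolpane|web\.config|validationkey|decryptionkey|machinekey|ysoserial", re.I)
# SharePoint context, checked against both the host name and the command line.
SHAREPOINT_CONTEXT = re.compile(r"sharepoint|layouts|inetpub|\.aspx", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event):
    """Return (verdict, reasons) for one process-creation event; verdict is 'high', 'medium' or None."""
    parent, child = basename(event.get("parent_image", "")), basename(event.get("image", ""))
    cmd, host = event.get("command_line", ""), event.get("host", "")
    if parent != "w3wp.exe" or child not in SUSPICIOUS_CHILDREN:
        return None, []  # e.g. csc.exe under w3wp.exe is normal ASP.NET compilation
    reasons = [f"w3wp.exe spawned {child}"]
    if TOOLSHELL_TERMS.search(cmd):
        reasons.append("ToolShell term in command line")
    if SHAREPOINT_CONTEXT.search(cmd) or SHAREPOINT_CONTEXT.search(host):
        reasons.append("SharePoint context")
    return ("high" if len(reasons) > 1 else "medium"), reasons

def hunt(events):
    """List (event id, verdict, reasons) for every event that fires."""
    hits = []
    for e in events:
        verdict, reasons = assess(e)
        if verdict:
            hits.append((e["id"], verdict, reasons))
    return hits

# Constructed sample events: a payload drop, an out-of-context shell, a legitimate
# ASP.NET compile, and an admin script not under w3wp.exe.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "host": "sharepoint-wfe01", "parent_image": W3WP, "image": PS,
     "command_line": r"powershell.exe -c Set-Content -Path 'C:\Program Files\Common Files\Microsoft Shared"
                     r"\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx' -Value '<payload>'"},
    {"id": 2, "host": "app01", "parent_image": W3WP, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"id": 3, "host": "sharepoint-wfe01", "parent_image": W3WP,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": "csc.exe /noconfig /fullpaths @build.cmdline"},
    {"id": 4, "host": "sharepoint-wfe01", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
]
```

hunt(SAMPLE_EVENTS) returns event 1 as 'high' and event 2 as 'medium'; the compiler child and the explorer-launched script are not reported.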
This detection query identifies potential C2 communication related to ToolShell by monitoring for traffic involving known malicious IPs attributed to the campaign: 96.9.125[.]147, 107.191.58[.]76 and 104.238.159[.]149. These IPs were publicly shared in research and incident reports and are consistently used across multiple infection stages.
The query checks both src_ip and dest_ip, as well as src and dest fields, to cover variation in log field naming. The inclusion of action_detail ensures visibility into auxiliary log fields that might contain embedded IP references from network appliance alerts or enriched metadata.
To avoid false positives from irrelevant hits, it requires some evidence of successful or attempted communication. This guarantees that events captured involve active data flow rather than passive background noise.
The host filter restricts results to SharePoint-relevant infrastructure, catching outbound requests from affected systems or inbound scans to known exploitation paths like /ToolPane.aspx. Together, these conditions help analysts flag command-and-control traffic, exfil attempts, or lateral movement signalling active compromise.
The query tightens focus by inspecting network traffic fields for ToolShell related C2 activity, including:
The ToolShell attack chain highlights the ongoing risk of web application vulnerabilities being chained with misconfigurations and credential harvesting. While ToolShell is not a downloadable toolkit, the techniques used in the chain represent a serious threat to SharePoint infrastructure. Defenders should prioritise hunting based on the provided queries and update detections to include signs of ViewState forgery, dropped reconnaissance payloads, and suspicious outbound network activity.
Anomali ThreatStream users can access a full write-up on ToolShell within the ThreatStream UI, including more detail on CVE-2025-53770, associated threat actors, and recommended queries for detecting ToolShell activity.
Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.