Detects a persistent webshell named 'spinstall0.aspx' deployed on Microsoft SharePoint servers.
This file exposes sensitive cryptographic machineKey values from the SharePoint configuration,
indicating the presence of a ToolShell backdoor implant. This implant is linked to targeted
post-auth RCE campaigns exploiting CVE-2025-53770.
PoC代码[已公开]
id: sharepoint-toolshell-backdoor
info:
name: SharePoint Webshell - ToolShell
author: johnk3r
severity: critical
description: |
Detects a persistent webshell named 'spinstall0.aspx' deployed on Microsoft SharePoint servers.
This file exposes sensitive cryptographic machineKey values from the SharePoint configuration,
indicating the presence of a ToolShell backdoor implant. This implant is linked to targeted
post-auth RCE campaigns exploiting CVE-2025-53770.
reference:
- https://research.eye.security/sharepoint-under-siege/
metadata:
verified: true
max-request: 1
shodan-query: http.component:"Sharepoint"
tags: sharepoint,webshell,implant,aspx,backdoor,vuln
http:
- method: GET
path:
- "{{BaseURL}}/_layouts/15/spinstall0.aspx"
matchers:
- type: dsl
dsl:
- 'len(body) <= 160'
- 'status_code == 200'
- 'contains(to_lower(header), "microsoftsharepointteamservices")'
- 'contains_all(to_lower(body), "hmacsha256", "framework20sp1", "auto")'
condition: and
extractors:
- type: regex
name: machinekey
regex:
- '^[A-Z0-9]{64}\|HMACSHA256\|[A-Z0-9]{64}\|Auto\|Framework20SP1$'
# digest: 4a0a0047304502204ce6e0753098b2e51b2d950d66037623c2fbed1085dbc210c8f1ca5459de877c022100ee4bd6266174a0ec2e462452d7d7d341bdb0e2c4860143a5d5365288fc63dc19:922c64590222798bb761d5b6d8e72950