C0058: SharePoint ToolShell Exploitation
The SharePoint ToolShell Exploitation campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actors Threat Group-3390 and ZIRCONIUM. SharePoint ToolShell Exploitation targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.[1][2][3][4][5]
Analyst context for executives and security teams
SharePoint ToolShell Exploitation matters because it describes real-world exploitation waves against incompletely patched on-premises Microsoft SharePoint servers. For leaders, the decision point is not just “was the patch applied,” but whether exposed SharePoint systems were fully updated, monitored, and reviewed for follow-on activity such as credential theft, remote execution, staging, tunneling, and exfiltration.
Executive priority
Treat this as a vulnerability-management and incident-readiness priority for any organization running on-premises SharePoint, especially where SharePoint supports regulated, business-critical, or sensitive collaboration workflows. Executives should ask for evidence of complete remediation for CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771; confirmation of internet exposure; and a post-patch compromise assessment, because the ATT&CK relationships include credential access, collection, command-and-control, lateral execution tools, and exfiltration behaviors.
Technical view
The campaign object has no official ATT&CK detection text or campaign-level tactics/platforms, but its description and relationships point defenders toward an on-prem SharePoint initial-access scenario followed by Windows-centric execution, discovery, credential dumping, persistence, staging, tunneling, and exfiltration. SOC and IR teams should validate whether SharePoint/web server events can be correlated with host telemetry for PowerShell, cmd, WMI, scheduled tasks, registry modification, LSASS access, PsExec/Impacket-style remote execution, ngrok-like tunneling, local data staging, and outbound web/proxy traffic.
Likely telemetry
- SharePoint and web server access/error logs for vulnerable on-premises SharePoint systems
- Vulnerability and patch inventory showing remediation status for CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771
- Windows process creation and command-line logging for PowerShell, cmd, WMI, PsExec-like execution, and scripting activity
- Endpoint security telemetry for LSASS access, credential dumping tools such as Mimikatz, packed binaries, decoded payloads, and suspicious file writes
- Scheduled task creation/modification and Windows Registry modification events
Detection direction
- Start with exposure and patch validation: identify all on-premises SharePoint servers and confirm they were completely remediated, not only partially patched.
- Correlate suspected SharePoint exploitation windows with new child processes, web service account activity, tool downloads, scheduled tasks, registry changes, and unusual outbound connections.
- Tune carefully for dual-use tools. PsExec, Impacket, WMI, PowerShell, and ngrok can have legitimate administrative uses, so detection should rely on context: source host, account, timing, command line, destination, and change-ticket evidence.
- Hunt for credential-access and follow-on movement indicators after SharePoint events, especially LSASS access and use of alternate remote execution mechanisms.
- Validate egress visibility. Web-protocol C2 and proxy/tunnel behavior can blend into normal traffic, making DNS, proxy, firewall, and TLS metadata important for triage.
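The correlation step above (SharePoint exploitation window against host telemetry) is easiest to see on concrete records. The following Python is an added example, not code from the ATT&CK object or the cited reports: the IIS W3C log lines and the process-creation and file-creation events are constructed for illustration, the farm hostname `sp.corp.example` is an assumption, and the on-disk `TEMPLATE\LAYOUTS` path is the usual backing folder for the `_layouts/15` virtual directory. It flags `POST` requests to `/_layouts/15/ToolPane.aspx` whose `Referer` is empty or does not come from the farm's own hostnames (the `/_layouts/SignOut.aspx` value in the constructed line is the one Microsoft's advisory [1] associates with the exploit requests), then looks within a short window for `w3wp.exe` spawning a shell and for `.aspx` files written under `LAYOUTS`.

```python
"""Correlate SharePoint IIS access logs with host telemetry (added example).

Not code from the ATT&CK object or the cited reports: the IIS lines and the
process/file events below are constructed. The hunt flags ToolPane POSTs with
an empty or off-host Referer, then attaches w3wp.exe shell spawns and LAYOUTS
.aspx writes that occur shortly afterwards.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: the farm's own hostnames. A Referer from anywhere else is treated
# as spoofed; a relative value such as /_layouts/SignOut.aspx has no host at all.
SERVER_HOSTS = {"sp.corp.example"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed IIS W3C excerpt. IIS logs UTC and writes "-" for empty fields,
# including an absent Referer and an unauthenticated cs-username.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status
2025-07-19 10:14:02 GET /_layouts/15/start.aspx - DOMAIN\\jdoe 10.0.0.5 https://sp.corp.example/sites/hr 200
2025-07-19 10:15:31 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 198.51.100.7 /_layouts/SignOut.aspx 200
2025-07-19 10:15:40 GET /_layouts/15/spinstall0.aspx - - 198.51.100.7 - 200
2025-07-19 10:22:10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit DOMAIN\\admin 10.0.0.9 https://sp.corp.example/_layouts/15/start.aspx 200
"""

# Constructed process-creation (Sysmon event 1 style) and file-creation
# (Sysmon event 11 style) events, reduced to the fields the hunt needs.
PROCESS_EVENTS = [
    {"utc": "2025-07-19 10:15:33", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    {"utc": "2025-07-19 10:22:15", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"utc": "2025-07-19 12:05:00", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe"},
]
FILE_EVENTS = [
    # Assumption: _layouts/15 is backed by TEMPLATE\LAYOUTS in the SharePoint hive.
    {"utc": "2025-07-19 10:15:35", "image": "w3wp.exe",
     "path": "C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"},
    {"utc": "2025-07-19 10:30:00", "image": "OWSTIMER.EXE",
     "path": "C:\\ProgramData\\Microsoft\\SharePoint\\Config\\cache.ini"},
]


def parse_iis_log(text):
    """Parse W3C extended lines into dicts keyed by the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def ts(event):
    return datetime.strptime(event["utc"], TS_FMT)


def suspicious_toolpane_posts(rows, server_hosts=SERVER_HOSTS):
    """Return ToolPane POSTs whose Referer is empty or off-host, with reasons."""
    hits = []
    for r in rows:
        if r["cs-method"] != "POST" or not r["cs-uri-stem"].lower().endswith("/toolpane.aspx"):
            continue
        ref = r["cs(Referer)"]
        reasons = []
        if ref == "-":
            reasons.append("empty-referer")
        else:
            parsed = urlsplit(ref)
            if parsed.netloc.lower() not in server_hosts:
                reasons.append("off-host-referer")
            if parsed.path.lower().endswith("/signout.aspx"):
                reasons.append("signout-referer")
        if not reasons:
            continue  # ordinary page-edit POST from a browser on the farm
        # An unauthenticated request reaching ToolPane is the bypass itself, but the
        # first leg of an NTLM handshake also logs "-", so record it as context only.
        if r["cs-username"] == "-":
            reasons.append("anonymous")
        hits.append({"utc": f"{r['date']} {r['time']}", "src": r["c-ip"],
                     "referer": ref, "reasons": reasons})
    return hits


def correlate(posts, process_events, file_events, window_minutes=10):
    """Attach w3wp.exe shell spawns and LAYOUTS .aspx writes seen within the window."""
    findings = []
    for p in posts:
        t0 = datetime.strptime(p["utc"], TS_FMT)
        t1 = t0 + timedelta(minutes=window_minutes)
        procs = [e for e in process_events
                 if e["parent"].lower() == "w3wp.exe" and e["image"].lower() in SHELLS
                 and t0 <= ts(e) <= t1]
        shells = [e for e in file_events
                  if "\\layouts\\" in e["path"].lower() and e["path"].lower().endswith(".aspx")
                  and t0 <= ts(e) <= t1]
        findings.append({"post": p, "child_shells": procs, "webshell_writes": shells})
    return findings


def hunt(iis_text=IIS_LOG, process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    return correlate(suspicious_toolpane_posts(parse_iis_log(iis_text)), process_events, file_events)


if __name__ == "__main__":
    for f in hunt():
        p = f["post"]
        print(f"{p['utc']} ToolPane POST from {p['src']} ({', '.join(p['reasons'])}): "
              f"{len(f['child_shells'])} shell(s) from w3wp.exe, "
              f"{len(f['webshell_writes'])} .aspx write(s) under LAYOUTS")
```

The legitimate page-edit POST from `DOMAIN\admin` is deliberately present and produces no finding, which is the dual-use point made above: ToolPane traffic alone is normal, and the signal comes from the missing authentication, the anomalous `Referer`, and what the worker process does next. On a real server the same functions would be fed the W3C files from `C:\inetpub\logs\LogFiles` and Sysmon or EDR exports rather than the constructed lists.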
Mitigation priorities
- Prioritize complete patching and verification for affected on-premises SharePoint servers, including the later updated CVEs named in the ATT&CK description.
- Reduce unnecessary internet exposure for SharePoint and enforce strong access controls around administrative interfaces and service accounts.
- Harden Windows hosts supporting SharePoint with least privilege, credential-protection practices, and monitoring for LSASS access and suspicious administrative tool use.
- Restrict and monitor outbound traffic from SharePoint servers, especially unauthorized proxy/tunnel tools, external tool transfer, and unusual HTTP/S destinations.
- Maintain centralized logging for SharePoint, Windows endpoints, authentication, scheduled tasks, registry changes, and network egress so incident responders can reconstruct activity after patching.
Analyst notes and limits
The supplied ATT&CK object describes a July 2025 campaign involving exploitation of incompletely patched on-premises SharePoint vulnerabilities and lists related software and techniques, including Mimikatz, PsExec, Impacket, ngrok, public-facing application exploitation, LSASS credential access, command execution, discovery, collection, proxy/C2, tool transfer, and exfiltration. This supports a defensive focus on both vulnerability remediation and post-exploitation hunting.
ATT&CK does not provide official detection guidance, campaign-level tactics, or campaign-level platforms for this object. The analysis above therefore relies on the official description plus the supplied relationship context and avoids asserting environment-specific exposure or detection coverage without local evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | During SharePoint ToolShell Exploitation, threat actors used scheduled tasks to help establish persistence. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1033 | System Owner/User Discovery | During SharePoint ToolShell Exploitation, threat actors executed `whoami` on victim machines to enumerate user context and validate privilege levels. (Citations: Microsoft SharePoint Exploit JUL 2025; SentinelOne ToolShell JUL 2025) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | During SharePoint ToolShell Exploitation, threat actors accessed web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads. (Citations: Microsoft SharePoint Exploit JUL 2025; Eye Research ToolShell JUL 2025; Trend Micro SharePoint Attacks JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1027.002 | Software Packing Sub-technique | During SharePoint ToolShell Exploitation, threat actors UPX-packed malicious payloads, including 4L4MD4R ransomware. (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During SharePoint ToolShell Exploitation, threat actors issued HTTP `POST` requests to web shells with spoofed or empty `Referer` headers to circumvent authorization controls. (Citations: Microsoft SharePoint Exploit JUL 2025; Eye Research ToolShell JUL 2025; Trend Micro SharePoint Attacks JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1083 | File and Directory Discovery | During SharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1505.003 | Web Shell Sub-technique | During SharePoint ToolShell Exploitation, threat actors followed exploitation of SharePoint servers with installation of a malicious .aspx web shell (spinstall0.aspx) that was written to the `_layouts/15/` directory, granting persistent HTTP-based access. (Citations: Microsoft SharePoint Exploit JUL 2025; ESET ToolShell JUL 2025; Eye Research ToolShell JUL 2025; Trend Micro SharePoint Attacks JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1583.001 | Domains Sub-technique | During SharePoint ToolShell Exploitation, threat actors registered C2 domains to spoof legitimate Microsoft domains. (Citations: Microsoft SharePoint Exploit JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During SharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution. (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, modified group policy to enable ransomware distribution. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | During SharePoint ToolShell Exploitation, threat actors used Mimikatz to dump LSASS memory. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1059.001 | PowerShell Sub-technique | During SharePoint ToolShell Exploitation, threat actors used PowerShell to execute attacker-controlled encoded commands. (Citations: Microsoft SharePoint Exploit JUL 2025; Eye Research ToolShell JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1657 | Financial Theft | During SharePoint ToolShell Exploitation, threat actors demanded ransom payments to decrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks. (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1190 | Exploit Public-Facing Application | During SharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted `POST` requests to the ToolPane endpoint `/_layouts/15/ToolPane.aspx`. (Citations: Microsoft SharePoint Exploit JUL 2025; ESET ToolShell JUL 2025; Eye Research ToolShell JUL 2025; Trend Micro SharePoint Attacks JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1047 | Windows Management Instrumentation | During SharePoint ToolShell Exploitation, threat actors used WMI for execution. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1119 | Automated Collection | During SharePoint ToolShell Exploitation, threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings. (Citations: Trend Micro SharePoint Attacks JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1572 | Protocol Tunneling | During SharePoint ToolShell Exploitation, threat actors utilized ngrok tunnels to deliver PowerShell payloads. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1585.002 | Email Accounts Sub-technique | During SharePoint ToolShell Exploitation, threat actors created Proton Mail accounts for communication with organizations infected with ransomware. (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1082 | System Information Discovery | During SharePoint ToolShell Exploitation, threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1486 | Data Encrypted for Impact | During SharePoint ToolShell Exploitation, threat actors deployed ransomware including 4L4MD4R and Warlock. (Citations: Microsoft SharePoint Exploit JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | During SharePoint ToolShell Exploitation, threat actors staged stolen data from web.config files to debug_dev.js. (Citations: Palo Alto SharePoint Vulnerabilities JUL 2025; Trend Micro SharePoint Attacks JUL 2025) |
| Enterprise | T1505.004 | IIS Components Sub-technique | During SharePoint ToolShell Exploitation, threat actors modified Internet Information Services (IIS) components to load suspicious .NET assemblies for persistence. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During SharePoint ToolShell Exploitation, threat actors utilized `cmd.exe` and batch scripts within the victim environment. (Citations: Microsoft SharePoint Exploit JUL 2025; ESET ToolShell JUL 2025; Eye Research ToolShell JUL 2025; SentinelOne ToolShell JUL 2025) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | During SharePoint ToolShell Exploitation, threat actors executed Base64-encoded PowerShell commands. (Citations: Microsoft SharePoint Exploit JUL 2025; Eye Research ToolShell JUL 2025; Trend Micro SharePoint Attacks JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1090 | Proxy | During SharePoint ToolShell Exploitation, threat actors used Fast Reverse Proxy to communicate with C2. (Citations: Microsoft SharePoint Exploit JUL 2025; ESET ToolShell JUL 2025) |
| Enterprise | T1685 | Disable or Modify Tools | During SharePoint ToolShell Exploitation, threat actors disabled Microsoft Defender through Registry settings and disabled real-time monitoring via PowerShell. (Citations: Microsoft SharePoint Exploit JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1588.002 | Tool Sub-technique | During SharePoint ToolShell Exploitation, threat actors leveraged tools including Impacket, PsExec, and Mimikatz. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1569.002 | Service Execution Sub-technique | During SharePoint ToolShell Exploitation, threat actors leveraged PsExec for command execution and used `services.exe` to disable Microsoft Defender via Registry keys. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1112 | Modify Registry | During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1620 | Reflective Code Loading | During SharePoint ToolShell Exploitation, threat actors reflectively loaded payloads using `System.Reflection.Assembly.Load`. (Citations: Microsoft SharePoint Exploit JUL 2025; Eye Research ToolShell JUL 2025; Trend Micro SharePoint Attacks JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | During SharePoint ToolShell Exploitation, threat actors scanned for SharePoint servers vulnerable to CVE-2025-53770. (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1105 | Ingress Tool Transfer | During SharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware. (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025) |
| Enterprise | T1570 | Lateral Tool Transfer | During SharePoint ToolShell Exploitation, threat actors used Impacket to remotely stage and execute payloads via WMI. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During SharePoint ToolShell Exploitation, threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure. (Citation: Microsoft SharePoint Exploit JUL 2025) |
| Enterprise | T1005 | Data from Local System | During SharePoint ToolShell Exploitation, threat actors extracted information from the compromised systems. (Citations: Microsoft SharePoint Exploit JUL 2025; ESET ToolShell JUL 2025; SentinelOne ToolShell JUL 2025; Palo Alto SharePoint Vulnerabilities JUL 2025) |
Groups, software, and campaigns
S0029: PsExec
S0002: Mimikatz
S0508: ngrok
S0357: Impacket
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4725934193e7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft SharePoint Exploit JUL 2025. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025.
[2] Palo Alto SharePoint Vulnerabilities JUL 2025. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025.
[3] Eye Research ToolShell JUL 2025. Eye Security. (2025, July 19). SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704). Retrieved October 15, 2025.
[4] ESET ToolShell JUL 2025. ESET Research. (2025, July 24). ToolShell: An all-you-can-eat buffet for threat actors. Retrieved October 15, 2025.
[5] Trend Micro SharePoint Attacks JUL 2025. Trend Micro Research. (2025, July 22). Proactive Security Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771). Retrieved October 15, 2025.
[6] mitre-attack C0058. MITRE ATT&CK source record for campaign C0058.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.