CVE-2025-53770 - SharePoint ToolShell
WebShell Discovery from w3wp.exe
Tags: EDR, detection, T1190, T1620
FDR | intermediate | by CrowdStrike (cql-hub.com) | 1 min read
Query
// CVE-2025-53770 - WebShell Discovery from w3wp.exe
correlate(
cmd: {
#event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
} include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
pwsh: {
#event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
| aid <=> cmd.aid
| ParentProcessId <=> cmd.TargetProcessId
} include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
aspx: {
#event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/\.aspx/i
| aid <=> cmd.aid
| ContextProcessId <=> pwsh.TargetProcessId
} include: [aid, ComputerName, TargetFileName],
sequence=true, within=5m)
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
Variables to adjust
Review and adjust the values to fit your environment.
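To make the three-stage join explicit, here is an added Python re-implementation of the correlate() logic above, run over a handful of constructed Falcon-style events. It is not part of the cql-hub page or CrowdStrike's query. The field names (aid, TargetProcessId, ParentProcessId, ContextProcessId, event_simpleName) follow the query; the event records, hostnames, PIDs, paths and timestamps are all constructed, and the sample set includes three decoys (wrong parent process, different sensor, write outside the 5-minute window) so you can see what each join key and the sequence/within constraints exclude.

```python
import re
from datetime import datetime, timedelta

# Stage predicates mirror the three sub-queries of the CQL correlate() above.
SCRIPT_WRITTEN = {"NewScriptWritten", "WebScriptFileWritten"}
ASPX_RE = re.compile(r"\.aspx", re.IGNORECASE)   # FileName=/\.aspx/i


def _ts(event):
    return datetime.fromisoformat(event["timestamp"])


def is_cmd_stage(e):
    """cmd: cmd.exe spawned by the IIS worker process w3wp.exe."""
    return (e.get("event_simpleName") == "ProcessRollup2"
            and e.get("event_platform") == "Win"
            and e.get("FileName") == "cmd.exe"
            and e.get("ParentBaseFileName") == "w3wp.exe")


def is_pwsh_stage(e, cmd):
    """pwsh: powershell.exe on the same sensor (aid) whose parent PID is the cmd.exe process."""
    return (e.get("event_simpleName") == "ProcessRollup2"
            and e.get("event_platform") == "Win"
            and e.get("FileName") == "powershell.exe"
            and e.get("aid") == cmd["aid"]
            and e.get("ParentProcessId") == cmd["TargetProcessId"])


def is_aspx_stage(e, cmd, pwsh):
    """aspx: a script-write event for an .aspx file whose ContextProcessId is the powershell.exe process."""
    return (e.get("event_simpleName") in SCRIPT_WRITTEN
            and e.get("event_platform") == "Win"
            and ASPX_RE.search(e.get("FileName", "")) is not None
            and e.get("aid") == cmd["aid"]
            and e.get("ContextProcessId") == pwsh["TargetProcessId"])


def correlate(events, window_minutes=5):
    """Return one hit per cmd -> pwsh -> aspx chain that occurs in that order (sequence=true)
    and whose last event falls within window_minutes of the first (within=5m)."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=_ts)
    hits = []
    for i, cmd in enumerate(events):
        if not is_cmd_stage(cmd):
            continue
        for j in range(i + 1, len(events)):
            pwsh = events[j]
            if _ts(pwsh) - _ts(cmd) > window:
                break          # events are sorted; nothing later can be inside the window
            if not is_pwsh_stage(pwsh, cmd):
                continue
            for k in range(j + 1, len(events)):
                aspx = events[k]
                if _ts(aspx) - _ts(cmd) > window:
                    break
                if is_aspx_stage(aspx, cmd, pwsh):
                    hits.append({            # same fields the query's include: [...] lists
                        "aid": cmd["aid"],
                        "ComputerName": cmd.get("ComputerName"),
                        "cmd.CommandLine": cmd.get("CommandLine"),
                        "pwsh.CommandLine": pwsh.get("CommandLine"),
                        "TargetFileName": aspx.get("TargetFileName"),
                    })
    return hits


# Constructed sample events (not real telemetry): one true chain plus three decoys.
SAMPLE_EVENTS = [
    {"timestamp": "2025-07-20T10:00:00", "event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "aid": "aid-A", "ComputerName": "SP-WFE01", "TargetProcessId": 1001,
     "ParentBaseFileName": "w3wp.exe", "FileName": "cmd.exe", "CommandLine": "cmd.exe /c powershell.exe ..."},
    {"timestamp": "2025-07-20T10:00:02", "event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "aid": "aid-A", "ComputerName": "SP-WFE01", "TargetProcessId": 1002, "ParentProcessId": 1001,
     "ParentBaseFileName": "cmd.exe", "FileName": "powershell.exe", "CommandLine": "powershell.exe ..."},
    # Decoy 1: cmd.exe started from explorer.exe (interactive admin); parent is not w3wp.exe.
    {"timestamp": "2025-07-20T10:00:03", "event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "aid": "aid-A", "ComputerName": "SP-WFE01", "TargetProcessId": 2001,
     "ParentBaseFileName": "explorer.exe", "FileName": "cmd.exe", "CommandLine": "cmd.exe"},
    # Decoy 2: .aspx written on a different sensor; aid does not match the cmd stage.
    {"timestamp": "2025-07-20T10:00:04", "event_simpleName": "NewScriptWritten", "event_platform": "Win",
     "aid": "aid-B", "ComputerName": "SP-WFE02", "ContextProcessId": 1002,
     "FileName": "other.aspx", "TargetFileName": "C:\\inetpub\\wwwroot\\other.aspx"},
    # True chain completes here: .aspx written by the powershell.exe process, 5 s after cmd.exe.
    {"timestamp": "2025-07-20T10:00:05", "event_simpleName": "WebScriptFileWritten", "event_platform": "Win",
     "aid": "aid-A", "ComputerName": "SP-WFE01", "ContextProcessId": 1002,
     "FileName": "page.aspx", "TargetFileName": "C:\\inetpub\\wwwroot\\page.aspx"},
    # Decoy 3: same process writes another .aspx 20 minutes later, outside within=5m.
    {"timestamp": "2025-07-20T10:20:00", "event_simpleName": "NewScriptWritten", "event_platform": "Win",
     "aid": "aid-A", "ComputerName": "SP-WFE01", "ContextProcessId": 1002,
     "FileName": "late.aspx", "TargetFileName": "C:\\inetpub\\wwwroot\\late.aspx"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Running the script yields exactly one hit (page.aspx on aid-A). Widening window_minutes to 30 also picks up late.aspx, which is the trade-off the within=5m value encodes: a short window keeps noise down on busy SharePoint front ends, a longer one catches slower hands-on-keyboard activity.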