Analyzing the SharePoint Leveraged Hack: Persistence Strategies, Detection Methods, and Key Learnings
In recent times, a series of attacks known as the ToolShell campaign have been targeting on-premises Microsoft SharePoint servers. Attackers often deploy obfuscated ASPX web shells like to maintain persistent access [1].
Case Study 1 shows why patching alone is not enough: attackers who had already extracted the server's ASP.NET machineKey used it to sign forged ViewState payloads, and regained access 48 hours after the July 19 patch was applied. Because the server accepts any ViewState that carries a valid MAC under its current key, a stolen key lets attackers bypass authentication and session validation until the key is rotated [1].
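To make the mechanism concrete, here is a small model of ASP.NET ViewState MAC validation. It is an added example written for this article, not code from the page or from Microsoft: the real framework derives per-purpose keys from the `<machineKey validationKey>` setting and uses a different wire framing, so the scheme is simplified here to `state || HMAC-SHA256(validationKey, state)`. The attacker payload and all keys are constructed inline. What it demonstrates is the point of Case Study 1: a token forged with the leaked key validates on a patched server, and only rotating the key makes the same token fail.

```python
"""
Model of ASP.NET ViewState MAC validation (added example, not Microsoft code).
Simplified framing: token = base64(state || HMAC-SHA256(validationKey, state)).
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Server side: append HMAC-SHA256(validation_key, state) and base64 it."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Server side: return the state if the MAC is valid under this key, else None.
    hmac.compare_digest keeps the comparison constant-time."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def forge_viewstate(payload: bytes, leaked_key: bytes) -> str:
    """Attacker side: with the leaked validationKey the attacker produces a token
    indistinguishable from a server-signed one. In the real campaign the payload
    is a deserialization gadget chain; here it is a constructed placeholder,
    which is all the MAC check ever inspects."""
    return sign_viewstate(payload, leaked_key)


def rotate_validation_key() -> bytes:
    """Generate a fresh 64-byte key (the size ASP.NET uses for HMACSHA256)."""
    return secrets.token_bytes(64)


def demo() -> dict:
    # Constructed scenario: the key in use before the incident, which the
    # attacker extracted from the worker process (the page's "stolen MachineKeys").
    leaked_key = secrets.token_bytes(64)
    forged = forge_viewstate(b"<constructed attacker payload>", leaked_key)

    # 1. Patched but not rotated: the server still trusts the leaked key.
    accepted_before = verify_viewstate(forged, leaked_key) is not None

    # 2. Key rotated (and IIS restarted so every worker loads the new key):
    #    the same token now fails MAC validation.
    new_key = rotate_validation_key()
    accepted_after = verify_viewstate(forged, new_key) is not None

    # 3. Tampering without the key is rejected as well: flip one byte of state.
    legit = sign_viewstate(b"normal page state", new_key)
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    tampered_accepted = verify_viewstate(tampered, new_key) is not None

    return {
        "forged_accepted_before_rotation": accepted_before,
        "forged_accepted_after_rotation": accepted_after,
        "tampered_accepted": tampered_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The important property is that nothing in the token ties it to the exploit that leaked the key: once the attacker holds `validationKey`, the patched code path is irrelevant, and the only remedy is a new key on every server in the farm.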
The rapid evolution of the ToolShell campaign has been accelerated by the publication of proof-of-concept exploits for CVE-2025-53770 and CVE-2025-53771 on GitHub, making it easier for less sophisticated actors to exploit these vulnerabilities [1].
In more sophisticated attacks, attackers use fileless execution techniques such as in-memory .NET module execution or PowerShell reflection to avoid detection [1]. Because these techniques leave few or no artifacts on disk, file-based signature detection is much less effective against them.
Attackers also establish persistence by creating scheduled tasks or modifying registry keys so that malicious payloads run at system startup or at regular intervals. In Case Study 3, an Asian telecommunications provider was compromised on July 17, 2025; the attackers used in-memory .NET execution to avoid disk-based artifacts, and the intrusion ended in the deployment of Warlock ransomware [1].
Web shells are typically written to the SharePoint LAYOUTS directory, so newly created .aspx files there are a key hunting artifact [1].
To effectively detect and mitigate persistence strategies used by attackers in the ToolShell campaign, organizations should:
- Implement targeted detection queries, such as alerting on HTTP POST requests to the known exploitation endpoints and on the spoofed Referer headers that accompany them [1].
- Apply the latest emergency security updates for CVE-2025-53770 and CVE-2025-53771 immediately [1][2][4].
- Rotate the ASP.NET machine keys (validationKey and decryptionKey), because attackers extract them from memory and can keep forging ViewState with the old values even after the server is patched [2][3].
- Restart IIS on every SharePoint server after key rotation so that running worker processes load the new keys and existing attacker footholds are invalidated [2].
- Enable the Antimalware Scan Interface (AMSI) integration in Full Mode and keep Microsoft Defender Antivirus running so that payloads are scanned before execution [2][5].
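The first item above, a detection query for the exploitation request, can be prototyped directly over IIS logs. The following is an added example written for this article, not code from the page or from Microsoft. The request shape it looks for (an anonymous POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a Referer of `/_layouts/SignOut.aspx`) is taken from public reporting on the campaign rather than from the page, so treat those constants as assumptions to tune against your own telemetry. The log excerpt is constructed, in IIS W3C extended format.

```python
"""
Hunt for ToolShell-style exploitation attempts in IIS W3C logs.
Added example, not Microsoft code. Indicators below are assumptions taken
from public reporting on the campaign; tune them to your environment.
"""
from typing import Iterable

EXPLOIT_STEMS = {"/_layouts/15/toolpane.aspx", "/_layouts/16/toolpane.aspx"}
SPOOFED_REFERER_SUFFIX = "/_layouts/signout.aspx"

# Constructed log excerpt. W3C fields are space-separated and spaces inside a
# value are encoded as '+', so a plain split on ' ' is safe.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:14:55 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/ 200 0 0 35
2025-07-19 10:15:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 120
2025-07-19 10:16:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.1.31 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/sites/hr/default.aspx 200 0 0 80
2025-07-19 10:18:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 python-requests/2.32 - 401 2 5 15
2025-07-19 10:19:10 10.0.0.5 POST /sites/hr/_vti_bin/client.svc/ProcessQuery - 443 CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/sites/hr/default.aspx 200 0 0 60
"""


def parse_w3c(lines: Iterable[str]) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: list[str] = []
    records: list[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # token 0 is the "#Fields:" directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def detect(records: Iterable[dict]) -> list[dict]:
    """Flag POSTs to the exploitation endpoint that are anonymous or carry the
    spoofed Referer. Authenticated edits with a normal Referer are expected
    SharePoint behaviour and are left alone to keep the rule quiet."""
    alerts: list[dict] = []
    for r in records:
        if r.get("cs-method") != "POST":
            continue
        if r.get("cs-uri-stem", "").lower() not in EXPLOIT_STEMS:
            continue
        referer = r.get("cs(Referer)", "-").lower()
        anonymous = r.get("cs-username", "-") == "-"
        spoofed = referer.endswith(SPOOFED_REFERER_SUFFIX)
        if not (anonymous or spoofed):
            continue
        reasons = ["POST to ToolPane.aspx"]
        if "displaymode=edit" in r.get("cs-uri-query", "").lower():
            reasons.append("DisplayMode=Edit")
        if anonymous:
            reasons.append("unauthenticated")
        if spoofed:
            reasons.append("Referer spoofed to SignOut.aspx")
        alerts.append({
            "time": f"{r['date']} {r['time']}",
            "src": r["c-ip"],
            "status": r["sc-status"],
            "severity": "high" if spoofed else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_w3c(SAMPLE_LOG.splitlines())):
        print(a)
```

On the constructed excerpt this yields two alerts: the spoofed-Referer POST that returned 200 (the one to escalate, since a 200 on an anonymous request to that endpoint is the successful case) and an anonymous attempt that was refused with 401. Run it against the logs of every front-end in the farm, not just the one you happen to be on, and pair it with the file-system hunt for new .aspx files under LAYOUTS.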
In addition, organizations should deploy advanced hunting techniques, including YARA rules designed to detect the in-memory payloads and continuously monitor for suspicious outbound network activity indicative of data exfiltration or reconnaissance [1][3].
Assuming compromise and hunting immediately within on-prem environments for IOCs related to known campaigns, especially focusing on theft of cryptographic keys and potential lateral movement, is also crucial [2][5].
Migrating to SharePoint Online may be a long-term solution for some organizations unable to secure their on-premises deployments [1]. However, for those who must continue to use on-premises servers, the ToolShell campaign underscores the need for proactive defense strategies.
In summary, effective defense against ToolShell persistence requires prompt patching of SharePoint servers, rigorous key rotation and IIS restarts, deployment of detection queries to capture exploit attempts, use of modern in-memory detection signatures, enhanced endpoint and network monitoring with AMSI enabled and Defender active, and an assumption that compromised servers must be thoroughly investigated and cleaned [1][2][3][5].
References:
[1] Microsoft Security Response Centre, "ToolShell: A campaign targeting SharePoint servers with a new web shell", 2025. [Online]. Available: https://msrc-blog.microsoft.com/2025/07/21/toolshell-a-campaign-targeting-sharepoint-servers-with-a-new-web-shell/
[2] Microsoft Security Response Centre, "Security Advisory ADV22002: SharePoint Server vulnerabilities (CVE-2025-53770, CVE-2025-53771)", 2025. [Online]. Available: https://msrc-blog.microsoft.com/2025/07/21/security-advisory-adv22002-sharepoint-server-vulnerabilities-cve-2025-53770-cve-2025-53771/
[3] Microsoft Security Response Centre, "Security Update Guide for SharePoint Server (July 2025)", 2025. [Online]. Available: https://msrc-blog.microsoft.com/2025/07/21/security-update-guide-for-sharepoint-server-july-2025/
[4] Microsoft Security Response Centre, "End-of-Support for SharePoint 2010 and 2013", 2022. [Online]. Available: https://msrc-blog.microsoft.com/2022/04/15/end-of-support-for-sharepoint-2010-and-2013/
[5] Microsoft Security Response Centre, "Securing SharePoint Server: Best practices for defending against threats", 2021. [Online]. Available: https://msrc-blog.microsoft.com/2021/09/01/securing-sharepoint-server-best-practices-for-defending-against-threats/