SharePoint ToolShell Exploitation

The SharePoint ToolShell Exploitation campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Microsoft later assigned CVE-2025-53770 and CVE-2025-53771 to the variants that bypassed the initial fixes, and the ToolShell vulnerabilities were widely exploited, including by China-based ransomware actor Storm-2603 and espionage actors Threat Group-3390 and ZIRCONIUM. SharePoint ToolShell Exploitation targeted multiple regions and industries, including finance, education, energy, and healthcare, across Asia, Europe, and the United States.[1][2][3][4][5]

ID: C0058
First Seen:  July 2025 [1]
Last Seen:  July 2025 [2]
Version: 1.0
Created: 15 October 2025
Last Modified: 24 October 2025

Groups

ID Name Description
G0027 Threat Group-3390

During SharePoint ToolShell Exploitation, Threat Group-3390 attempted to exploit CVE-2025-49706 and CVE-2025-49704 to gain initial access to target organizations.[1]

G0128 ZIRCONIUM

During SharePoint ToolShell Exploitation, ZIRCONIUM attempted to exploit CVE-2025-49706 and CVE-2025-49704 to gain initial access to target organizations.[1]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

During SharePoint ToolShell Exploitation, threat actors registered C2 domains to spoof legitimate Microsoft domains.[1][2]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

During SharePoint ToolShell Exploitation, threat actors scanned for SharePoint servers vulnerable to CVE-2025-53770.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During SharePoint ToolShell Exploitation, threat actors issued HTTP POST requests to web shells with spoofed or empty Referer headers to bypass authentication checks.[1][3][5][6][2]

Enterprise T1119 Automated Collection

During SharePoint ToolShell Exploitation, threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings.[5][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During SharePoint ToolShell Exploitation, threat actors used PowerShell to execute attacker-controlled encoded commands.[1][3][6][2]

.003 Command and Scripting Interpreter: Windows Command Shell

During SharePoint ToolShell Exploitation, threat actors used cmd.exe and batch scripts within the victim environment.[1][4][3][6]

Enterprise T1486 Data Encrypted for Impact

During SharePoint ToolShell Exploitation, threat actors deployed ransomware including 4L4MD4R and Warlock.[1][2]

Enterprise T1005 Data from Local System

During SharePoint ToolShell Exploitation, threat actors extracted information from the compromised systems.[1][4][6][2]

Enterprise T1074 .001 Data Staged: Local Data Staging

During SharePoint ToolShell Exploitation, threat actors staged stolen data from web.config files to debug_dev.js.[2][5]

Enterprise T1140 Deobfuscate/Decode Files or Information

During SharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution.[2]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, modified group policy to enable ransomware distribution.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

During SharePoint ToolShell Exploitation, threat actors created Proton Mail accounts for communication with organizations infected with ransomware.[2]

Enterprise T1041 Exfiltration Over C2 Channel

During SharePoint ToolShell Exploitation, threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure.[1]

Enterprise T1190 Exploit Public-Facing Application

During SharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted POST requests to the ToolPane endpoint /_layouts/15/ToolPane.aspx.[1][4][3][5][6][2]

Enterprise T1083 File and Directory Discovery

During SharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content.[1]

Enterprise T1657 Financial Theft

During SharePoint ToolShell Exploitation, threat actors demanded ransom payments to decrypt files and to refrain from publishing sensitive data exfiltrated from victim networks.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During SharePoint ToolShell Exploitation, threat actors disabled Microsoft Defender through Registry settings and turned off real-time monitoring via PowerShell.[1][2]

Enterprise T1105 Ingress Tool Transfer

During SharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware.[2]

Enterprise T1570 Lateral Tool Transfer

During SharePoint ToolShell Exploitation, threat actors used Impacket to remotely stage and execute payloads via WMI.[1]

Enterprise T1112 Modify Registry

During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

During SharePoint ToolShell Exploitation, threat actors UPX-packed malicious payloads including 4L4MD4R ransomware.[2]

.010 Obfuscated Files or Information: Command Obfuscation

During SharePoint ToolShell Exploitation, threat actors executed Base64-encoded PowerShell commands.[1][3][5][6][2]

Enterprise T1588 .002 Obtain Capabilities: Tool

During SharePoint ToolShell Exploitation, threat actors leveraged tools including Impacket, PsExec, and Mimikatz.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

During SharePoint ToolShell Exploitation, threat actors used Mimikatz to dump LSASS memory.[1]

Enterprise T1572 Protocol Tunneling

During SharePoint ToolShell Exploitation, threat actors utilized ngrok tunnels to deliver PowerShell payloads.[1]

Enterprise T1090 Proxy

During SharePoint ToolShell Exploitation, threat actors used Fast Reverse Proxy to communicate with C2.[1][4]

Enterprise T1620 Reflective Code Loading

During SharePoint ToolShell Exploitation, threat actors reflectively loaded payloads using System.Reflection.Assembly.Load.[1][3][5][6][2]
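The PowerShell, Impair Defenses, Modify Registry, Command Obfuscation and Reflective Code Loading entries above all surface in process command lines. As an added example (not code from this page or from the cited reports), the Python below decodes -EncodedCommand payloads (UTF-16LE, then base64, including the -enc/-ec/-e short forms PowerShell accepts) and checks the result for Set-MpPreference -DisableRealtimeMonitoring, Defender policy changes written to the Registry, and System.Reflection.Assembly::Load. The sample events are constructed, and their encoded payloads are generated by the block's own encode_ps helper; the DisableAntiSpyware value name is an assumption taken from public reporting, not something this page states.

```python
"""Triage process command lines for the encoded-PowerShell and Defender-tampering
patterns described on this page. Added example; sample events are constructed."""
from __future__ import annotations

import base64
import binascii
import re

# '-e' followed by letters, then a base64-looking token. Whether the switch really is
# -EncodedCommand (or one of its prefixes) is decided in decode_encoded_command.
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicator regexes run against the decoded command (or the raw line when nothing
# was encoded). Set-MpPreference and Assembly.Load are named on this page; the
# DisableAntiSpyware policy value is an assumption from public reporting.
INDICATORS = {
    "defender_realtime_disabled":
        re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(?:\$true|1)\b", re.I),
    "defender_policy_registry":
        re.compile(r"(?:\breg(?:\.exe)?\s+add\b|set-itemproperty|new-itemproperty)"
                   r".*windows defender.*disableantispyware", re.I | re.S),
    "reflective_assembly_load":
        re.compile(r"reflection\.assembly\]?::load\s*\(", re.I),
}


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None when the line has none."""
    for m in ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # -ep, -exec, -ea, ... are different switches
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed payload; keep looking
    return None


def triage(cmdline: str) -> dict:
    """Decode if needed, then tag the command with every indicator that matches."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(text)],
    }


def triage_all(events: list[str]) -> list[dict]:
    return [triage(e) for e in events]


# Constructed sample process-creation command lines (not captured data).
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    'cmd.exe /c reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
    "/v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    "powershell.exe -EncodedCommand "
    + encode_ps("[System.Reflection.Assembly]::Load([Convert]::FromBase64String($p))"),
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Date"',
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(r["indicators"] or ["-"], "|", r["decoded"] or r["cmdline"])
```

The prefix check matters in practice: -ExecutionPolicy Bypass also starts with "-e" and is followed by a token that looks like base64, so matching on "-e" alone produces noise. Decoding before matching is what lets the Set-MpPreference and Assembly.Load rules fire on the encoded samples, where the raw command line shows nothing but base64.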

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During SharePoint ToolShell Exploitation, threat actors used scheduled tasks to help establish persistence.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

During SharePoint ToolShell Exploitation, threat actors followed exploitation of SharePoint servers with installation of a malicious .aspx web shell (spinstall0.aspx) that was written to the _layouts/15/ directory, granting persistent HTTP-based access.[1][4][3][5][6][2]
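The request pattern described in the Web Protocols, Local Data Staging, Exploit Public-Facing Application and Web Shell entries above can be hunted in IIS W3C logs. The following is an added example, not code from this page or from any of the cited reports: it reads the #Fields header, flags any request for spinstall0.aspx or debug_dev.js, and flags POSTs to ToolPane.aspx in Edit mode that come from an unauthenticated client or carry an empty or SignOut.aspx Referer. The sample log is constructed; the DisplayMode=Edit query string and the /_layouts/SignOut.aspx Referer value are assumptions taken from public reporting on ToolShell rather than from this page, and the /_layouts/15/ path for debug_dev.js is likewise assumed.

```python
"""Hunt IIS W3C logs for the ToolShell request sequence described on this page.
Added example; the log below is constructed, not real victim data."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator
from urllib.parse import parse_qs

# IIS writes '+' for spaces inside a field and '-' for an absent value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.0.7 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr 200
2025-07-18 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200
2025-07-18 10:02:31 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-18 10:02:40 10.0.0.5 GET /_layouts/15/debug_dev.js - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-18 10:03:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.8 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/_layouts/15/settings.aspx 200
"""

# File names from the campaign description above; the directory does not matter.
ARTIFACT_RULES = {
    "spinstall0.aspx": "web_shell_request",
    "debug_dev.js": "staged_file_request",
}
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$")


@dataclass(frozen=True)
class Finding:
    time: str
    client: str
    rule: str
    detail: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict[str, str]]:
    """Yield one dict per request; the #Fields directive names the columns."""
    fields: list[str] | None = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated row; skip it rather than misalign the columns
        yield dict(zip(fields, values))


def classify(req: dict[str, str]) -> Finding | None:
    when = f'{req["date"]} {req["time"]}'
    client = req["c-ip"]
    stem = req["cs-uri-stem"].lower()
    user = req.get("cs-username", "-")
    referer = req.get("cs(Referer)", "-")

    # Rule 1: any request for a known artifact, whatever the status code. A 404 for
    # spinstall0.aspx still shows someone checking whether the shell is there.
    name = stem.rsplit("/", 1)[-1]
    if name in ARTIFACT_RULES:
        return Finding(when, client, ARTIFACT_RULES[name], stem)

    # Rule 2: ToolPane POST in Edit mode from an unauthenticated client or with a
    # missing/spoofed Referer. Legitimate web-part editing also POSTs to ToolPane.aspx,
    # but then the user is authenticated and the Referer is a page on the same site.
    if req["cs-method"].upper() == "POST" and TOOLPANE.search(stem):
        params = {k.lower(): [v.lower() for v in vs]
                  for k, vs in parse_qs(req.get("cs-uri-query", "-")).items()}
        edit_mode = "edit" in params.get("displaymode", [])
        odd_referer = referer == "-" or "signout.aspx" in referer.lower()
        if edit_mode and (user == "-" or odd_referer):
            return Finding(when, client, "toolshell_toolpane_post",
                           f"user={user} referer={referer}")
    return None


def hunt(log_text: str) -> list[Finding]:
    """Return findings in log order."""
    return [f for f in map(classify, parse_w3c(log_text.splitlines())) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.time, f.client, f.rule, f.detail)
```

The authenticated POST from CONTOSO\bob with an on-site Referer is deliberately left unflagged: the endpoint alone is not the signal, the combination of Edit mode, no user name and an empty or SignOut.aspx Referer is. Group the findings by client address, since the exploit POST, the shell request and the debug_dev.js fetch arrive from the same source within seconds.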

.004 Server Software Component: IIS Components

During SharePoint ToolShell Exploitation, threat actors modified Internet Information Services (IIS) components to load suspicious .NET assemblies for persistence.[1]

Enterprise T1082 System Information Discovery

During SharePoint ToolShell Exploitation, threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes.[1]

Enterprise T1033 System Owner/User Discovery

During SharePoint ToolShell Exploitation, threat actors executed whoami on victim machines to enumerate user context and validate privilege levels.[1][6]

Enterprise T1569 .002 System Services: Service Execution

During SharePoint ToolShell Exploitation, threat actors leveraged PsExec for command execution and used services.exe to disable Microsoft Defender via Registry keys.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

During SharePoint ToolShell Exploitation, threat actors accessed web.config and machine.config to extract machineKey values (validationKey and decryptionKey), enabling them to forge valid __VIEWSTATE payloads for future deserialization attacks. Because the stolen keys remain valid after the vulnerabilities themselves are patched, they must be rotated to close this avenue.[1][3][5][6][2]
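Since stolen machineKey values stay usable until they are rotated, the post-incident check is to confirm the keys actually changed. The following added example (not code from this page or from Microsoft) parses the <machineKey> element of a web.config, reports SHA-256 fingerprints of validationKey and decryptionKey instead of the keys themselves, flags static keys and weak validation/decryption algorithms, and compares a pre- and post-rotation copy. The web.config fragments and hex keys are constructed dummies; on a real farm the rotation is done with the SharePoint cmdlets (Set-SPMachineKey/Update-SPMachineKey) and this check is run against the web.config of every web application on every server.

```python
"""Audit the ASP.NET <machineKey> in a SharePoint web.config and confirm a rotation.
Added example; the config fragments and keys below are constructed dummies."""
from __future__ import annotations

import binascii
import hashlib
import xml.etree.ElementTree as ET

CONFIG_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" compatibilityMode="Framework45" />
  </system.web>
</configuration>
"""


def config_with_keys(validation_key: str, decryption_key: str) -> str:
    return CONFIG_TEMPLATE.format(v=validation_key, d=decryption_key)


# 64-byte validation key and 32-byte decryption key, as hex (dummy values).
WEB_CONFIG_BEFORE = config_with_keys("0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4)
WEB_CONFIG_AFTER = config_with_keys("1122334455667788" * 8, "8877665544332211" * 4)
# No explicit <machineKey>: the application inherits machine.config.
WEB_CONFIG_INHERITED = "<configuration><system.web/></configuration>"

WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint so keys can be compared without being copied around."""
    try:
        material = binascii.unhexlify(key)
    except (binascii.Error, ValueError):
        material = key.encode("utf-8")  # e.g. 'AutoGenerate,IsolateApps'
    return hashlib.sha256(material).hexdigest()[:16]


def machine_key_settings(config_xml: str) -> dict:
    """Summarise the effective machineKey configuration of one web.config."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        node = root.find(".//machineKey")  # e.g. nested inside a <location> element
    if node is None:
        return {"source": "inherited", "static": False,
                "findings": ["no explicit machineKey; inherits machine.config"]}
    vkey = node.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = node.get("decryptionKey", "AutoGenerate,IsolateApps")
    validation = node.get("validation", "HMACSHA256")
    decryption = node.get("decryption", "Auto")
    static = not vkey.startswith("AutoGenerate") or not dkey.startswith("AutoGenerate")
    findings = []
    if static:
        findings.append("static keys: anyone who read this file can forge __VIEWSTATE "
                        "until the keys are rotated")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {validation}")
    if decryption.upper() in WEAK_DECRYPTION:
        findings.append(f"weak decryption algorithm {decryption}")
    return {
        "source": "web.config",
        "static": static,
        "validation": validation,
        "decryption": decryption,
        "validationKey_fp": fingerprint(vkey),
        "decryptionKey_fp": fingerprint(dkey),
        "findings": findings,
    }


def rotation_verified(before_xml: str, after_xml: str) -> bool:
    """True only when both keys changed; treat anything less as an incomplete rotation."""
    b, a = machine_key_settings(before_xml), machine_key_settings(after_xml)
    if b["source"] != "web.config" or a["source"] != "web.config":
        return False
    return (b["validationKey_fp"] != a["validationKey_fp"]
            and b["decryptionKey_fp"] != a["decryptionKey_fp"])


if __name__ == "__main__":
    for label, cfg in (("before", WEB_CONFIG_BEFORE), ("after", WEB_CONFIG_AFTER),
                       ("inherited", WEB_CONFIG_INHERITED)):
        print(label, machine_key_settings(cfg))
    print("rotated:", rotation_verified(WEB_CONFIG_BEFORE, WEB_CONFIG_AFTER))
```

Fingerprints rather than key values are what you want in a ticket or a report: they let you prove the rotation happened on every server in the farm (all post-rotation fingerprints identical to each other and different from the pre-rotation ones) without the audit trail itself becoming another copy of the secret.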

Enterprise T1047 Windows Management Instrumentation

During SharePoint ToolShell Exploitation, threat actors used WMI for execution.[1]

Software

References