Threat detection for SharePoint vulnerabilities – Canadian Centre for Cyber Security


Summary

The Canadian Centre for Cyber Security (Cyber Centre) has published a technical analysis of active campaigns exploiting critical on-premises Microsoft SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771) using an exploit chain dubbed “ToolShell”. The report reconstructs the full attack path from initial exploitation (observed up to 12 days before public disclosure) through post-exploitation activities, including custom in-memory .NET payloads, credential theft, lateral movement via SMB, persistence via web‑shell-like modules and encrypted exfiltration over HTTPS.

The Cyber Centre analysed dozens of dynamically generated DLL payloads extracted from running IIS processes, identified the MITRE ATT&CK techniques used by the actor, and published indicators of compromise (IoCs), YARA rules and detection guidance. It also notes that some commonly cited IoCs (for example spinstall0.aspx) were absent from this campaign because the attacker used novel custom payloads and ViewState-based techniques, so patching alone may not be sufficient until the validation/decryption keys are rotated and the servers restarted.


Source

Source: https://cyber.gc.ca/en/news-events/threat-detection-sharepoint-vulnerabilities

Key Points

  1. Multiple on‑premises SharePoint CVEs (including CVE-2025-53770) were exploited in the wild before public disclosure; the campaign is linked to an exploit chain called ToolShell.
  2. Initial compromise was observed around Day -12; attackers uploaded many custom .NET DLLs into IIS process memory to maintain and extend access.
  3. Payloads performed web request interception, cryptographic configuration extraction (ViewState keys), SAM dumping and bespoke SMB client operations for lateral movement and data collection.
  4. Patching alone may be insufficient if validation/decryption keys have been exfiltrated—keys must be rotated and servers restarted to prevent continued ViewState deserialization RCE.
  5. Attackers used HTTPS externally and SMB internally; they also abused compromised network devices to obfuscate origin IPs and reduce the value of IP‑based IoCs.
  6. Observed MITRE ATT&CK techniques include Exploit Public‑Facing Application, Web Shells, Credential Dumping, Privilege Escalation (e.g. PrintNotifyPotato), SMB lateral movement and Encrypted Exfiltration.
  7. Detection opportunities: monitor IIS processes for unusual outgoing SMB (port 445) connections, watch for anomalous requests to SharePoint resources (e.g. ows.js) with custom headers, and use YARA rules provided by the Cyber Centre to detect LDAP scraping and related payloads.
  8. The Cyber Centre released YARA rules, enhanced .NET decompilation tooling and shared IoCs via AVENTAIL and CSIRT to assist defenders.

Why should I read this?

Short answer: because this is exactly the kind of campaign that can hit well‑maintained networks and it used sneaky in‑memory .NET tricks so it can evade simple file‑based checks. Read it if you manage Windows servers, run SharePoint or IIS, or look after detection engineering — it tells you what to hunt for, why patching alone might not stop an active attacker, and what immediate steps reduce risk.

Practical takeaways

  1. Apply the available patches promptly, then rotate the validation/decryption keys and restart SharePoint servers.
  2. Inspect IIS process network behaviour, especially unexpected SMB (port 445) activity.
  3. Deploy the YARA rules and enhanced .NET decompilation or telemetry to catch in‑memory payloads.
  4. Rotate any credentials that were exposed and treat compromised accounts as suspect for cloud resources too.
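The two hunting heuristics the Cyber Centre highlights (outbound SMB from IIS processes, and requests for ows.js carrying custom headers) as an added example that is not part of the Cyber Centre report or its tooling. It runs over constructed telemetry embedded inline; the IIS worker process name w3wp.exe and the list of "standard" header names are assumptions you would tune to your own environment.

```python
"""Hunt heuristics from the ToolShell detection guidance, run over constructed telemetry."""
import csv
import io

IIS_PROCESSES = {"w3wp.exe"}  # assumption: IIS worker process name to watch

# Constructed network-connection events (not real telemetry): process, dest_ip, dest_port.
NET_EVENTS = """process,dest_ip,dest_port
w3wp.exe,10.0.0.25,445
w3wp.exe,203.0.113.9,443
svchost.exe,10.0.0.25,445
w3wp.exe,10.0.0.31,445
"""

# Header names treated as ordinary browser traffic; anything else counts as "custom".
STANDARD_HEADERS = {"host", "user-agent", "accept", "referer", "cookie",
                    "connection", "accept-encoding", "accept-language"}

# Constructed SharePoint request records (path, headers); the X-Constructed-Header
# name is a placeholder, not an indicator from the report.
REQUESTS = [
    ("/_layouts/15/ows.js", {"Host": "sp.example", "User-Agent": "Mozilla/5.0"}),
    ("/_layouts/15/ows.js", {"Host": "sp.example", "X-Constructed-Header": "1"}),
    ("/_layouts/15/start.aspx", {"Host": "sp.example", "X-Constructed-Header": "1"}),
]


def iis_smb_connections(events_csv):
    """Return (process, dest_ip) for TCP/445 connections initiated by IIS processes."""
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["process"].lower() in IIS_PROCESSES and row["dest_port"] == "445":
            hits.append((row["process"], row["dest_ip"]))
    return hits


def ows_js_custom_headers(requests):
    """Return (path, custom header names) for ows.js requests with non-standard headers."""
    hits = []
    for path, headers in requests:
        if not path.lower().endswith("/ows.js"):
            continue  # only the resource the guidance calls out
        custom = sorted(h for h in headers if h.lower() not in STANDARD_HEADERS)
        if custom:
            hits.append((path, custom))
    return hits


if __name__ == "__main__":
    for proc, ip in iis_smb_connections(NET_EVENTS):
        print(f"ALERT: outbound SMB from {proc} to {ip}")
    for path, hdrs in ows_js_custom_headers(REQUESTS):
        print(f"ALERT: {path} requested with custom headers {hdrs}")
```

The SMB check fires only on the IIS worker, not on svchost.exe, and the header check ignores the same custom header on start.aspx; both are starting points for an alert, not proof of compromise.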

