Detection coverage update: Sigma rules for CVE-2025-53770 (“ToolShell”)
My team member @_swachchhanda_ contributed a set of Sigma rules that detect different stages of the recent SharePoint exploitation (CVE-2025-53770).
The rules are now public:
https://t.co/orTjB0ZDUh
They provide coverage for:
- Web shell deployment
- Post-exploitation behavior
- IIS log artefacts (initial exploitation)
These rules help detect both the initial access vector and follow-up activity using host and network data sources. They complement our YARA rules for the payloads themselves:
https://t.co/v27uvFhtrc
References:
- https://t.co/KpInABItqj
- https://t.co/6wTlOfugaN
#SharePoint #CVE202553770 #ToolShell #Sigma
@TrungTPhan Yeah, it's sad. We had a great childhood. Kids today cannot be kids - we are constantly telling them how to play, what to do. I think this impacts their independence and decision-making skills.