Multiple China-linked actors exploited a chain of SharePoint on-premises vulnerabilities (collectively dubbed “ToolShell”) to gain unauthenticated code execution, extract machine keys, deploy web shells (China Chopper, AntSword) and establish C2/exfiltration channels. Observed activity included spoofing via the Referer header, PowerShell and certutil decoders, LDAP/AD reconnaissance, and reuse of legacy ViewState deserialization flaws. #SharePoint #ChinaChopper #AntSword
Keypoints
- Multiple intrusions abused a chain of SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) to achieve unauthenticated code execution.
- CVE-2025-49706 spoofing via the Referer header against /_layouts/{version}/ToolPane.aspx?DisplayMode=Edit was used as a common initial access vector to reach privileged SharePoint components.
- Actors deployed Base64-encoded PowerShell payloads to write ASPX web shells (e.g., spinstall0.aspx, listdisplay.aspx) into the SharePoint LAYOUTS directory and extract machineKey material via .NET reflection.
- Extracted cryptographic keys enabled forging authentication/ViewState objects to trigger CVE-2025-53770 deserialization and achieve remote code execution in w3wp.exe.
- Post-compromise behaviors included decoding via certutil, command execution through cmd.exe, LDAP queries for Active Directory enumeration, and outbound C2/exfiltration to services like RequestRepo.
- Deployed web shells included China Chopper and AntSword-compatible payloads, allowing remote command execution and persistent access; tooling reuse suggests TTP overlap but not definitive attribution.
- Defensive recommendations: rapid patching, hardening SharePoint components, monitoring native tool abuse, and treating SharePoint as a high-risk asset with continuous detection.
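The initial access pattern in the keypoints above (a request to ToolPane.aspx in edit mode carrying a SignOut.aspx Referer, followed by requests for the dropped ASPX files) can be checked against IIS W3C logs. The following detection script is an added example, not code from the report or from any vendor; the W3C field order, the regular expressions and the log lines are assumptions constructed for the example, and a real deployment would read the field list from the log's own `#Fields:` header.

```python
"""Flag ToolShell-style initial access in IIS W3C logs (added example, constructed input)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote

# Assumed W3C field order (a common IIS default); take it from the '#Fields:' header in practice.
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]

TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_?layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)
WEB_SHELL_NAMES = {"spinstall0.aspx", "listdisplay.aspx"}  # file names listed in the report

# Constructed sample log: one benign page load, one spoofed ToolPane request, one web shell
# request from the same client, and one legitimate ToolPane edit with a normal Referer.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.21 Mozilla/5.0 - 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 http://sharepoint.example/_layouts/SignOut.aspx 200
2025-07-19 02:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:15:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.0.33 Mozilla/5.0 http://sharepoint.example/sites/hr/SitePages/Home.aspx 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    rule: str
    detail: str


def parse_w3c(line: str, fields=W3C_FIELDS) -> dict[str, str] | None:
    """Split one W3C record into a dict; directive lines, blanks and malformed rows are skipped."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None
    return dict(zip(fields, parts))


def scan_iis_log(lines) -> list[Finding]:
    """Apply the two rules to every record and return the matches in log order."""
    findings: list[Finding] = []
    for no, raw in enumerate(lines, start=1):
        rec = parse_w3c(raw.strip())
        if rec is None:
            continue
        stem = unquote(rec["cs-uri-stem"])
        query = unquote(rec["cs-uri-query"])
        referer = unquote(rec["cs(Referer)"])
        # Rule 1: ToolPane.aspx reached in edit mode with a SignOut.aspx Referer.
        if (TOOLPANE_RE.search(stem) and "displaymode=edit" in query.lower()
                and SIGNOUT_RE.search(referer)):
            findings.append(Finding(no, rec["c-ip"], "toolpane-referer-spoof",
                                    f"{rec['cs-method']} {stem}?{query} referer={referer}"))
        # Rule 2: any request for the reported web shell file names under _layouts.
        if "/_layouts/" in stem.lower() and stem.rsplit("/", 1)[-1].lower() in WEB_SHELL_NAMES:
            findings.append(Finding(no, rec["c-ip"], "webshell-path", f"{rec['cs-method']} {stem}"))
    return findings


def scan_sample() -> list[Finding]:
    """Run the rules over the constructed sample log."""
    return scan_iis_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no} {f.client_ip} [{f.rule}] {f.detail}")
```

Rule 1 keys on the combination (edit-mode ToolPane request plus SignOut Referer) rather than on ToolPane.aspx alone, because ordinary editing sessions hit that page with a normal site Referer, as the last sample line shows; rule 2 is a pure file-name match and will also fire on legitimate scanner traffic probing for the same names, which is still worth reviewing.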
MITRE Techniques
- [T1595.002] Active Scanning: Vulnerability Scanning – Identified vulnerable SharePoint servers via scanning to facilitate targeted exploitation (‘Attackers perform active scanning to identify vulnerable SharePoint servers exposed to the internet or internal network, facilitating targeted exploitation efforts.’)
- [T1190] Exploit Public-Facing Application – Exploited SharePoint deserialization and other flaws for unauthenticated RCE (‘Attackers exploit the CVE-2025-53770 vulnerability in Microsoft SharePoint to gain unauthorized remote code execution on exposed servers without authentication.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Spawned PowerShell from w3wp.exe to execute encoded payloads and write files (‘The attacker spawns PowerShell processes from w3wp.exe to execute commands.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Spawned cmd.exe from w3wp.exe to run system commands and certutil for decoding (‘The attacker spawns cmd.exe processes from w3wp.exe to execute commands.’)
- [T1505.003] Server Software Component: Web Shell – Dropped malicious ASPX web shells (spinstall0.aspx, listdisplay.aspx) to maintain persistent remote access (‘Malicious ASPX web shells such as spinstall0.aspx are deployed on IIS web servers to maintain persistent remote access, execute arbitrary commands, and enable further lateral movement.’)
- [T1505.004] Server Software Component: IIS Components – Abused w3wp.exe and IIS components for stealthy execution and persistence (‘Adversaries install or abuse the IIS w3wp.exe process, IIS ISAPI extensions, filters, modules (DLL/.NET) to intercept, modify, or proxy web requests/responses, enabling stealthy command execution, persistence, and manipulation of web traffic.’)
- [T1620] Reflective Code Loading – Used System.Reflection.Assembly.Load() to load assemblies and extract machineKey values in-memory (‘The malicious .aspx scripts use .NET reflection via System.Reflection.Assembly.Load() to dynamically load code in memory, without writing additional binaries to disk.’)
- [T1046] Network Service Discovery – Executed commands like ipconfig and ping for network reconnaissance (‘Execution of commands like ipconfig, ping for network reconnaissance.’)
- [T1087.002] Account Discovery: Domain Account – Queried LDAP to enumerate domain users and groups in Active Directory (‘Adversaries attempt to get a listing of domain accounts via LDAP queries.’)
- [T1140] Deobfuscate/Decode Files or Information – Used certutil.exe and PowerShell to decode Base64-encoded payloads (‘Use of certutil.exe (a legitimate Windows tool) to decode Base64-encoded payloads, bypassing defenses that monitor PowerShell or direct downloads.’)
- [T1036.008] Masquerading: Masquerade File Type – Dropped payloads with benign-looking extensions (e.g., .css) to evade detection (‘Dropping payloads with benign-looking file extensions (e.g., .css, .txt) in legitimate SharePoint directories to avoid detection.’)
- [T1213.002] Data from Information Repositories: SharePoint – Leveraged SharePoint repositories to collect sensitive organizational data post-compromise (‘Adversaries leverage SharePoint repositories to collect sensitive organizational information, including policies, network diagrams, system documentation, development credentials, source code snippets, and internal resource links.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Interacted with web shells via HTTP(S) POST/GET to execute commands and exfiltrate data (‘Attackers interact with the web shell (e.g., spinstall0.aspx) using standard HTTP/S requests, issuing POST or GET commands that execute system commands or retrieve data over a web protocol.’)
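Several of the techniques above (T1059.001, T1059.003, T1140, T1036.008) share one host-side signal: the SharePoint worker process w3wp.exe spawning a shell, often with an encoded PowerShell command or a certutil decode of a benign-looking file. The script below is an added example, not code from the report, that scores process-creation events for those behaviours; the event field names (ParentImage, Image, CommandLine, modelled on Sysmon Event ID 1) and the three sample events are constructed assumptions, and the encoded command is a harmless constructed string built at load time.

```python
"""Score process-creation events for w3wp.exe-spawned shells (added example, constructed input)."""
from __future__ import annotations

import base64
import re

WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; the argument is Base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s+.*-decode\b", re.IGNORECASE)

# Constructed sample: the "payload" only names a placeholder path, it performs nothing.
SAMPLE_DECODED = "Set-Content -Path 'C:\\CONSTRUCTED\\LAYOUTS\\sample.aspx' -Value 'placeholder'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_DECODED.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {SAMPLE_ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -decode C:\Windows\Temp\page.css C:\Windows\Temp\page.aspx"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: an operator running a script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict) -> list[str]:
    """List the reasons an event is suspicious; an empty list means nothing matched."""
    reasons: list[str] = []
    parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if parent == WORKER and image in SHELLS:
        reasons.append(f"{WORKER} spawned {image}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if ".aspx" in decoded.lower():
            reasons.append("encoded command references an .aspx file")
    if CERTUTIL_RE.search(cmd):
        reasons.append("certutil used as a Base64 decoder")
    return reasons


def scan_events(events) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that triggered at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
        if (d := decode_encoded_command(SAMPLE_EVENTS[idx].get("CommandLine", ""))):
            print("   decoded:", d)
```

Decoding the encoded command at detection time matters because the parent-child pairing alone cannot distinguish an encoded web shell installer from a scheduled housekeeping script; surfacing the plaintext lets an analyst triage without re-running anything.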
Indicators of Compromise
- [File Hashes] Web shell and installer artifacts – 04d9205a68b7ccf872ff1e28815375792e25a356 (spinstall0.aspx), 8591406510c9dfc9a31ec526aea610e9fbd5eeb9 (China Chopper), and 2 more hashes
- [File Names] Deployed ASPX payloads used for key extraction and remote access – spinstall0.aspx, listdisplay.aspx
- [Domains] Outbound C2/exfiltration endpoints abused – requestrepo[.]com (RequestRepo used as lightweight C2/exfiltration endpoint)
- [URLs / Endpoints] SharePoint endpoints targeted for Referer spoofing and exploitation – /_layouts/{version number}/ToolPane.aspx?DisplayMode=Edit, /layouts/SignOut.aspx (used to bypass request validation)