The LAYOUTS folder of the SharePoint hive (`...\Web Server Extensions\15\TEMPLATE\LAYOUTS` or `...\16\TEMPLATE\LAYOUTS`) is served under the `_layouts` virtual directory of every web application, so an .aspx or .ashx dropped there is reachable over HTTP immediately, with no solution deployment and no IIS configuration change. That makes it a favoured location for web shells after a SharePoint exploit; the advisories referenced by the rule below describe exactly this for the exploitation of CVE-2025-49704, CVE-2025-49706 and CVE-2025-53770. The Sigma rule flags writes of script or executable-content file types into that folder by the IIS worker process (w3wp.exe) or a command interpreter (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe); writes by any other process are outside its scope. SOC teams on Microsoft Sentinel (formerly Azure Sentinel) can hunt for this behaviour with the KQL translation that follows, which runs against the ASIM imFileEvent parser.
Detection Rule
```yaml
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
    Detects suspicious file writes to the SharePoint layouts directory which could indicate webshell activity or post-exploitation.
    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
```
Microsoft Sentinel (ASIM imFileEvent) translation. Two field mappings have to be right for this to return anything: the Sigma `Image` field is the writing process, which ASIM exposes as `ActingProcessName` (full path), and the Sigma `TargetFilename` field is the full path of the written file, which ASIM exposes as `TargetFilePath`. ASIM's `TargetFileName` holds only the file name, so a `startswith "C:\..."` check against it never matches, and checking the process suffixes against `TargetFilePath` can never be true at the same time as the extension check. The `EventType` filter keeps the query to file creation/modification, which is what Sigma's `file_event` category (Sysmon Event ID 11) represents; without it the query also fires on deletes and reads. KQL `startswith`, `contains` and `endswith` are case-insensitive, matching Sigma semantics.

```kql
imFileEvent
| where EventType in ("FileCreated", "FileModified")
| where ActingProcessName endswith "\\cmd.exe"
    or ActingProcessName endswith "\\powershell_ise.exe"
    or ActingProcessName endswith "\\powershell.exe"
    or ActingProcessName endswith "\\pwsh.exe"
    or ActingProcessName endswith "\\w3wp.exe"
| where TargetFilePath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\"
    or TargetFilePath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\"
| where TargetFilePath contains "\\15\\TEMPLATE\\LAYOUTS\\"
    or TargetFilePath contains "\\16\\TEMPLATE\\LAYOUTS\\"
// Same extension list as the Sigma rule; (?i) keeps the match case-insensitive.
| where TargetFilePath matches regex @"(?i)\.(asax|ascx|ashx|asmx|asp|aspx|bat|cmd|cer|config|hta|js|jsp|jspx|php|ps1|vbs)$"
| project TimeGenerated, DvcHostname, ActingProcessName, ActingProcessId, ActingProcessCommandLine, TargetFilePath
```
False Positive Scenarios
Scenario: SharePoint Timer Service Scheduled Job
Description: Timer jobs, including the ones that deploy farm solutions to each server, run inside the SharePoint Timer Service process, OWSTIMER.EXE (service name SPTimerV4), and routinely write under the hive, LAYOUTS included.
Filter/Exclusion: None needed. OWSTIMER.EXE is not in the rule's Image list, so its writes never match. If a timer-service write does show up under one of the listed images, the acting process was not the timer service and the event deserves the alert.
Scenario: SharePoint Farm Configuration Backup
Description: Backup-SPFarm and Export-SPWeb write to the backup or export path given on the command line, not to LAYOUTS, so a correctly configured backup job should not trigger the rule at all.
Filter/Exclusion: If a backup script does stage files under LAYOUTS, do not exclude powershell.exe wholesale; scope the exclusion to the specific script path in the acting process's command line and to the account the job runs as. Sysmon FileCreate events (Event ID 11) carry no command line, so join to the Process Create event (Event ID 1) on ProcessGuid, or use ActingProcessCommandLine in the ASIM imFileEvent output.
Scenario: SharePoint Custom Solution Deployment
Description: Add-SPSolution (or the legacy stsadm -o addsolution) only stores the .wsp in the farm's solution store; the files it contains are written to the hive by a deployment timer job running as OWSTIMER.EXE on each server when Install-SPSolution or Update-SPSolution runs. The exception is Install-SPSolution -Local, which deploys synchronously from the calling PowerShell session and so writes from powershell.exe.
Filter/Exclusion: None needed for timer-job deployment, since OWSTIMER.EXE is not in the rule's Image list; handle the -Local case under the PowerShell scenario below. Never exclude writes by w3wp.exe: the IIS worker process writing an .aspx into LAYOUTS is the primary web shell signal this rule exists to catch, and its command line will never contain a deployment cmdlet in any case.
Scenario: SharePoint PowerShell Script Execution
Description: Administrative scripts run as the farm account can write directly into LAYOUTS (Copy-Item into the hive, Install-SPSolution -Local), and powershell.exe and pwsh.exe are in the rule's Image list, so these writes do match.
Filter/Exclusion: Attackers also launch powershell.exe from w3wp.exe, so an exclusion on process name alone blinds the rule. Allowlist only the combination of a known, change-controlled deployment script path in the command line (joined from Event ID 1 or taken from ActingProcessCommandLine), the farm account as the user, and an approved change window; alert on everything else. Set-SPWeb changes site properties in the content database and writes no files, so it is not a useful exclusion key.
Scenario: SharePoint Add-in or App Deployment
Description: SharePoint Add-ins (apps) are provisioned into an app web in the content database (SharePoint-hosted) or run on a separate web server (provider-hosted); neither writes files into the LAYOUTS folder on the farm servers.
Filter/Exclusion: None expected in production. iisexpress.exe appears only on developer workstations and is not in the rule's Image list in any case, and writes by w3wp.exe must not be excluded here either. If a filter is still wanted for a developer host, key it on the acting process and check for `Command
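The Python below is an added example for this page, not code from the Sigma rule, Nextron Systems or the referenced advisories. It re-implements the rule's selection block over constructed Sysmon-style records (Event ID 11 for the file write, Event ID 1 for the writing process) and then applies the one exclusion the scenarios above justify: a PowerShell write is suppressed only when its process record, joined on ProcessGuid because FileCreate events carry no command line, shows the approved deployment script run by the farm account; w3wp.exe is never exempted. It also exercises a caveat the rule's prefix match is exposed to: a path recorded in 8.3 short form (`C:\PROGRA~1\...`) does not start with `C:\Program Files\` and is missed unless expanded first, so check whether your file-event source records the resolved long path or the path as typed. All events, GUIDs, account names, the deployment script path and the short-name table are constructed assumptions.

```python
"""Evaluate the 'Suspicious File Write to SharePoint Layouts Directory' selection
over constructed Sysmon-style events, then apply a narrow, join-based exclusion.

Added example for this page; not code from the Sigma rule, Nextron Systems or the
referenced advisories. Every event, GUID, account and script path is constructed.
"""

# Values copied from the Sigma selection. Sigma string modifiers are
# case-insensitive, so all comparisons below are made on lower-cased text.
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe",
                  "\\pwsh.exe", "\\w3wp.exe")
HIVE_PREFIXES = (
    "c:\\program files\\common files\\microsoft shared\\web server extensions\\",
    "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\",
)
LAYOUTS_PARTS = ("\\15\\template\\layouts\\", "\\16\\template\\layouts\\")
SUSPICIOUS_EXT = (".asax", ".ascx", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cmd",
                  ".cer", ".config", ".hta", ".js", ".jsp", ".jspx", ".php", ".ps1", ".vbs")

# 8.3 short names of the hive path on a default install. Assumption: these differ
# per host (the x86 folder is usually PROGRA~2); confirm with `dir /x`.
SHORT_NAMES = {"progra~1": "Program Files", "common~1": "Common Files",
               "micros~1": "Microsoft Shared", "webser~1": "Web Server Extensions"}

# Hypothetical change-controlled deployment script and farm service account.
APPROVED_SCRIPT = "d:\\deploy\\deploy-layouts.ps1"
FARM_ACCOUNT = "contoso\\sp_farm"


def normalize_path(path: str) -> str:
    """Expand known 8.3 components so a path logged as typed still matches."""
    return "\\".join(SHORT_NAMES.get(p.lower(), p) for p in path.split("\\"))


def matches_selection(event: dict, expand_short_names: bool = True) -> bool:
    """The Sigma 'selection' block: all four field conditions must hold."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "")
    if expand_short_names:
        target = normalize_path(target)
    target = target.lower()
    return (image.endswith(IMAGE_SUFFIXES)
            and target.startswith(HIVE_PREFIXES)
            and any(part in target for part in LAYOUTS_PARTS)
            and target.endswith(SUSPICIOUS_EXT))


def is_approved_deployment(event: dict, process_events: dict) -> bool:
    """Narrow exclusion for the administrative PowerShell scenario.

    Sysmon FileCreate (Event ID 11) carries no command line, so the write is
    joined to its Process Create (Event ID 1) record on ProcessGuid. w3wp.exe is
    never exempted: the worker process writing .aspx into LAYOUTS is the signal.
    """
    if not event.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    proc = process_events.get(event.get("ProcessGuid"))
    if proc is None:
        return False
    return (proc.get("User", "").lower() == FARM_ACCOUNT
            and APPROVED_SCRIPT in proc.get("CommandLine", "").lower())


def triage(file_events, process_events):
    """Return (alerts, suppressed): matching writes split by the exclusion."""
    alerts, suppressed = [], []
    for ev in file_events:
        if matches_selection(ev):
            (suppressed if is_approved_deployment(ev, process_events) else alerts).append(ev)
    return alerts, suppressed


HIVE_ROOT16 = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\"
HIVE16 = HIVE_ROOT16 + "TEMPLATE\\LAYOUTS\\"
SHORT16 = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\"
SYS32 = "C:\\Windows\\System32\\"
POOL = "IIS APPPOOL\\SharePoint - 80"

# Constructed Sysmon Event ID 1 records, keyed by ProcessGuid.
PROCESS_EVENTS = {
    "{p-w3wp}": {"User": POOL, "CommandLine": SYS32 + "inetsrv\\w3wp.exe -ap \"SharePoint - 80\""},
    "{p-deploy}": {"User": "CONTOSO\\sp_farm",
                   "CommandLine": "powershell.exe -File D:\\Deploy\\Deploy-Layouts.ps1"},
    "{p-spawned}": {"User": POOL, "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    "{p-cmd}": {"User": POOL, "CommandLine": "cmd.exe /c echo shell > debug.aspx"},
}

# Constructed Sysmon Event ID 11 records; each comment states the expected outcome.
FILE_EVENTS = [
    {"Image": SYS32 + "inetsrv\\w3wp.exe", "ProcessGuid": "{p-w3wp}",
     "TargetFilename": HIVE16 + "shell.aspx"},     # alert: worker process drops .aspx
    {"Image": HIVE_ROOT16 + "BIN\\OWSTIMER.EXE", "ProcessGuid": "{p-timer}",
     "TargetFilename": HIVE16 + "custom.aspx"},    # no match: timer service not in Image list
    {"Image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "ProcessGuid": "{p-deploy}",
     "TargetFilename": HIVE16 + "deploy.ascx"},    # suppressed: approved script, farm account
    {"Image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "ProcessGuid": "{p-spawned}",
     "TargetFilename": HIVE16 + "run.aspx"},       # alert: PowerShell under the app pool identity
    {"Image": SYS32 + "cmd.exe", "ProcessGuid": "{p-cmd}",
     "TargetFilename": SHORT16 + "debug.aspx"},    # alert only because the 8.3 path is expanded
    {"Image": SYS32 + "inetsrv\\w3wp.exe", "ProcessGuid": "{p-w3wp}",
     "TargetFilename": HIVE16 + "styles.css"},     # no match: extension not in the list
]

if __name__ == "__main__":
    found_alerts, found_suppressed = triage(FILE_EVENTS, PROCESS_EVENTS)
    for label, bucket in (("ALERT", found_alerts), ("SUPPRESSED", found_suppressed)):
        for ev in bucket:
            proc_name = ev["Image"].rsplit("\\", 1)[-1]
            print(label.ljust(10), proc_name, "->", ev["TargetFilename"])
```

Running the module prints three alerts (shell.aspx, run.aspx, debug.aspx) and one suppressed write (deploy.ascx); the OWSTIMER.EXE and styles.css events never match. Dropping the short-name expansion (`matches_selection(ev, expand_short_names=False)`) loses the debug.aspx alert, which is the gap to test for in your own telemetry.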