Critical zero-day vulnerabilities in Microsoft SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, have been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.
Here’s an LC Detection rule that is based on the KQL from Microsoft’s post.
Suspicious IIS Worker Process Spawning Encoded PowerShell:
data:
  detect:
    event: NEW_PROCESS
    op: and
    rules:
      - op: is windows
      - op: and
        rules:
          - op: ends with
            case sensitive: false
            path: routing/parent/FILE_PATH
            value: \w3wp.exe
          - op: contains
            not: true
            case sensitive: false
            path: routing/parent/COMMAND_LINE
            value: DefaultAppPool
      - op: and
        rules:
          - op: ends with
            case sensitive: false
            path: event/FILE_PATH
            value: \cmd.exe
          - op: contains
            case sensitive: false
            path: event/COMMAND_LINE
            value: powershell
      - op: or
        rules:
          - op: contains
            case sensitive: false
            path: event/COMMAND_LINE
            value: ' EncodedCommand '
          - op: contains
            case sensitive: false
            path: event/COMMAND_LINE
            value: ' -ec '
          - op: matches
            case sensitive: true
            path: event/COMMAND_LINE
            re: \b[A-Za-z0-9+/=]{15,}\b
  respond:
    - action: report
      name: Suspicious IIS Worker Process Spawning Encoded PowerShell
      priority: high
      metadata:
        description: >-
          Detects the IIS Worker Process (w3wp.exe), excluding the "DefaultAppPool",
          spawning cmd.exe to launch a PowerShell process with an encoded command.
          This pattern is highly indicative of a web shell being used to execute
          commands, often following the exploitation of vulnerabilities in Microsoft
          Exchange or SharePoint. While this rule cannot decode PowerShell strings,
          the preceding indicators are a very strong signal of malicious activity.
        author: Josh Lemon (SoteriaSec)
        mitre:
          - T1505.003
          - T1059.001
    - action: add tag
      tag: suspicious-iis-activity
      ttl: 86400
usr_mtd:
  enabled: true
  expiry: 0
  comment: ""
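To sanity-check what the rule above fires on and what it deliberately ignores, here is an added Python re-implementation of its three condition groups run over constructed NEW_PROCESS events. This is example code added here, not part of Josh's post or LimaCharlie's rule engine; the event layout and the `plat == "windows"` stand-in for `is windows` are simplifying assumptions.

```python
import re

# Same pattern the rule's "matches" clause uses (case sensitive).
BASE64_TOKEN = re.compile(r"\b[A-Za-z0-9+/=]{15,}\b")


def make_event(parent_path, parent_cmd, child_cmd,
               child_path=r"C:\Windows\System32\cmd.exe", plat="windows"):
    """Build a constructed event shaped like the paths the rule reads."""
    return {"routing": {"plat": plat,  # simplification of LC's platform field
                        "parent": {"FILE_PATH": parent_path, "COMMAND_LINE": parent_cmd}},
            "event": {"FILE_PATH": child_path, "COMMAND_LINE": child_cmd}}


def get(ev, path):
    """Resolve a slash-separated rule path such as routing/parent/FILE_PATH."""
    for key in path.split("/"):
        ev = ev.get(key, {}) if isinstance(ev, dict) else {}
    return ev if isinstance(ev, str) else ""


def rule_matches(ev):
    """Mirror the rule: Windows AND IIS-parent group AND cmd->powershell group AND encoded group."""
    is_windows = get(ev, "routing/plat") == "windows"
    parent_path = get(ev, "routing/parent/FILE_PATH").lower()
    parent_cmd = get(ev, "routing/parent/COMMAND_LINE").lower()
    child_path = get(ev, "event/FILE_PATH").lower()
    child_cmd = get(ev, "event/COMMAND_LINE")
    iis_parent = parent_path.endswith(r"\w3wp.exe") and "defaultapppool" not in parent_cmd
    cmd_to_ps = child_path.endswith(r"\cmd.exe") and "powershell" in child_cmd.lower()
    encoded = (" encodedcommand " in child_cmd.lower() or " -ec " in child_cmd.lower()
               or BASE64_TOKEN.search(child_cmd) is not None)
    return is_windows and iis_parent and cmd_to_ps and encoded


# Constructed sample events: one true positive and three cases the rule should not report.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
ENCODED = "cmd.exe /c powershell -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
SAMPLE_EVENTS = {
    "sharepoint_pool_encoded": make_event(W3WP, 'w3wp.exe -ap "SharePoint - 80"', ENCODED),
    "default_apppool_excluded": make_event(W3WP, 'w3wp.exe -ap "DefaultAppPool"', ENCODED),
    "plain_powershell": make_event(W3WP, 'w3wp.exe -ap "SharePoint - 80"',
                                   "cmd.exe /c powershell -Command Get-Date"),
    "not_iis_parent": make_event(r"C:\Windows\explorer.exe", "explorer.exe", ENCODED),
}


def evaluate_samples():
    """Return {sample name: would the rule report it}."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26} -> {'REPORT' if hit else 'ignore'}")
```

The plain PowerShell case shows the regex fallback does not fire on ordinary short arguments, while the DefaultAppPool case shows the exclusion suppressing an otherwise matching encoded command.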
Nice! Thank you Josh!