Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

Critical zero-day vulnerabilities in Microsoft SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, have been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.

Here’s an LC Detection rule based on the KQL from Microsoft’s post.

```yaml
Suspicious IIS Worker Process Spawning Encoded PowerShell:
  data:
    detect:
      event: NEW_PROCESS
      op: and
      rules:
        - op: is windows
        # Parent must be the IIS worker process. In a NEW_PROCESS event the parent's
        # details are under event/PARENT/...; routing/parent is only the parent's
        # atom (an opaque id) and has no FILE_PATH or COMMAND_LINE beneath it.
        - op: and
          rules:
            - op: ends with
              case sensitive: false
              path: event/PARENT/FILE_PATH
              value: \w3wp.exe
            # Mirrors the KQL's exclusion of the DefaultAppPool worker.
            - op: contains
              not: true
              case sensitive: false
              path: event/PARENT/COMMAND_LINE
              value: DefaultAppPool
        - op: and
          rules:
            - op: ends with
              case sensitive: false
              path: event/FILE_PATH
              value: \cmd.exe
            - op: contains
              case sensitive: false
              path: event/COMMAND_LINE
              value: powershell
            # KQL "has" is token-based, LC "contains" is a plain substring test. The
            # switch is written -EncodedCommand, so a space-padded ' EncodedCommand '
            # would never match; ' -ec ' keeps its spaces so it is not found inside
            # other words.
            - op: or
              rules:
                - op: contains
                  case sensitive: false
                  path: event/COMMAND_LINE
                  value: EncodedCommand
                - op: contains
                  case sensitive: false
                  path: event/COMMAND_LINE
                  value: ' -ec '
            # Loose check for a 15+ character base64-looking run. A full path such as
            # \WindowsPowerShell\ also satisfies it, so the switch check above is the
            # real gate; decoding the payload still has to happen at triage time.
            - op: matches
              case sensitive: true
              path: event/COMMAND_LINE
              re: \b[A-Za-z0-9+/=]{15,}\b
    respond:
      - action: report
        name: Suspicious IIS Worker Process Spawning Encoded PowerShell
        priority: high
        metadata:
          description: >-
            Detects the IIS Worker Process (w3wp.exe), excluding the "DefaultAppPool",
            spawning cmd.exe to launch a PowerShell process with an encoded command.
            This pattern is highly indicative of a web shell being used to execute
            commands, often following the exploitation of vulnerabilities in Microsoft
            Exchange or SharePoint. While this rule cannot decode PowerShell strings,
            the preceding indicators are a very strong signal of malicious activity.
          author: Josh Lemon (SoteriaSec)
          mitre:
            - T1505.003
            - T1059.001
      - action: add tag
        tag: suspicious-iis-activity
        ttl: 86400
  usr_mtd:
    enabled: true
    expiry: 0
    comment: ""
```
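The following is an added example, not part of the original post and not Josh Lemon's rule: a small Python replay of the same detection logic over constructed NEW_PROCESS-style events, so the match conditions can be exercised offline before the rule is enabled. The event shape (child `FILE_PATH` / `COMMAND_LINE` plus a `PARENT` sub-dict) is an assumption standing in for the fields the rule reads, the sample command lines are made up, and the decode step goes beyond the rule: PowerShell's `-EncodedCommand` argument is base64 of UTF-16LE text, which the D&R rule itself cannot unpack but an analyst will want at triage. The payload regex also accepts the `-enc` and `-e` aliases, which the rule does not look for.

```python
"""Replay of the "IIS worker -> cmd.exe -> encoded PowerShell" detection over
constructed NEW_PROCESS-style events. Added example, not the rule author's code.

Events are plain dicts with the child FILE_PATH / COMMAND_LINE and a PARENT
sub-dict (assumed shape), standing in for what the D&R rule reads.
"""
import base64
import re
from typing import Optional

# Same loose base64 filter as the rule. Any 15+ character run of base64
# alphabet satisfies it, including path components such as WindowsPowerShell,
# so the encoded-command switch check below is the real gate.
B64_RUN = re.compile(r"\b[A-Za-z0-9+/=]{15,}\b")

# Token that follows an encoded-command switch (-EncodedCommand, -enc, -ec, -e).
# Broader than the rule, which only looks for EncodedCommand and ' -ec '.
ENC_ARG = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{15,})")


def is_suspicious(event: dict) -> bool:
    """Mirror of the rule's detect block: every string test is case-insensitive
    except the regex, exactly as the rule declares."""
    parent_path = event["PARENT"]["FILE_PATH"].lower()
    parent_cmd = event["PARENT"]["COMMAND_LINE"].lower()
    path = event["FILE_PATH"].lower()
    cmd = event["COMMAND_LINE"]
    cmd_l = cmd.lower()
    return (
        parent_path.endswith("\\w3wp.exe")
        and "defaultapppool" not in parent_cmd          # the KQL's app-pool exclusion
        and path.endswith("\\cmd.exe")
        and "powershell" in cmd_l
        # The switch is written -EncodedCommand, so match the bare word rather
        # than a space-padded ' EncodedCommand ' which the dash would defeat.
        and ("encodedcommand" in cmd_l or " -ec " in cmd_l)
        and B64_RUN.search(cmd) is not None
    )


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script passed to -EncodedCommand: base64 of UTF-16LE text.
    This is the step the D&R rule itself cannot perform; do it in triage."""
    m = ENC_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def run_detection(events: dict) -> dict:
    """Return {event_name: decoded command or None} for each event that fires."""
    return {
        name: decode_encoded_command(ev["COMMAND_LINE"])
        for name, ev in events.items()
        if is_suspicious(ev)
    }


# --- constructed sample events (not real telemetry) -------------------------
def new_process(parent_path: str, parent_cmd: str, path: str, cmd: str) -> dict:
    return {"FILE_PATH": path, "COMMAND_LINE": cmd,
            "PARENT": {"FILE_PATH": parent_path, "COMMAND_LINE": parent_cmd}}


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
SP_POOL = r'c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" -l "webengine4.dll"'
DEFAULT_POOL = r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll"'
# Encoded "whoami" built the way PowerShell expects it (constructed payload).
PAYLOAD = base64.b64encode("whoami".encode("utf-16-le")).decode()

SAMPLE_EVENTS = {
    # web shell under a SharePoint app pool: should fire
    "webshell": new_process(W3WP, SP_POOL, CMD_EXE,
                            f"cmd.exe /c powershell.exe -NoP -EncodedCommand {PAYLOAD}"),
    # short switch form: should also fire
    "ec_switch": new_process(W3WP, SP_POOL, CMD_EXE,
                             f"cmd.exe /c powershell -ec {PAYLOAD}"),
    # same behaviour from the excluded DefaultAppPool worker: suppressed by design
    "default_pool": new_process(W3WP, DEFAULT_POOL, CMD_EXE,
                                f"cmd.exe /c powershell -ec {PAYLOAD}"),
    # w3wp spawning cmd.exe without PowerShell: not this rule's concern
    "plain_cmd": new_process(W3WP, SP_POOL, CMD_EXE, "cmd.exe /c whoami"),
}

if __name__ == "__main__":
    for name, decoded in run_detection(SAMPLE_EVENTS).items():
        print(f"{name}: decoded command = {decoded!r}")
```

Running the script fires on the two SharePoint-pool events and decodes both payloads to `whoami`, while the DefaultAppPool and plain cmd.exe events stay quiet, which is the behaviour the rule's description promises.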

Nice! Thank you Josh!
