EXPLORE
Sign In
← Back to Explore
crowdstrike_cqlTTP

CVE-2025-53770 - SharePoint ToolShell

WebShell Discovery from w3wp.exe Falcon has native detection/prevention capabilities for this attack sequence. The following looks for: ``` w3wp.exe --> cmd.exe --> powershell.exe --> .aspx file write ```

MITRE ATT&CK

T1190T1620
initial-access

Detection Query

// CVE-2025-53770 - WebShell Discovery from w3wp.exe

correlate(
    cmd: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
          } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
    pwsh: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
          | aid <=> cmd.aid
          | ParentProcessId <=> cmd.TargetProcessId
          } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
    aspx: {
        #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/\.aspx/i
          | aid <=> cmd.aid
          | ContextProcessId <=> pwsh.TargetProcessId
          } include: [aid, ComputerName, TargetFileName],
sequence=true, within=5m)

Author

CrowdStrike

Data Sources

Endpoint

Platforms

windows

Tags

Detectioncs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: CVE-2025-53770 - SharePoint ToolShell

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1190
  - T1620

# Description of what the query does and its purpose.
description: WebShell Discovery from w3wp.exe

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  // CVE-2025-53770 - WebShell Discovery from w3wp.exe
  
  correlate(
      cmd: {
          #event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
            } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
      pwsh: {
          #event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
            | aid <=> cmd.aid
            | ParentProcessId <=> cmd.TargetProcessId
            } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
      aspx: {
          #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/\.aspx/i
            | aid <=> cmd.aid
            | ContextProcessId <=> pwsh.TargetProcessId
            } include: [aid, ComputerName, TargetFileName],
  sequence=true, within=5m)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Falcon has native detection/prevention capabilities for this attack sequence. The following looks for:
  
  ```
  w3wp.exe --> cmd.exe --> powershell.exe --> .aspx file write
  ```