t1505.003

Title
admin activity
baseline your environment before production. it is possible that build systems using iis will spawn cmd.exe to perform a software build. filter as needed.
crazy web applications
false positives are present when the values are set to 1 for utf and lookup. it's possible to raise this to ttp (direct finding) if other_lookups is removed and the score is raised to 2 (down from 4).
legitimate administrator or developer creating legitimate executable files in a web application folder
legitimate application and websites that use windows paths in their url
legitimate configuration changes during routine maintenance or device setup may trigger this detection, especially when multiple related changes are made in a single session. network administrators often make several configuration changes in sequence during maintenance windows. to reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows. the detection includes a threshold (count > 2) to filter out isolated configuration changes, but this threshold may need to be adjusted based on your environment's normal activity patterns.
legitimate os functions called by vendor applications; baseline the environment and filter before enabling. recommend throttling by dest/process_name.
limited false positives are expected as legitimate use of the toolpane.aspx endpoint with displaymode=edit parameter in post requests is uncommon. however, some sharepoint administration activities might trigger this detection. verify against known administrator ips and activity patterns.
limited false positives are expected as spinstall0.aspx is not a legitimate sharepoint component. however, security teams investigating the incident might also access this file for analysis purposes. verify the source ip addresses against known security team ips and the timing of the requests in relation to the initial exploitation attempt.
limited false positives are expected as the spinstall0.aspx file is not a legitimate sharepoint component. however, there might be rare cases where legitimate files with similar names are created during sharepoint updates or maintenance. verify the process that created the file and the file content to confirm malicious intent.
limited false positives should occur as this pattern is highly specific to cve-2025-24813 exploitation. however, legitimate application errors that use similar cookie patterns and result in 500 status codes might trigger false positives. review the jsessionid cookie format and the associated request context to confirm exploitation attempts.
particular web applications may spawn a shell process legitimately
some legitimate applications might use put requests to create .session files, especially in custom implementations that leverage tomcat's session persistence mechanism. verify if the detected activity is part of a normal application flow or if it correlates with other suspicious behavior, such as subsequent get requests with manipulated jsessionid cookies.
the jsp file names are static names used in current proof of concept code.
the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product.
there might be false positives associated with this detection since items like args as a web argument are pretty generic.
unknown
unknown, as how admins install iis modules may vary from organisation to organisation.
user searches in search boxes of the respective website
web applications that invoke linux command line tools
web applications that use the same url parameters as regeorg
web sites like wikis with articles on os commands and pages that include the os commands in the urls