LoFP / limited false positives are expected as spinstall0.aspx is not a legitimate sharepoint component. however, security teams investigating the incident might also access this file for analysis purposes. verify the source ip addresses against known security team ips and the timing of the requests in relation to the initial exploitation attempt.

Techniques

• T1190
• T1505.003
• T1552

Sample rules

Windows SharePoint Spinstall0 GET Request

• source: splunk
• technicques:
  • T1190
  • T1505.003
  • T1552

Description

The following analytic detects potential post-exploitation activity related to the Microsoft SharePoint CVE-2025-53770 vulnerability. After successful exploitation via the ToolPane.aspx endpoint, attackers typically deploy a webshell named “spinstall0.aspx” in the SharePoint layouts directory. This detection identifies GET requests to this webshell, which indicates active use of the backdoor for command execution, data exfiltration, or credential/key extraction. Attackers commonly use these webshells to extract encryption keys, authentication tokens, and other sensitive information from the compromised SharePoint server.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/_layouts/15/spinstall0.aspx*" Web.http_method="GET" by Web.url Web.src Web.dest Web.status Web.http_user_agent Web.url_length sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_sharepoint_spinstall0_get_request_filter`