Limited false positives are expected, as the spinstall0.aspx file is not a legitimate SharePoint component. However, there might be rare cases where legitimate files with similar names are created during SharePoint updates or maintenance. Verify the process that created the file and the file content to confirm malicious intent.

Sample rules

Windows SharePoint Spinstall0 Webshell File Creation

Description

This detection identifies the creation or modification of the “spinstall0.aspx” webshell file in Microsoft SharePoint directories. This file is a known indicator of compromise associated with the exploitation of CVE-2025-53770 (ToolShell vulnerability). Attackers exploit the vulnerability to drop webshells that provide persistent access to compromised SharePoint servers, allowing them to execute arbitrary commands, access sensitive data, and move laterally within the network.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name="spinstall0.aspx" AND (Filesystem.file_path="*\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS*" OR Filesystem.file_path="*\\microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS*") by Filesystem.dest Filesystem.user Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.action Filesystem.process_guid Filesystem.process_id Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sharepoint_spinstall0_webshell_file_creation_filter`
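As an added example (not part of this rule or of the Splunk Security Content project), the same matching and grouping logic re-implemented in Python over constructed Endpoint.Filesystem-style events, so the rule can be dry-run offline and the "verify the creating process" triage step is visible in the output. The process_name field and the sample events are assumptions; the rule itself keys on process_guid and process_id.

```python
import fnmatch

# Same matching terms as the SPL: the file name and the two LAYOUTS directory wildcards
# (compared case-insensitively, as Splunk does for these field filters).
WEBSHELL_NAME = "spinstall0.aspx"
LAYOUTS_PATTERNS = (
    r"*\microsoft shared\web server extensions\16\template\layouts*",
    r"*\microsoft shared\web server extensions\15\template\layouts*",
)

def matches_rule(event):
    """True when a Filesystem event is the spinstall0.aspx write the rule targets."""
    if event["file_name"].lower() != WEBSHELL_NAME:
        return False
    path = event["file_path"].lower()
    return any(fnmatch.fnmatchcase(path, pat) for pat in LAYOUTS_PATTERNS)

def summarize(events):
    """Group matches like the tstats 'by' clause: count, first/last seen per host, path and
    creating process. The process is part of the key so an analyst can do the process check
    the false-positive note asks for (process_name is an assumed field, not in the rule)."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["dest"], ev["file_path"], ev["process_name"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"], "user": ev["user"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups

# Constructed sample events (epoch seconds); not real telemetry.
LAYOUTS16 = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
LAYOUTS15 = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
SAMPLE_EVENTS = [
    {"_time": 1000, "dest": "sp-web01", "user": "NT AUTHORITY\\SYSTEM", "file_name": "spinstall0.aspx",
     "file_path": LAYOUTS16 + r"\spinstall0.aspx", "action": "created", "process_name": "w3wp.exe"},
    {"_time": 1060, "dest": "sp-web01", "user": "NT AUTHORITY\\SYSTEM", "file_name": "spinstall0.aspx",
     "file_path": LAYOUTS16 + r"\spinstall0.aspx", "action": "modified", "process_name": "w3wp.exe"},
    {"_time": 2000, "dest": "sp-web02", "user": "CORP\\spfarm", "file_name": "spinstall0.aspx",
     "file_path": LAYOUTS15 + r"\spinstall0.aspx", "action": "created", "process_name": "w3wp.exe"},
    # Same file name outside the LAYOUTS tree: not matched by the rule.
    {"_time": 2100, "dest": "sp-web02", "user": "CORP\\jdoe", "file_name": "spinstall0.aspx",
     "file_path": r"C:\Users\jdoe\Downloads\spinstall0.aspx", "action": "created", "process_name": "explorer.exe"},
    # Legitimate LAYOUTS file with a different name: not matched.
    {"_time": 2200, "dest": "sp-web02", "user": "NT AUTHORITY\\SYSTEM", "file_name": "default.aspx",
     "file_path": LAYOUTS16 + r"\default.aspx", "action": "modified", "process_name": "psconfig.exe"},
]

if __name__ == "__main__":
    for (dest, path, proc), g in summarize(SAMPLE_EVENTS).items():
        print(dest, proc, g["count"], g["firstTime"], g["lastTime"], path)
```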