{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-027.pdf"
    },
    "title": "Critical Vulnerabilities in Microsoft SharePoint",
    "serial_number": "2025-027",
    "publish_date": "24-07-2025 09:03:42",
    "description": "On July 19, 2025, Microsoft released an out-of-band advisory addressing two vulnerabilities in Microsoft SharePoint, one of which is rated critical and allows an unauthenticated remote attacker to execute arbitrary code on vulnerable systems. These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted. These critical flaws have been actively exploited in the wild since at least 18 July 2025. <br>\nIt is recommended to isolate vulnerable systems from the Internet and from internal systems, and to run a compromise assessment before updating.<br>\n",
    "url_title": "2025-027",
    "content_markdown": "---    \ntitle: 'Critical Vulnerabilities in\u00a0Microsoft\u00a0SharePoint'\nnumber: '2025-027'\nversion: '1.3'\noriginal_date: '2025-07-19'\ndate: '2025-07-24'\n---\n\n_History:_\n\n* _21/07/2025 --- v1.0 -- Initial publication_\n* _21/07/2025 --- v1.1 -- Updated information_\n* _22/07/2025 --- v1.2 -- Updated information from Microsoft_\n* _24/07/2025 --- v1.3 -- Further updated information from Microsoft_\n\n# Summary\n\nOn July 19, 2025, Microsoft released an out-of-band advisory addressing two vulnerabilities in Microsoft SharePoint, one of which is rated critical and allows an unauthenticated remote attacker to execute arbitrary code on vulnerable systems [1,2]. These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted. **These critical flaws have been actively exploited in the wild since at least 18 July 2025** [4]. \n\nIt is recommended to isolate vulnerable systems from the Internet and from internal systems, and to run a compromise assessment before updating.\n\n# Technical Details\n\nThe vulnerability **CVE-2025-53770**, with a CVSS score of 9.8, is due to the deserialisation of untrusted data. 
This flaw allows an unauthorised attacker to execute code over a network [2].\n\nThe vulnerability **CVE-2025-53771**, with a CVSS score of 6.3, is a spoofing vulnerability due to improper limitation of a path name to a restricted directory (_path traversal_) [3].\n\n# Affected Products\n\nThe vulnerabilities **CVE-2025-53770** and **CVE-2025-53771** affect:\n\n- Microsoft SharePoint Server Subscription Edition\n- Microsoft SharePoint Server 2019\n- Microsoft SharePoint Enterprise Server 2016\n\n>**[Updated]** _Note: All prior versions of SharePoint are no longer supported and should be considered vulnerable, but **will not be patched** by Microsoft._\n\n# Recommendations\n\nIt is recommended to isolate vulnerable systems from the Internet and from internal systems, and to run a compromise assessment before updating.\n\n**[Updated]** After running a compromise assessment and updating affected servers, it is strongly recommended to rotate the SharePoint Server ASP.NET machine keys and then restart the IIS service using `iisreset.exe` [1,5]. Installing the update alone does not invalidate machine keys that were already stolen from a compromised server, so rotation should not be skipped [4].\n\n## Mitigation\n\nThe vendor strongly advises deploying Microsoft Defender for Endpoint, or an equivalent endpoint protection solution, as well as enabling and properly configuring the Antimalware Scan Interface (AMSI) [1].\n\n## Threat Hunting\n\nTo identify possible exploitation of the vulnerabilities, the following queries can be run on the Advanced Hunting page of the Microsoft 365 security centre [1,6].\n\n### Advanced Hunting in Microsoft Defender XDR\n\n>_NOTE: The following sample queries search for a week\u2019s worth of events. 
For longer timespans, the default settings of Advanced Hunting would need to be adapted [1]._\n\n#### Successful exploitation using file creation\n\nSearch for the creation of `spinstall0.aspx`, which indicates successful post-exploitation of CVE-2025-53770:\n\n```\nDeviceFileEvents \n| where FolderPath has_any (\"microsoft shared\\\\Web Server Extensions\\\\15\\\\TEMPLATE\\\\LAYOUTS\", \"microsoft shared\\\\Web Server Extensions\\\\16\\\\TEMPLATE\\\\LAYOUTS\") \n| where FileName contains \"spinstall\"\n| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256 \n| order by Timestamp desc\n```\n\n#### Post-exploitation PowerShell dropping web shell\n\nSearch for process creations where `w3wp.exe` spawns encoded PowerShell that references the `spinstall0` file or the paths it has been known to be written to. The `-EncodedCommand` argument is UTF-16LE, which is why the query strips NUL bytes from the decoded string before matching:\n\n```\nDeviceProcessEvents\n| where InitiatingProcessFileName has \"w3wp.exe\"\n    and InitiatingProcessCommandLine !has \"DefaultAppPool\"\n    and FileName =~ \"cmd.exe\"\n    and ProcessCommandLine has_all (\"cmd.exe\", \"powershell\")\n    and ProcessCommandLine has_any (\"EncodedCommand\", \"-ec\")\n| extend CommandArguments = split(ProcessCommandLine, \" \")\n| mv-expand CommandArguments to typeof(string)\n| where CommandArguments matches regex \"^[A-Za-z0-9+/=]{15,}$\"\n| extend B64Decode = replace(\"\\\\x00\", \"\", base64_decodestring(tostring(CommandArguments)))\n| where B64Decode has_any (\"spinstall\", @'C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS', @'C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS')\n```\n\n#### Post-exploitation web shell dropped\n\nSearch for the web shell dropped by the PowerShell command:\n\n```\nDeviceFileEvents\n| where Timestamp >ago(7d)\n| where InitiatingProcessFileName=~\"powershell.exe\"\n| where FileName contains \"spinstall\"\n```\n\n#### Exploitation detected by Defender\n\nSearch 
Microsoft Defender for Endpoint telemetry to determine if specific alerts fired in your environment:\n\n```\nAlertEvidence \n| where Timestamp > ago(7d) \n| where Title has \"SuspSignoutReq\" \n| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName),\"\") \n| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId,isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey) )\n```\n\n### Unified Advanced Hunting query\n\n#### Find exposed devices\n\nSearch for devices that Defender Vulnerability Management reports as vulnerable to the CVEs covered in [5]:\n\n```\nDeviceTvmSoftwareVulnerabilities\n| where CveId in (\"CVE-2025-49706\",\"CVE-2025-53770\")\n```\n\n#### Web shell C2 communication\n\nFind devices that may have communicated with the Storm-2603 web shell C2, which would indicate a compromised device beaconing to Storm-2603-controlled infrastructure. This query unions Defender XDR and Microsoft Sentinel tables, so it needs a workspace onboarded to the unified Defender portal; remove the branches for tables that do not exist in your tenant:\n\n```\nlet domainList = \"update.updatemicfosoft.com\";\nunion\n(\n    DnsEvents\n    | where QueryType has_any(domainList) or Name has_any(domainList) or QueryType matches regex @\"^.*\\.devtunnels\\.ms$\" or Name matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated, Domain = Name, SourceTable = \"DnsEvents\"\n),\n(\n    IdentityQueryEvents\n    | where QueryTarget has_any(domainList) or QueryType matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\n),\n(\n    DeviceNetworkEvents\n    | where RemoteUrl has_any(domainList) or RemoteUrl matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\n),\n(\n    DeviceNetworkInfo\n    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\n    | mv-expand DnsAddresses, ConnectedNetworks\n    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) or DnsAddresses matches regex @\"^.*\\.devtunnels\\.ms$\" or 
ConnectedNetworks.Name matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = \"DeviceNetworkInfo\"\n),\n(\n    VMConnection\n    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)\n    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\n    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) or RemoteDnsQuestions matches regex @\"^.*\\.devtunnels\\.ms$\" or RemoteDnsCanonicalNames matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = \"VMConnection\"\n),\n(\n    W3CIISLog\n    | where csHost has_any(domainList) or csReferer has_any(domainList) or csHost matches regex @\"^.*\\.devtunnels\\.ms$\" or csReferer matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\n),\n(\n    EmailUrlInfo\n    | where UrlDomain has_any(domainList) or UrlDomain matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\n),\n(\n    UrlClickEvents\n    | where Url has_any(domainList) or Url matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\n)\n| order by TimeGenerated desc\n```\n\n### Hunting in Microsoft Sentinel\n\n#### Detect network indicators of compromise and file hashes using ASIM\n\nThe following queries use the ASIM network session, web session and file event parsers, so they cover any data source normalised by ASIM; the indicators are those published by Microsoft [6].\n\n```\n//IP list and domain list- _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"131.226.2.6\", \"134.199.202.205\", \"104.238.159.149\", \"188.130.206.168\"]);\nlet ioc_domains = dynamic([\"c34718cbb4c6.ngrok-free.app\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize 
imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n```\n\n```\n//IP list - _Im_WebSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"131.226.2.6\", \"134.199.202.205\", \"104.238.159.149\", \"188.130.206.168\"]);\nlet ioc_sha_hashes =dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\"]);\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n```\n\n```\n// file hash list - imFileEvent\nlet ioc_sha_hashes = dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\"]);\nimFileEvent\n| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)\n| extend AccountName = tostring(split(User, @'\\')[1]), \n  AccountNTDomain = tostring(split(User, @'\\')[0])\n| extend AlgorithmType = \"SHA256\"\n```\n\n#### Post-exploitation C2 or file hashes\n\nFind devices that may have communicated with Storm-2603 post-exploitation C2 or that contain files with known Storm-2603 hashes:\n\n```\n//IP list - _Im_WebSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"65.38.121.198\"]);\nlet ioc_sha_hashes =dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\", \n\"24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf\", \n\"b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0\", \n\"c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94\", \n\"1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192\", \n\"4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928\", \n\"83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060\", \n\"f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441\", 
\n\"b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d\", \n\"6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d\", \n\"7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68\", \n\"567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443\", \n\"445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86\", \n\"ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a\", \n\"6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5\", \n\"c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139\"]);\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n```\n\n#### Storm-2603 C2 communication\n\nSearch for devices that may have communicated with Storm-2603 C2 infrastructure as part of this activity:\n\n```\n//IP list and domain list- _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"65.38.121.198\"]);\nlet ioc_domains = dynamic([\"update.updatemicfosoft.com\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n```\n\n\n# References\n\n[1] <https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/>\n\n[2] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770>\n\n[3] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771>\n\n[4] <https://research.eye.security/sharepoint-under-siege/>\n\n[5] 
<https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#mitigation-and-protection-guidance>\n\n[6] <https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#indicators-of-compromise>",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/07/2025 --- v1.0 -- Initial publication</em></li><li><em>21/07/2025 --- v1.1 -- Updated information</em></li><li><em>22/07/2025 --- v1.2 -- Updated information from Microsoft</em></li><li><em>24/07/2025 --- v1.3 -- Further updated information from Microsoft</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 19, 2025, Microsoft released an out-of-band advisory addressing two vulnerabilities in Microsoft SharePoint, one of which is rated critical and allows an unauthenticated remote attacker to execute arbitrary code on vulnerable systems [1,2]. These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted. <strong>These critical flaws have been actively exploited in the wild since at least 18 July 2025</strong> [4]. </p><p>It is recommended to isolate vulnerable systems from the Internet and from internal systems, and to run a compromise assessment before updating.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-53770</strong>, with a CVSS score of 9.8, is due to the deserialisation of untrusted data. 
This flaw allows an unauthorised attacker to execute code over a network [2].</p><p>The vulnerability <strong>CVE-2025-53771</strong>, with a CVSS score of 6.3, is a spoofing vulnerability due to improper limitation of a path name to a restricted directory (<em>path traversal</em>) [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerabilities <strong>CVE-2025-53770</strong> and <strong>CVE-2025-53771</strong> affect:</p><ul><li>Microsoft SharePoint Server Subscription Edition</li><li>Microsoft SharePoint Server 2019</li><li>Microsoft SharePoint Enterprise Server 2016</li></ul><blockquote><p><strong>[Updated]</strong> <em>Note: All prior versions of SharePoint are no longer supported and should be considered vulnerable, but <strong>will not be patched</strong> by Microsoft.</em></p></blockquote><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to isolate vulnerable systems from the Internet and from internal systems, and to run a compromise assessment before updating.</p><p><strong>[Updated]</strong> After running a compromise assessment and updating affected servers, it is strongly recommended to rotate the SharePoint Server ASP.NET machine keys and then restart the IIS service using <code>iisreset.exe</code> [1,5]. Installing the update alone does not invalidate machine keys that were already stolen from a compromised server, so rotation should not be skipped [4].</p><h3 id=\"mitigation\">Mitigation</h3><p>The vendor strongly advises deploying Microsoft Defender for Endpoint, or an equivalent endpoint protection solution, as well as enabling and properly configuring the Antimalware Scan Interface (AMSI) [1].</p><h3 id=\"threat-hunting\">Threat Hunting</h3><p>To identify possible exploitation of the vulnerabilities, the following queries can be run on the Advanced Hunting page of the Microsoft 365 security centre [1,6].</p><h4 id=\"advanced-hunting-in-microsoft-defender-xdr\">Advanced Hunting in Microsoft Defender XDR</h4><blockquote><p><em>NOTE: The following sample queries search for a week\u2019s worth of events. 
For longer timespans, the default settings of Advanced Hunting would need to be adapted [1].</em></p></blockquote><h5 id=\"successful-exploitation-using-file-creation\">Successful exploitation using file creation</h5><p>Search for the creation of <code>spinstall0.aspx</code>, which indicates successful post-exploitation of CVE-2025-53770:</p><pre><code>DeviceFileEvents \n| where FolderPath has_any (\"microsoft shared\\\\Web Server Extensions\\\\15\\\\TEMPLATE\\\\LAYOUTS\", \"microsoft shared\\\\Web Server Extensions\\\\16\\\\TEMPLATE\\\\LAYOUTS\") \n| where FileName contains \"spinstall\"\n| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256 \n| order by Timestamp desc\n</code></pre><h5 id=\"post-exploitation-powershell-dropping-web-shell\">Post-exploitation PowerShell dropping web shell</h5><p>Search for process creations where <code>w3wp.exe</code> spawns encoded PowerShell that references the <code>spinstall0</code> file or the paths it has been known to be written to. The <code>-EncodedCommand</code> argument is UTF-16LE, which is why the query strips NUL bytes from the decoded string before matching:</p><pre><code>DeviceProcessEvents\n| where InitiatingProcessFileName has \"w3wp.exe\"\n    and InitiatingProcessCommandLine !has \"DefaultAppPool\"\n    and FileName =~ \"cmd.exe\"\n    and ProcessCommandLine has_all (\"cmd.exe\", \"powershell\")\n    and ProcessCommandLine has_any (\"EncodedCommand\", \"-ec\")\n| extend CommandArguments = split(ProcessCommandLine, \" \")\n| mv-expand CommandArguments to typeof(string)\n| where CommandArguments matches regex \"^[A-Za-z0-9+/=]{15,}$\"\n| extend B64Decode = replace(\"\\\\x00\", \"\", base64_decodestring(tostring(CommandArguments)))\n| where B64Decode has_any (\"spinstall\", @'C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS', @'C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS')\n</code></pre><h5 id=\"post-exploitation-web-shell-dropped\">Post-exploitation web shell dropped</h5><p>Search for the web shell dropped by the 
PowerShell command:</p><pre><code>DeviceFileEvents\n| where Timestamp &gt;ago(7d)\n| where InitiatingProcessFileName=~\"powershell.exe\"\n| where FileName contains \"spinstall\"\n</code></pre><h5 id=\"exploitation-detected-by-defender\">Exploitation detected by Defender</h5><p>Search Microsoft Defender for Endpoint telemetry to determine if specific alerts fired in your environment:</p><pre><code>AlertEvidence \n| where Timestamp &gt; ago(7d) \n| where Title has \"SuspSignoutReq\" \n| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName),\"\") \n| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId,isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey) )\n</code></pre><h4 id=\"unified-advanced-hunting-query\">Unified Advanced Hunting query</h4><h5 id=\"find-exposed-devices\">Find exposed devices</h5><p>Search for devices that Defender Vulnerability Management reports as vulnerable to the CVEs covered in [5]:</p><pre><code>DeviceTvmSoftwareVulnerabilities\n| where CveId in (\"CVE-2025-49706\",\"CVE-2025-53770\")\n</code></pre><h5 id=\"web-shell-c2-communication\">Web shell C2 communication</h5><p>Find devices that may have communicated with the Storm-2603 web shell C2, which would indicate a compromised device beaconing to Storm-2603-controlled infrastructure. This query unions Defender XDR and Microsoft Sentinel tables, so it needs a workspace onboarded to the unified Defender portal; remove the branches for tables that do not exist in your tenant:</p><pre><code>let domainList = \"update.updatemicfosoft.com\";\nunion\n(\n    DnsEvents\n    | where QueryType has_any(domainList) or Name has_any(domainList) or QueryType matches regex @\"^.*\\.devtunnels\\.ms$\" or Name matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated, Domain = Name, SourceTable = \"DnsEvents\"\n),\n(\n    IdentityQueryEvents\n    | where QueryTarget has_any(domainList) or QueryType matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\n),\n(\n    DeviceNetworkEvents\n    | where RemoteUrl has_any(domainList) or RemoteUrl matches regex 
@\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\n),\n(\n    DeviceNetworkInfo\n    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\n    | mv-expand DnsAddresses, ConnectedNetworks\n    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) or DnsAddresses matches regex @\"^.*\\.devtunnels\\.ms$\" or ConnectedNetworks.Name matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = \"DeviceNetworkInfo\"\n),\n(\n    VMConnection\n    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)\n    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\n    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) or RemoteDnsQuestions matches regex @\"^.*\\.devtunnels\\.ms$\" or RemoteDnsCanonicalNames matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = \"VMConnection\"\n),\n(\n    W3CIISLog\n    | where csHost has_any(domainList) or csReferer has_any(domainList) or csHost matches regex @\"^.*\\.devtunnels\\.ms$\" or csReferer matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\n),\n(\n    EmailUrlInfo\n    | where UrlDomain has_any(domainList) or UrlDomain matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\n),\n(\n    UrlClickEvents\n    | where Url has_any(domainList) or Url matches regex @\"^.*\\.devtunnels\\.ms$\"\n    | project TimeGenerated = Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\n)\n| order by TimeGenerated desc\n</code></pre><h4 id=\"hunting-in-microsoft-sentinel\">Hunting in Microsoft 
Sentinel</h4><h5 id=\"detect-network-indicators-of-compromise-and-file-hashes-using-asim\">Detect network indicators of compromise and file hashes using ASIM</h5><p>The following queries use the ASIM network session, web session and file event parsers, so they cover any data source normalised by ASIM; the indicators are those published by Microsoft [6].</p><pre><code>//IP list and domain list- _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"131.226.2.6\", \"134.199.202.205\", \"104.238.159.149\", \"188.130.206.168\"]);\nlet ioc_domains = dynamic([\"c34718cbb4c6.ngrok-free.app\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n</code></pre><pre><code>//IP list - _Im_WebSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"131.226.2.6\", \"134.199.202.205\", \"104.238.159.149\", \"188.130.206.168\"]);\nlet ioc_sha_hashes =dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\"]);\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n</code></pre><pre><code>// file hash list - imFileEvent\nlet ioc_sha_hashes = dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\"]);\nimFileEvent\n| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)\n| extend AccountName = tostring(split(User, @'\\')[1]), \n  AccountNTDomain = tostring(split(User, @'\\')[0])\n| extend AlgorithmType = \"SHA256\"\n</code></pre><h5 id=\"post-exploitation-c2-or-file-hashes\">Post-exploitation C2 or file hashes</h5><p>Find devices that may have communicated with Storm-2603 post-exploitation C2 or that contain files with known Storm-2603 hashes:</p><pre><code>//IP list - _Im_WebSession\nlet lookback = 30d;\nlet 
ioc_ip_addr = dynamic([\"65.38.121.198\"]);\nlet ioc_sha_hashes =dynamic([\"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514\", \n\"24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf\", \n\"b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0\", \n\"c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94\", \n\"1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192\", \n\"4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928\", \n\"83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060\", \n\"f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441\", \n\"b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d\", \n\"6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d\", \n\"7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68\", \n\"567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443\", \n\"445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86\", \n\"ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a\", \n\"6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5\", \n\"c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139\"]);\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n</code></pre><h5 id=\"storm-2603-c2-communication\">Storm-2603 C2 communication</h5><p>Search for devices that may have communicated with Storm-2603 C2 infrastructure as part of this activity:</p><pre><code>//IP list and domain list- _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"65.38.121.198\"]);\nlet ioc_domains = dynamic([\"update.updatemicfosoft.com\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where 
DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\n  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n</code></pre><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/\">https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://research.eye.security/sharepoint-under-siege/\">https://research.eye.security/sharepoint-under-siege/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#mitigation-and-protection-guidance\">https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#mitigation-and-protection-guidance</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#indicators-of-compromise\">https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#indicators-of-compromise</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
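
Added example for the "Post-exploitation PowerShell dropping web shell" hunt in the advisory record above. This is editor-provided PowerShell, not part of the CERT-EU advisory or of Microsoft's guidance: it re-implements that query's filters locally over constructed DeviceProcessEvents-style records (invented devices, timestamps and command lines; the encoded bodies are generated at run time from harmless text), and it decodes the `-EncodedCommand` argument as UTF-16LE instead of stripping NUL bytes afterwards as the KQL does. The indicator strings are the ones the advisory's query uses; the function names are this example's own.

```powershell
# Added example: the filters of the advisory's "Post-exploitation PowerShell dropping
# web shell" query, re-implemented in PowerShell over constructed records (not from the
# CERT-EU advisory or from Microsoft). The -EncodedCommand argument is UTF-16LE, which
# is why the KQL strips \x00 after base64_decodestring; here it is decoded as UTF-16LE.

# Strings the query looks for in the decoded command: the web-shell name and the 8.3
# short forms of the two LAYOUTS drop paths, both taken from the advisory.
$Indicators = @(
    'spinstall',
    'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS',
    'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
)

function ConvertFrom-EncodedArgument {
    # Decode one base64 token. powershell -ec expects UTF-16LE; an odd byte count cannot
    # be UTF-16, so fall back to UTF-8 for tokens that merely look like base64.
    param([string]$Token)
    try { $bytes = [Convert]::FromBase64String($Token) } catch { return $null }
    if ($bytes.Length % 2 -eq 0) { return [Text.Encoding]::Unicode.GetString($bytes) }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Find-WebShellDropper {
    # Same conditions as the KQL: w3wp.exe (not the DefaultAppPool) spawning cmd.exe that
    # runs encoded PowerShell whose decoded body names spinstall or a LAYOUTS path.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.InitiatingProcessFileName -ne 'w3wp.exe') { continue }
        if ($e.InitiatingProcessCommandLine -match 'DefaultAppPool') { continue }
        if ($e.FileName -ne 'cmd.exe') { continue }
        if ($e.ProcessCommandLine -notmatch 'cmd\.exe' -or $e.ProcessCommandLine -notmatch 'powershell') { continue }
        if ($e.ProcessCommandLine -notmatch '(?i)(?:-EncodedCommand|-ec)\b') { continue }
        $tokens = ($e.ProcessCommandLine -split ' ') | Where-Object { $_ -match '^[A-Za-z0-9+/=]{15,}$' }
        foreach ($t in $tokens) {
            $decoded = ConvertFrom-EncodedArgument $t
            if (-not $decoded) { continue }
            $hit = $Indicators | Where-Object { $decoded -like "*$_*" } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Timestamp  = $e.Timestamp
                    DeviceName = $e.DeviceName
                    Indicator  = $hit
                    Decoded    = $decoded
                }
            }
        }
    }
}

# Constructed sample records (invented devices, times and command lines). The encoded
# bodies are generated here from harmless text so the example carries no attacker payload;
# only the first record shows the pattern the advisory describes.
function New-EncodedCommand([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Text))
}
$dropper = New-EncodedCommand "Set-Content -Path 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx' -Value 'placeholder'"
$benign  = New-EncodedCommand 'Get-Date | Out-File C:\inetpub\logs\health.txt'

$SampleEvents = @(
    [pscustomobject]@{
        Timestamp = '2025-07-18T21:03:11Z'; DeviceName = 'SP01'
        InitiatingProcessFileName = 'w3wp.exe'; InitiatingProcessCommandLine = 'w3wp.exe -ap "SharePoint - 80"'
        FileName = 'cmd.exe'; ProcessCommandLine = "cmd.exe /c powershell -EncodedCommand $dropper"
    }
    [pscustomobject]@{   # excluded by the DefaultAppPool filter
        Timestamp = '2025-07-18T21:05:40Z'; DeviceName = 'SP01'
        InitiatingProcessFileName = 'w3wp.exe'; InitiatingProcessCommandLine = 'w3wp.exe -ap "DefaultAppPool"'
        FileName = 'cmd.exe'; ProcessCommandLine = "cmd.exe /c powershell -ec $dropper"
    }
    [pscustomobject]@{   # excluded: the decoded body names no indicator
        Timestamp = '2025-07-18T22:00:00Z'; DeviceName = 'SP02'
        InitiatingProcessFileName = 'w3wp.exe'; InitiatingProcessCommandLine = 'w3wp.exe -ap "SharePoint - 80"'
        FileName = 'cmd.exe'; ProcessCommandLine = "cmd.exe /c powershell -ec $benign"
    }
)

Find-WebShellDropper -Events $SampleEvents | Format-Table Timestamp, DeviceName, Indicator -AutoSize
```

The second record is discarded by the DefaultAppPool exclusion and the third because its decoded body contains neither `spinstall` nor a LAYOUTS path, so only the first is reported. To run the same logic over real data, feed `Find-WebShellDropper` objects exported from Advanced Hunting or from Sysmon/4688 process-creation events mapped to the same field names.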
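
Added example for the Recommendations section of the advisory record above (assess, update, rotate the ASP.NET machine keys, restart IIS). This is editor-provided PowerShell, not part of the CERT-EU advisory or of Microsoft's guidance. It assumes the LAYOUTS paths and SHA-256 values published in the advisory's hunting queries, the SharePoint Management Shell on a farm server run as a farm administrator, and that `Update-SPMachineKey` is the cmdlet referred to in [1,5] for machine key rotation; the function names and the `-Rotate` switch are this example's own.

```powershell
# Added example (not from the CERT-EU advisory or Microsoft): local triage of an on-premises
# SharePoint server for the artefacts named in the advisory, followed by the machine-key
# rotation and IIS restart it recommends. Run from the SharePoint Management Shell as a farm
# administrator. Assumptions: LAYOUTS paths and SHA-256 values come from the advisory's
# hunting queries; Update-SPMachineKey is the cmdlet Microsoft's guidance [1,5] names for
# rotation; the function names and the -Rotate switch are this example's own.
[CmdletBinding()]
param(
    # Rotate keys only once the compromise assessment is clean and the July 2025 update is installed.
    [switch]$Rotate
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SHA-256 values from the advisory's Sentinel queries (spinstall0 and Storm-2603 tooling).
$IocHashes = @(
    '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514',
    '24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf',
    'b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0',
    'c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94',
    '1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192',
    '4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928',
    '83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060',
    'f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441',
    'b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d',
    '6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d',
    '7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68',
    '567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443',
    '445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86',
    'ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a',
    '6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5',
    'c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139'
)

# Web-shell drop locations from the DeviceFileEvents query: the 15 and 16 hives under Common Files.
$LayoutsDirs = foreach ($hive in '15', '16') {
    Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\$hive\TEMPLATE\LAYOUTS"
}

function Find-SuspiciousLayoutFiles {
    # One record per file whose name contains "spinstall" or whose SHA-256 is a known IoC.
    # Every file under both LAYOUTS trees is hashed, so allow a few minutes per server.
    foreach ($dir in $LayoutsDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if (-not $fh) { return }   # locked or unreadable file: skip this iteration only
            $hash   = $fh.Hash.ToLowerInvariant()
            $byName = $_.Name -like '*spinstall*'
            $byHash = $IocHashes -contains $hash
            if (-not ($byName -or $byHash)) { return }
            $reason = 'spinstall file name'
            if ($byHash) { $reason = 'known IoC hash' }
            [pscustomobject]@{
                Path    = $_.FullName
                Sha256  = $hash
                Created = $_.CreationTimeUtc
                Reason  = $reason
            }
        }
    }
}

function Invoke-MachineKeyRotation {
    # Advisory order: assess, update, then rotate the ASP.NET machine keys of every web
    # application (Central Administration included) and restart IIS [1,5].
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        throw 'Update-SPMachineKey is not available: confirm the SharePoint snap-in is loaded and the July 2025 update is installed.'
    }
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Write-Host "Rotating machine key for $($_.Url)"
        Update-SPMachineKey -WebApplication $_
    }
    & iisreset.exe
}

$findings = @(Find-SuspiciousLayoutFiles)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) suspicious file(s) under LAYOUTS: keep the server isolated and escalate to incident response before patching or rotating keys."
    exit 1
}
Write-Host 'No spinstall artefacts or known IoC hashes found under LAYOUTS.'
if ($Rotate) { Invoke-MachineKeyRotation }
```

Run it first without `-Rotate`: it exits non-zero when anything suspicious is found, matching the advisory's instruction to complete a compromise assessment before updating. Once the assessment is clean and the July 2025 update is installed, run it again with `-Rotate` on each server in the farm. A clean LAYOUTS tree is not proof of absence, so the Advanced Hunting and Sentinel queries in the advisory should still be run against the farm's telemetry.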