
Suspicious File Write to SharePoint Layouts Directory

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects suspicious file writes to the SharePoint LAYOUTS directory, which could indicate web shell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.

MITRE ATT&CK coverage

Tactic            Technique
Initial Access    T1190 Exploit Public-Facing Application
Persistence       T1505.003 Server Software Component: Web Shell

Event coverage

Provider    Event ID    Title
Sysmon      11          FileCreate

Stages and Predicates

Stage 1: selection

or:
  Image|endswith: '\cmd.exe'
  Image|endswith: '\powershell.exe'
  Image|endswith: '\powershell_ise.exe'
  Image|endswith: '\pwsh.exe'
  Image|endswith: '\w3wp.exe'
or:
  TargetFilename|endswith: '.asax'
  TargetFilename|endswith: '.ascx'
  TargetFilename|endswith: '.ashx'
  TargetFilename|endswith: '.asmx'
  TargetFilename|endswith: '.asp'
  TargetFilename|endswith: '.aspx'
  TargetFilename|endswith: '.bat'
  TargetFilename|endswith: '.cer'
  TargetFilename|endswith: '.cmd'
  TargetFilename|endswith: '.config'
  TargetFilename|endswith: '.hta'
  TargetFilename|endswith: '.js'
  TargetFilename|endswith: '.jsp'
  TargetFilename|endswith: '.jspx'
  TargetFilename|endswith: '.php'
  TargetFilename|endswith: '.ps1'
  TargetFilename|endswith: '.vbs'
or:
  TargetFilename|contains: '\15\TEMPLATE\LAYOUTS\'
  TargetFilename|contains: '\16\TEMPLATE\LAYOUTS\'
or:
  TargetFilename|startswith: 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
  TargetFilename|startswith: 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
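The selection above is a standard Sigma field map: the values inside each group are ORed, and the four groups are ANDed, with string modifiers matching case-insensitively. The following is an added example (not the rule's own code and not a Sigma backend) that implements that logic directly in Python and runs it over constructed Sysmon Event ID 11 records. The host paths, file names and the helper names (evaluate_groups, matches_selection, run_rule) are assumptions made for the example; only the field names, values and Event ID come from the rule.

```python
# Added example: a direct Python evaluation of the rule's selection over
# constructed Sysmon FileCreate records. Not the rule's own code.
from typing import Iterable

# Values copied from the rule; groups below are ANDed, values within ORed.
IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\powershell_ise.exe",
    "\\pwsh.exe", "\\w3wp.exe",
)
TARGET_SUFFIXES = (
    ".asax", ".ascx", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cer",
    ".cmd", ".config", ".hta", ".js", ".jsp", ".jspx", ".php", ".ps1", ".vbs",
)
LAYOUTS_MARKERS = ("\\15\\TEMPLATE\\LAYOUTS\\", "\\16\\TEMPLATE\\LAYOUTS\\")
ROOT_PREFIXES = (
    "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
)


def evaluate_groups(event: dict) -> dict:
    """Return one boolean per OR-group; handy when tuning a near-miss."""
    # Sigma string modifiers are case-insensitive by default, so compare lowercased.
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return {
        "image": any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES),
        "extension": any(target.endswith(s) for s in TARGET_SUFFIXES),
        "layouts_dir": any(m.lower() in target for m in LAYOUTS_MARKERS),
        "sharepoint_root": any(target.startswith(p.lower()) for p in ROOT_PREFIXES),
    }


def matches_selection(event: dict) -> bool:
    """The rule is scoped to Sysmon Event ID 11 and requires all four groups."""
    return event.get("EventID") == 11 and all(evaluate_groups(event).values())


def run_rule(events: Iterable[dict]) -> list:
    """Return the events that would raise this rule."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (no real host data; file names are made up).
SP_ROOT = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\"
SAMPLE_EVENTS = [
    # 1: IIS worker writes an .aspx into the 16-hive LAYOUTS folder -> alert
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": SP_ROOT + "16\\TEMPLATE\\LAYOUTS\\example_dropped.aspx"},
    # 2: same write, but SharePoint installed on D: -> startswith group fails
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "D:\\SharePoint\\16\\TEMPLATE\\LAYOUTS\\example_dropped.aspx"},
    # 3: patch installer writing .aspx into LAYOUTS -> Image group fails (benign update)
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": SP_ROOT + "16\\TEMPLATE\\LAYOUTS\\updated_page.aspx"},
    # 4: cmd.exe drops a .ps1 into the 15-hive LAYOUTS under the x86 root, mixed case -> alert
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\"
                       "Web Server Extensions\\15\\Template\\Layouts\\Stage.PS1"},
    # 5: worker writes a .txt log into LAYOUTS -> extension group fails
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": SP_ROOT + "16\\TEMPLATE\\LAYOUTS\\debug.txt"},
    # 6: Sysmon FileDelete (Event ID 23) of the same path -> outside the rule's event scope
    {"EventID": 23, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": SP_ROOT + "16\\TEMPLATE\\LAYOUTS\\example_dropped.aspx"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        verdict = "ALERT" if matches_selection(ev) else "no match"
        print(f"event {i}: {verdict} {evaluate_groups(ev)}")
```

Event 2 is the case worth keeping in mind when deploying the rule: a SharePoint install on a non-default drive writes to the same LAYOUTS path but never satisfies the startswith group, so the rule stays silent unless the prefixes are extended to the local installation root.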

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind          Values
Image             ends_with
  • \cmd.exe corpus 92 (sigma 92)
  • \powershell.exe corpus 143 (sigma 143)
  • \powershell_ise.exe corpus 27 (sigma 27)
  • \pwsh.exe corpus 140 (sigma 140)
  • \w3wp.exe corpus 6 (sigma 6)
TargetFilename    ends_with
  • .asax
  • .ascx
  • .ashx corpus 3 (sigma 3)
  • .asmx
  • .asp corpus 4 (sigma 4)
  • .aspx corpus 5 (sigma 5)
  • .bat corpus 15 (sigma 15)
  • .cer corpus 2 (sigma 2)
  • .cmd corpus 8 (sigma 8)
  • .config
  • .hta corpus 12 (sigma 12)
  • .js corpus 8 (sigma 8)
  • .jsp corpus 2 (sigma 2)
  • .jspx
  • .php
  • .ps1 corpus 15 (sigma 15)
  • .vbs corpus 16 (sigma 16)
TargetFilename    match
  • \15\TEMPLATE\LAYOUTS\
  • \16\TEMPLATE\LAYOUTS\
TargetFilename    starts_with
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\
  • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\