Detection rules › Splunk
Windows SharePoint Spinstall0 Webshell File Creation
This detection identifies the creation or modification of the "spinstall0.aspx" webshell file in Microsoft SharePoint directories. This file is a known indicator of compromise associated with the exploitation of CVE-2025-53770 (ToolShell vulnerability). Attackers exploit the vulnerability to drop webshells that provide persistent access to compromised SharePoint servers, allowing them to execute arbitrary commands, access sensitive data, and move laterally within the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
| Persistence | T1505.003 Server Software Component: Web Shell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE (Filesystem.file_path="*\\microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS*" OR Filesystem.file_path="*\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS*") Filesystem.file_name="spinstall0.aspx" BY Filesystem.dest, Filesystem.user, Filesystem.file_create_time, Filesystem.file_name, Filesystem.file_path, Filesystem.action, Filesystem.process_guid, Filesystem.process_id, Filesystem.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.file_name | eq |
|
Filesystem.file_path | eq |
|