{"description": "Enterprise techniques used by SharePoint ToolShell Exploitation, ATT&CK campaign C0058 (v1.0)", "name": "SharePoint ToolShell Exploitation (C0058)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [
{"techniqueID": "T1583", "showSubtechniques": true},
{"techniqueID": "T1583.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors registered C2 domains to spoof legitimate Microsoft domains.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1595", "showSubtechniques": true},
{"techniqueID": "T1595.002", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors scanned for SharePoint servers vulnerable to CVE-2025-53770.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors issued HTTP `POST` requests to web shells with spoofed or empty `Referer` headers, to circumvent authorization controls.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1119", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings.(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used PowerShell to execute attacker-controlled encoded commands.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.003", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors utilized `cmd.exe` and batch scripts within the victim environment.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1486", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors deployed ransomware including 4L4MD4R and Warlock.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1005", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors extracted information from the compromised systems.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1074", "showSubtechniques": true},
{"techniqueID": "T1074.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors staged stolen data from web.config files to debug_dev.js.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1140", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors decrypted scripts prior to execution.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1685", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors disabled Microsoft Defender through Registry settings and real-time monitoring via PowerShell.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1484", "showSubtechniques": true},
{"techniqueID": "T1484.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors, including Storm-2603, modified group policy to enable ransomware distribution.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1585", "showSubtechniques": true},
{"techniqueID": "T1585.002", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors created Proton mail accounts for communication with organizations infected with ransomware.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1041", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1190", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted `POST` requests to the ToolPane endpoint `/_layouts/15/ToolPane.aspx`.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1083", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1657", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors demanded ransom payments to decrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1105", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used a loader to download and execute ransomware.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1570", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used [Impacket](https://attack.mitre.org/software/S0357) to remotely stage and execute payloads via WMI.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1112", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors, including Storm-2603, disabled security services via Registry modifications.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.002", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors UPX-packed malicious payloads including 4L4MD4R ransomware.(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.010", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors executed Base64-encoded PowerShell commands.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1588", "showSubtechniques": true},
{"techniqueID": "T1588.002", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors leveraged tools including [Impacket](https://attack.mitre.org/software/S0357), [PsExec](https://attack.mitre.org/software/S0029), and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1003", "showSubtechniques": true},
{"techniqueID": "T1003.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used [Mimikatz](https://attack.mitre.org/software/S0002) to dump LSASS memory.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1572", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors utilized [ngrok](https://attack.mitre.org/software/S0508) tunnels to deliver PowerShell payloads.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1090", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used Fast Reverse Proxy to communicate with C2.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: ESET ToolShell JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1620", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors reflectively loaded payloads using `System.Reflection.Assembly.Load`.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used scheduled tasks to help establish persistence.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1505", "showSubtechniques": true},
{"techniqueID": "T1505.003", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors followed exploitation of SharePoint servers with installation of a malicious .aspx web shell (spinstall0.aspx) that was written to the `_layouts/15/` directory, granting persistent HTTP-based access.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1505.004", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors modified Internet Information Services (IIS) components to load suspicious .NET assemblies for persistence.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1082", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1033", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors executed `whoami` on victim machines to enumerate user context and validate privilege levels.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1569", "showSubtechniques": true},
{"techniqueID": "T1569.002", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors leveraged [PsExec](https://attack.mitre.org/software/S0029) for command execution and used `services.exe` to disable Microsoft Defender via Registry keys.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1552", "showSubtechniques": true},
{"techniqueID": "T1552.001", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors accessed web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)(Citation: SentinelOne ToolShell JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1047", "comment": "During [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058), threat actors used WMI for execution.(Citation: Microsoft SharePoint Exploit JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SharePoint ToolShell Exploitation", "color": "#66b1ff"}]}