Potential VIEWSTATE RCE Attempt on SharePoint/IIS
Detects potential remote code execution (RCE) attempts targeting IIS web servers running SharePoint via malicious VIEWSTATE payloads in HTTP POST requests. Attackers may exploit insecure deserialization in the VIEWSTATE parameter to execute arbitrary code. This rule identifies suspicious requests containing VIEWSTATE data and other indicators of exploitation, specifically those associated with the Toolshell exploit chain. Toolshell leverages vulnerabilities (CVE-2025-53770 and CVE-2025-53771) for initial access, enabling adversaries to deploy a webshell, steal machine keys, sign VIEWSTATE payloads offline, and subsequently send signed payloads to the server to achieve code execution.
Rule type: query
Rule indices:
- logs-network_traffic.http*
Severity: medium
Risk score: 47
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Network
- Tactic: Initial Access
- Use Case: Exploit Detection
- Data Source: Network Traffic
- Data Source: Network Traffic HTTP Logs
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
Network Traffic Setup
This rule requires network traffic logs to be collected from HTTP endpoints, focusing on IIS web servers and SharePoint sites. Ensure logging captures HTTP request and response details, including headers and request bodies for POST requests. Monitoring VIEWSTATE content is critical for detecting deserialization attacks.
Rule query
data_stream.dataset : "network_traffic.http" and network.direction: "ingress" and http.request.method: "POST" and http.request.referrer: *SignOut.aspx and http.request.body.content: *__VIEWSTATE=* and http.request.body.bytes >= 500 and http.response.headers.server: Microsoft-IIS*
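To see which HTTP events the query above would flag, the following is an added Python re-implementation of the rule's clauses run over constructed ECS-style events; it is not Elastic's code, it flattens ECS fields to dotted keys, and it approximates KQL wildcard semantics (case-sensitive, `*` as the only wildcard), which is an assumption.

```python
import re

# Approximation of the KQL operators used in the rule: "*" is the only wildcard
# and the comparison is case-sensitive, as for a keyword field (assumption).
def kql_wildcard(pattern: str, value) -> bool:
    if not isinstance(value, str):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def matches_rule(event: dict) -> bool:
    """Return True when an ECS-style HTTP event satisfies every clause of the rule."""
    body_bytes = event.get("http.request.body.bytes")
    return (
        event.get("data_stream.dataset") == "network_traffic.http"
        and event.get("network.direction") == "ingress"
        and event.get("http.request.method") == "POST"
        # Note: a referrer carrying a query string (…SignOut.aspx?x=1) does not match "*SignOut.aspx".
        and kql_wildcard("*SignOut.aspx", event.get("http.request.referrer"))
        and kql_wildcard("*__VIEWSTATE=*", event.get("http.request.body.content"))
        and isinstance(body_bytes, (int, float)) and body_bytes >= 500
        and kql_wildcard("Microsoft-IIS*", event.get("http.response.headers.server"))
    )

def run_rule(events) -> list:
    """Indices of events that would produce an alert (a 'query' rule fires once per hit)."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

# Constructed sample events: hostnames and body content are placeholders, not real traffic.
def base_event(**overrides) -> dict:
    ev = {
        "data_stream.dataset": "network_traffic.http",
        "network.direction": "ingress",
        "http.request.method": "POST",
        "http.request.referrer": "https://sharepoint.example.test/_layouts/SignOut.aspx",
        "http.request.body.content": "__VIEWSTATE=" + "Q" * 600,
        "http.request.body.bytes": 612,
        "http.response.headers.server": "Microsoft-IIS/10.0",
    }
    ev.update(overrides)
    return ev

SAMPLE_EVENTS = [
    base_event(),                                                   # every clause holds: alert
    base_event(**{"http.request.body.bytes": 120,
                  "http.request.body.content": "__VIEWSTATE=" + "Q" * 100}),  # below 500 bytes
    base_event(**{"http.request.referrer": "https://sharepoint.example.test/default.aspx"}),
    base_event(**{"http.request.method": "GET"}),                   # rule only covers POST
    base_event(**{"http.response.headers.server": "nginx"}),        # not an IIS response
    base_event(**{"network.direction": "egress"}),                  # outbound, out of scope
]

if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # -> [0]
```

Only the first constructed event satisfies all seven clauses; each of the others drops exactly one clause, which is a quick way to confirm where a benign-but-similar request falls outside the rule.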
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Exploit Public-Facing Application
  - ID: T1190
  - Reference URL: https://attack.mitre.org/techniques/T1190/