Type: Detection | Level: high | Status: experimental
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to the SharePoint layouts directory, which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Thu Jul 24
Rule ID: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
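The selection above is a single AND of four field/modifier entries, each OR-ed over its list. The following evaluator, an added example that is not part of the rule, the Sigma project or Phoenix Studio, transcribes that selection and runs it over constructed Sysmon-style file-event records. The field names Image and TargetFilename are the rule's own; the sample executables' paths and the written file names are made up for illustration, and the evaluator assumes Sigma's default case-insensitive string matching (no |cased modifier is used in the rule). It implements the three modifiers generically rather than hard-coding this one rule, so it shows the general Sigma selection semantics of which the rule is one instance.

```python
"""Added example: evaluate the rule's selection against constructed file events.

Not part of the Sigma rule or any project; field names come from the rule,
sample values are constructed.
"""
from __future__ import annotations

# The selection, transcribed from the rule. Keys are "<field>|<modifier>";
# the values in each list are OR-ed, and every key must match (AND),
# which is how Sigma evaluates a selection map.
SELECTION: dict[str, list[str]] = {
    "Image|endswith": [
        "\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe",
        "\\pwsh.exe", "\\w3wp.exe",
    ],
    "TargetFilename|startswith": [
        "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
        "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
    ],
    "TargetFilename|contains": [
        "\\15\\TEMPLATE\\LAYOUTS\\", "\\16\\TEMPLATE\\LAYOUTS\\",
    ],
    "TargetFilename|endswith": [
        ".asax", ".ascx", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cmd",
        ".cer", ".config", ".hta", ".js", ".jsp", ".jspx", ".php", ".ps1", ".vbs",
    ],
}


def _modifier_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; comparisons are case-insensitive by default."""
    v, p = value.lower(), pattern.lower()
    if modifier == "":            # no modifier: exact (case-insensitive) equality
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: dict[str, str], selection=SELECTION) -> bool:
    """True when every field/modifier entry matches at least one of its listed values."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:          # missing field can never satisfy the entry
            return False
        if not any(_modifier_matches(value, modifier, p) for p in patterns):
            return False
    return True


def find_hits(events: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return the events that satisfy `condition: selection`."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (Sysmon Event ID 11 style fields); names are made up.
SAMPLE_EVENTS = [
    # Worker process writes an .aspx into 16\TEMPLATE\LAYOUTS -> hit
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\debug_helper.aspx"},
    # Same process, image file under LAYOUTS\IMAGES -> extension not listed, no hit
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\IMAGES\\logo.png"},
    # Installer writing an .aspx -> Image not in the rule's list, no hit
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\settings.aspx"},
    # PowerShell writing a script outside SharePoint -> path does not match, no hit
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Temp\\deploy.ps1"},
    # Lower-cased path from cmd.exe into 15\TEMPLATE\LAYOUTS -> still a hit (case-insensitive)
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\15\\template\\layouts\\run.bat"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT", hit["Image"], "->", hit["TargetFilename"])
```

The second and third sample events illustrate the two boundaries of the rule: writes into the LAYOUTS tree that are not server-side script or config types are ignored, and writes by processes other than the listed shells and the IIS worker process are ignored even when the file type is listed. When triaging a hit, the file content and the timing relative to any scheduled deployment or patching are the first things to check, since the rule itself only sees the path and the writing process.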
MITRE ATT&CK
Tactics: Initial Access, Persistence
Techniques: T1190 (Exploit Public-Facing Application)
Sub-techniques: T1505.003 (Server Software Component: Web Shell)
Rule Metadata
Rule ID
1f0489be-b496-4ddf-b3a9-5900f2044e9c
Status
experimental
Level
high
Type
Detection
Created
Thu Jul 24
Path
rules/windows/file/file_event/file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml
Raw Tags
attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003