On July 8, 2025, Microsoft patched two vulnerabilities in versions of its on-premises SharePoint server: a code-injection flaw (CVE-2025-49704) and an improper authentication flaw (CVE-2025-49706). These became known as the ToolShell flaws, which were discovered and presented by Viettel Security at the Pwn2Own conference in Berlin in May 2025. Attackers began exploiting the vulnerabilities just before Microsoft issued patches, making them zero-day vulnerabilities. It has been suggested that information related to the flaws might have leaked through the Microsoft Active Protections Program, which gives a heads-up to vendors about vulnerabilities to be patched. To make matters worse, the original patches for the flaws were not effective, and attackers began exploiting two related zero-day flaws — CVE-2025-53770, a deserialization of untrusted data flaw, and CVE-2025-53771, a path traversal flaw. In some cases, the attackers installed web shells on affected systems. The activity was widespread. Palo Alto Networks Unit 42 identified dozens of compromised government and commercial organizations. Eye Security, which detected the initial exploitation activity, found more than 400 compromised SharePoint servers worldwide. The Dutch Institute for Vulnerability Disclosure (DIVD) also identified at least 20 compromised organizations.
On July 22, 2025, Microsoft published findings related to attribution. It said that two nation-state Chinese advanced persistent threat (APT) groups, Linen Typhoon and Violet Typhoon, had been exploiting the ToolShell flaws along with another group, Storm-2603, that had been observed deploying ransomware. The Linen Typhoon group has focused on stealing intellectual property since 2012 and has targeted government, defense, strategic planning and human rights organizations. Microsoft traces Violet Typhoon back to 2015 and noted it has an espionage agenda. The group has targeted former government and military personnel along with nongovernmental organizations (NGOs), think tanks, education and media entities as well as the financial and health verticals. Perhaps appropriate for the SharePoint situation, Violet Typhoon “persistently scans for vulnerabilities in the exposed web infrastructure of target organizations, exploiting discovered weaknesses to install web shells,” which is exactly what incident responders discovered with SharePoint exploitation. Less is known about the third group, Storm-2603. Microsoft assessed with “moderate confidence” that it is China-based but says it has not identified links between Storm-2603 and other China groups. However, it is a known ransomware actor that has deployed the Warlock and LockBit strains in the past. In this incident, Storm-2603 was exploiting the SharePoint flaws to deploy the Warlock ransomware.
In this blog post, we will conduct a targeted threat hunt intended to uncover malicious activity associated with ToolShell exploitation using Intel 471’s HUNTER platform. HUNTER contains sets of prewritten threat hunt queries for a variety of security information and event management (SIEM), endpoint detection and response (EDR) and other logging system platforms. Threat hunters can use these queries to search for malicious activity associated with malware and other types of intrusion campaigns, which are drawn from Intel 471’s intelligence and open sources.
This hunt is called “Suspect Child Process to IIS Worker Process (w3wp.exe) - Potential Exploitation” and it is available in the Community Edition of HUNTER for free upon registration. The IIS Worker Process runs web applications and handles requests sent to a web server for a specific application pool. It is also the parent process for many living-off-the-land binaries (LOLBins), which are native Windows tools installed on the operating system (OS), such as the command line (cmd.exe), PowerShell scripting language (powershell.exe) and Windows Management Instrumentation Command-line (WMIC). These LOLBins are often co-opted by attackers, because native Windows tools are less likely to be flagged by security tools than custom malware.
Detecting this w3wp.exe artifact could be a sign of an intrusion. This pattern has been observed in numerous types of malware and exploitation campaigns involving Microsoft products, including the ProxyShell vulnerabilities and in ransomware/extortion attacks by groups including Cl0p, ALPHV and Warlock.
Here’s an example. Palo Alto Networks Unit 42 analyzed an attack from October 2023 executed by Pink Sandstorm (also tracked as Agonizing Serpens and Agrius), an APT suspected to be linked to Iran and known for wiper malware and fake ransomware attacks. The attackers leveraged the IIS Worker Process to launch a sequence of post-exploitation commands for internal reconnaissance and data staging. The activity is indicative of an attacker trying to establish a foothold via a web-facing application and then conducting enumeration and lateral discovery directly from the compromised server. Palo Alto diagrammed the activity as:
A diagram by Palo Alto Networks showing the reconnaissance commands using the Windows command line from the parent w3wp.exe process.
We can apply this intelligence to the threat hunt query logic as seen below. First, it looks for the w3wp.exe parent process and then looks for a list of nine child processes. We’ve published a validation package that can be run before the actual query to ensure the hunt and its logic are functioning correctly. The easiest and most straightforward method to validate would be to run a PowerShell script that renames a copy of cmd.exe or PowerShell.exe as "w3wp.exe" and launches cmd.exe as a child process.
This type of behavioral threat hunting is more likely to turn up broader results that potentially should be investigated. Sometimes attackers will drop their own tools or payloads on machines using cmd.exe, as illustrated in this writeup from Palo Alto’s Cortex threat research team in June 2023. In that incident, the attackers dropped several executables, such as JuicyPotatoNG.exe and iislpe.exe. It would be possible to search for the names of these files as indicators of compromise (IoCs). The problem is that attackers can easily rename these payloads or tools, which means we would miss them if we went hunting solely on indicators from past attacks. That said, hunters should still run searches for IoCs, as they could result in some quick wins. But beware that those indicators are likely to change from attack to attack and should not be relied upon as proof that a system has a clean bill of health.
With the ToolShell attacks, investigators recovered specific commands launched by attackers. Eye Security reported attackers dropped a malicious .aspx web shell into a SharePoint LAYOUTS directory and triggered it via hypertext transfer protocol (HTTP). When executed, the .aspx file caused the IIS Worker Process to launch cmd.exe, which in turn spawned powershell.exe with an encoded command enabling remote code execution (RCE). This multistage process exploited SharePoint’s public exposure and the elevated privileges of its application pool, allowing attackers to execute arbitrary commands and potentially move laterally within a network. This again shows that by searching for an indicator of attack or artifact, such as the w3wp.exe parent process, we can see how it spawns suspicious child processes and get a broader view of activity and increase the chances of spotting malicious behaviors.
Let’s put this hunt into practice using Windows Event logs imported into Splunk.
The query logic shows that we are looking for create_process_name, which is w3wp.exe, and then new processes that come from it: cmd.exe, powershell.exe, bitsadmin.exe and so forth. The results show that on one endpoint run by “jamesmurphy” — our fictitious end user — cmd.exe was launched. This is the type of child process that merits investigation. The next step would be to drill down into the command-line arguments passed to that child process and determine whether they are malicious. These artifacts are valuable. This is where it can quickly get interesting and provide insight into the adversary’s objectives. It could reveal reconnaissance-related commands as described above, or it could reveal activities such as registry key modifications — a sign of persistence — or network connections, which could indicate command-and-control (C2) activity.
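As an added example (not Intel 471’s HUNTER query and not code from Eye Security or Palo Alto Networks), the script below expresses the same parent/child logic in Python over constructed Windows Security Event ID 4688 records rendered as key=value lines, then performs the drill-down step for a flagged child: decoding a PowerShell -EncodedCommand argument so the analyst can read what was run. The field names (Creator_Process_Name, New_Process_Name, Process_Command_Line, Account_Name, ComputerName) are an assumed Splunk-style rendering of 4688 fields, and the child-process list extends the post’s cmd.exe, powershell.exe, bitsadmin.exe and WMIC with a few other common LOLBins as an assumption of this example.

```python
"""Added example: hunt for suspicious child processes of w3wp.exe in 4688-style
events and decode any PowerShell -EncodedCommand found on a flagged child.
All sample events are constructed for this example."""
import base64
import ntpath
import re
from typing import Dict, List, Optional

# Children of w3wp.exe worth investigating. cmd.exe, powershell.exe, bitsadmin.exe
# and wmic.exe come from the post; the rest are this example's assumed additions,
# not the contents of the HUNTER query.
SUSPECT_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "bitsadmin.exe", "wmic.exe",
    "certutil.exe", "rundll32.exe", "mshta.exe", "net.exe",
}

# key=value tokens whose values may be double-quoted (assumed event rendering).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# PowerShell accepts unambiguous prefixes of -EncodedCommand; common short forms listed.
_ENC = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def hunt(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag 4688 events whose parent is w3wp.exe and whose child is a suspect LOLBin."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4688":
            continue
        parent = ntpath.basename(ev.get("Creator_Process_Name", "")).lower()
        child = ntpath.basename(ev.get("New_Process_Name", "")).lower()
        if parent != "w3wp.exe" or child not in SUSPECT_CHILDREN:
            continue
        cmdline = ev.get("Process_Command_Line", "")
        findings.append({
            "host": ev.get("ComputerName"),
            "user": ev.get("Account_Name"),
            "parent": parent,
            "child": child,
            "command_line": cmdline,
            "decoded_command": decode_encoded_command(cmdline),
        })
    return findings


def _event(host: str, user: str, parent: str, child: str, cmdline: str, code: str = "4688") -> str:
    """Build one constructed 4688-style event line for this example."""
    return (f'EventCode={code} ComputerName={host} Account_Name={user} '
            f'Creator_Process_Name="{parent}" New_Process_Name="{child}" '
            f'Process_Command_Line="{cmdline}"')


SYS32 = r"C:\Windows\System32"
W3WP = SYS32 + r"\inetsrv\w3wp.exe"
# A benign recon-style command encoded the way PowerShell expects (UTF-16LE, base64).
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed sample data
    _event("SP01", "jamesmurphy", W3WP, SYS32 + r"\cmd.exe",
           f"cmd.exe /c powershell.exe -EncodedCommand {ENCODED_WHOAMI}"),
    _event("SP01", "jamesmurphy", W3WP, SYS32 + r"\conhost.exe", "conhost.exe 0x4"),
    _event("WS07", "jamesmurphy", r"C:\Windows\explorer.exe", SYS32 + r"\cmd.exe", "cmd.exe"),
    _event("SP01", "SP01$", W3WP, SYS32 + r"\bitsadmin.exe", "bitsadmin.exe /list /allusers"),
    _event("SP01", "jamesmurphy", "-", "-", "-", code="4624"),  # logon event, ignored
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['parent']} -> {f['child']} | {f['command_line']}")
        if f["decoded_command"]:
            print(f"    decoded -EncodedCommand: {f['decoded_command']}")
```

Run stand-alone, the script reports two findings: the cmd.exe child on SP01 (with the encoded PowerShell argument decoded to whoami) and the bitsadmin.exe child; the conhost.exe child, the explorer.exe-spawned cmd.exe and the non-4688 event are ignored. Matching on the base name of the executable rather than the full path keeps the logic robust to differing install locations, while the decoded command line is what lets an analyst judge intent rather than just presence.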
Thanks for joining us for another threat hunt. A video demonstrating this hunt technique can be found here. Be sure to register for a free HUNTER Community Edition account to view other free threat hunt content and our extensive library of threat hunt packages based on our Malware Intelligence and Adversary Intelligence. HUNTER also contains a purpose-built centralized hunt management tool, the HUNT Management Module, for tracking and measuring key hunt performance metrics, coordinating collaborative hunts, managing hunt queries and reporting. For more information, contact Intel 471.