A high-performance PowerShell 7+ script for scanning IIS logs to detect signs of exploitation related to ToolShell, specifically targeting the zero-day vulnerabilities CVE-2025-53770 and CVE-2025-53771 in Microsoft SharePoint.
This script is hacked together to help DFIR teams, sysadmins, and security professionals identify suspicious activity associated with these vulnerabilities in SharePoint environments and is ideal for defenders who prefer native PowerShell.
Version PS5 is being replaced by version PS7
- Version PS7 will only work in PowerShell 7+ (https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.5#zip)
CVE-2025-53770 and CVE-2025-53771 are recently disclosed vulnerabilities affecting Microsoft SharePoint, potentially allowing remote code execution and exploitation via crafted requests to /ToolPane.aspx, suspicious uploads, or exploitation of ViewState parameters. Attackers may leave forensic traces in IIS logs.
- 🔍 Scans IIS W3C logs recursively from a given root directory.
- 🧠 Detects:
- ToolPane abuse (
ToolPane.aspxexploitation) - Suspicious file accesses (e.g.
spinstall.aspx,ghostfile.aspx, etc.) - Requests from known malicious IPs (via external blocklist)
- ToolPane abuse (
- ⚙️ Fully parallelized using
ForEach-Object -Parallelfor speed. - 🧾 Outputs CSV results for DFIR reporting or SIEM ingestion.
- PowerShell 7.0 or newer
- Admin/Read access to IIS log files
- Internet access to retrieve remote IP blocklist (optional)
-
Edit the top of the script:
$logRoot = "C:\inetpub\logs\LogFiles" # Your log folder $ThrottleLimit = 12 # Number of parallel threads
-
Run the script:
.\toolshellfinderPS7.ps1
-
Results will be saved to:
IIS_IoC_Matches.csv
✅ IoC Set 1 — CVE-2025-53771 (ToolPane abuse)
- POST or GET to:
/_layouts/15/ToolPane.aspx /_layouts/16/ToolPane.aspx
- With query:
DisplayMode=Edit&a=/ToolPane.aspx
- And referer:
/_layouts/SignOut.aspx or "-"
✅ IoC Set 2 — CVE-2025-53770 (Suspicious file names)
- Access to files matching:
spinstall.aspx, spinstall*.aspx, ghostfile.aspx, debug_dev.js, info.js, machinekey.aspx, ghost.aspx, etc.
- Located under:
/_layouts/15/ /_layouts/16/
- With referer:
/SignOut.aspx or -
✅ IoC Set 3 — Malicious IP addresses
- The script dynamically downloads a threat intel list from:
https://raw.githubusercontent.com/zach115th/BlockLists/main/emerging-threats/2025/toolshell/toolshell_ips.txt
ToolShellFinder is a fast, flexible, and battle-tested PowerShell script for detecting real-world exploitation of SharePoint zero-days via log review. Use it in your DFIR toolkit to catch what your EDR may have missed.
