Hunting the Elusive ToolShell In-Memory Payloads in Microsoft SharePoint

Listen to this Post

Featured ImageIn July 2025, cybersecurity professionals faced a new wave of threats targeting Microsoft SharePoint. Known as ToolShell, this exploit chain leverages deserialization and authentication bypass vulnerabilities, specifically CVE-2025-53770 and CVE-2025-53771, in on-premises SharePoint Server 2016, 2019, and Subscription editions. Initially, threat actors attempted to upload web shells directly to SharePoint file systems, but these were easily detected by modern Endpoint Detection and Response (EDR) tools. Adapting quickly, attackers shifted to executing payloads entirely in-memory, making them far harder to detect and analyze. This article explores the step-by-step approach to hunting these in-memory ToolShell payloads using Zeek, DaemonLogger, and Wireshark, revealing how defenders can uncover and decode these sophisticated attacks.

Understanding the Threat Landscape

ToolShell represents a significant evolution in SharePoint-targeted attacks. Early attacks relied on web shells that could be identified by conventional EDR solutions, leaving traces in the file system. The move to in-memory execution means that payloads no longer persist on disk, allowing attackers to operate stealthily. This type of attack exploits weaknesses in deserialization processes, allowing malicious data to execute arbitrary code when improperly processed by the server. For security teams, the challenge lies in identifying these ephemeral threats before they cause damage or exfiltrate sensitive data.

Hunting for Indicators Using Zeek

The first step in identifying ToolShell activity is examining HTTP traffic. By analyzing Zeek HTTP logs, security analysts can detect suspicious POST requests targeting URLs like /layouts/15/ToolPane.aspx or /layouts/16/ToolPane.aspx with unusual parameters or Referer headers. Special attention is given to requests with a non-zero body length, indicating the potential presence of an exploit payload. By leveraging tools like zcat and zcutter.py, analysts can efficiently review multiple days of compressed logs and filter out entries that match these malicious indicators. This log analysis is critical for narrowing down the investigation to specific suspicious requests.

Preparing PCAP Files for Deep Analysis

Once potential malicious requests are identified, packet captures (PCAPs) provide a detailed view of network activity. Tools like DaemonLogger can capture daily network traffic, producing multiple PCAP files that need merging using Wireshark’s mergecap tool. The combined PCAP ensures that no packets are overlooked, providing a complete dataset for subsequent analysis. This step is essential for capturing the full payload transmission and understanding how the in-memory execution is triggered.

Detailed Packet Analysis in Wireshark

Wireshark allows analysts to filter network traffic to focus on POST requests to targeted SharePoint URLs. By examining specific timestamps, analysts can isolate the request containing the MSOtlPn_DWP parameter, which holds the CompressedDataTable property. This property often contains a base64-encoded payload designed to exploit deserialization vulnerabilities. By extracting this property and decoding it, analysts can reveal the actual in-memory payload and its components, including potentially malicious .NET DLLs.

Decoding Malicious Payloads

Decoding the CompressedDataTable property involves several steps: URL decoding, base64 decoding, and decompression. After these steps, the payload often reveals a method parameter containing a known malicious DLL, such as osvmhdfl.dll. Successfully executed, this payload can extract machine keys and system information, sending it back to the attacker’s server. Additional payloads discovered include security scanner templates and encoded PowerShell commands, which can further compromise system integrity if executed.

Discovering Advanced Payload Variants

Some ToolShell payloads contain Nuclei Scanner templates, which target CVE-2025-53770, sending DLL binaries like jlaneafi.dll to the SharePoint server. Other payloads include encoded PowerShell commands capable of exfiltrating system information over unconventional ports. These variants demonstrate the adaptability of threat actors and the increasing complexity of SharePoint attacks.

What Undercode Say: Analytical Insights

The evolution from traditional web shell deployment to in-memory execution marks a critical escalation in SharePoint exploitation. In-memory payloads evade conventional file-based EDR tools, making network and memory-level monitoring essential. Zeek logs and PCAP analysis are indispensable for identifying subtle indicators, but proactive measures should include enhanced anomaly detection, real-time monitoring, and behavior-based heuristics. The reliance on deserialization vulnerabilities highlights the ongoing risk of poorly validated input in enterprise applications.
Moreover, the presence of encoded PowerShell commands indicates attackers are not only stealing data but also establishing potential persistence mechanisms. Organizations should assume that once a ToolShell payload executes, lateral movement is possible, and subsequent attacks could target other servers within the environment. Threat intelligence integration and frequent updates to detection rules, particularly for parameters like MSOtlPn_DWP and CompressedDataTable, are critical.
Another key insight is the value of packet-level analysis. While Zeek logs highlight suspicious activity, Wireshark provides the granular view necessary to decode payloads fully. Analysts who master these combined tools can detect in-memory attacks before they escalate, uncovering both the initial payload and secondary exploits. Finally, the discovery of scanner templates underscores that threat actors may use automated tools to identify and exploit vulnerable SharePoint servers, emphasizing the need for constant patching and vulnerability management.

Fact Checker Results

✅ CVE-2025-53770 and CVE-2025-53771 are legitimate SharePoint vulnerabilities.

✅ In-memory ToolShell payloads bypass traditional file-based detection.

❌ ToolShell attacks are not limited to web shells; they include PowerShell and DLL-based payloads.

Prediction

📊 ToolShell attacks will likely evolve to target SharePoint Subscription Edition with more sophisticated in-memory techniques, including multi-stage payloads. Security teams can expect increased use of encoded PowerShell and DLL payloads that leverage network exfiltration, requiring enhanced real-time monitoring and proactive memory inspection strategies. Emerging detection tools combining network logs, memory forensics, and AI-assisted anomaly detection could become standard defenses against these stealthy attacks.
This proactive approach ensures that organizations are not only responding to ToolShell attacks but actively anticipating the next wave of SharePoint exploitation.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: isc.sans.edu
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon