
Rule Info
Name
Potential Webshell Upload in SharePoint or Exchange Directories
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of suspicious files in SharePoint or Exchange directories that could indicate a webshell upload.
Webshells are malicious scripts that threat actors install or upload on targeted websites to gain remote access to the system.
Often, they serve as an initial point of infection in cyberattacks.
Reference
Internal Research
Date
2025-04-22 00:00:00
Modified
None
Id
2b959d4e-5a74-4f0b-a90d-5b01fa12126e
Tags
attack.persistence attack.t1505.003
Type
Nextron Sigma feed only (private)