Suspicious File Write to SharePoint Layouts Directory (1f0489be-b496-4ddf-b3a9-5900f2044e9c)

Detects suspicious file writes to the SharePoint layouts directory, which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Suspicious File Write to SharePoint Layouts Directory (1f0489be-b496-4ddf-b3a9-5900f2044e9c) | Sigma-Rules | 1 |
| Suspicious File Write to SharePoint Layouts Directory (1f0489be-b496-4ddf-b3a9-5900f2044e9c) | Sigma-Rules | Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) | Attack Pattern | 1 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2 |