A purple-team / detection-engineering module that emulates the observable artifacts of the ToolShell SharePoint attack chain (CVE-2025-53770 / CVE-2025-49706 / CVE-2025-53771) so you can validate SIEM/EDR detection content against realistic signal — without running a live exploit.
It emits IOC-matching telemetry: an inert spinstall0.aspx (+ variants)
under the LAYOUTS tree, IIS access-log lines for the ToolPane.aspx POST and
the spinstall0.aspx GET, a w3wp.exe → cmd.exe → powershell -EncodedCommand
process record, and a fake pipe-delimited machineKey exfil shape.
It does not implement the auth bypass, the .NET deserialization/gadget
chain, any real machineKey derivation, or any functional web shell. Dropped
files are inert stubs (banner + no-op). Everything is gated behind
--i-own-this-lab and confined to --lab-root.
| Control | Mechanism |
|---|---|
| Authorization gate | --i-own-this-lab required or the tool refuses to run |
| Blast-radius | --lab-root required; LabGuard blocks any write that resolves outside it |
| Inert payloads | Web-shell stubs contain no executable handler; PowerShell payload decodes to Write-Output |
| Fake secrets only | machineKey placeholder is all-zero, clearly labelled, never derived from real material |
| Attribution | Every artifact carries the TOOLSHELL-BAS-EMULATION-DO-NOT-TREAT-AS-REAL marker |
| Reversibility | Append-only JSONL manifest; cleanup removes every emitted artifact |
python toolshell_bas_emulator.py --i-own-this-lab --lab-root C:\bas_lab run-all
python toolshell_bas_emulator.py --i-own-this-lab --lab-root C:\bas_lab emit-process-chain --live-spawn
python toolshell_bas_emulator.py --i-own-this-lab --lab-root C:\bas_lab cleanup
Subcommands: emit-webshell, emit-iis-logs, emit-process-chain
(--live-spawn optional, Windows-only real chain), emit-machinekey,
run-all, cleanup. Flags: --sp-version {15,16}, --client-ip.
toolshell_bas_emulator.py— the emulatorattack_navigator_layer.json— ATT&CK Navigator layer (v4.5)coverage_matrix.md— technique → artifact → detection → statussigma/— three highest-value Sigma rule stubs
- Hash/content signatures won't fire on the inert stub — by design; use vendor test files for those detection classes.
--live-spawnparentage isn'tw3wp.exe(real parent is this script). The synthetic Sysmon EID 1 carries correctw3wp.exeparentage and is what you use to validate the parentage rule in the SIEM.
See coverage_matrix.md for the full mapping and run order.