Skip to content

Steveo21/ToolShell-Emulation

Repository files navigation

ToolShell BAS — Defanged Artifact Emulator

A purple-team / detection-engineering module that emulates the observable artifacts of the ToolShell SharePoint attack chain (CVE-2025-53770 / CVE-2025-49706 / CVE-2025-53771) so you can validate SIEM/EDR detection content against realistic signal — without running a live exploit.

What it is (and isn't)

It emits IOC-matching telemetry: an inert spinstall0.aspx (+ variants) under the LAYOUTS tree, IIS access-log lines for the ToolPane.aspx POST and the spinstall0.aspx GET, a w3wp.exe → cmd.exe → powershell -EncodedCommand process record, and a fake pipe-delimited machineKey exfil shape.

It does not implement the auth bypass, the .NET deserialization/gadget chain, any real machineKey derivation, or any functional web shell. Dropped files are inert stubs (banner + no-op). Everything is gated behind --i-own-this-lab and confined to --lab-root.

Safety model

Control Mechanism
Authorization gate --i-own-this-lab required or the tool refuses to run
Blast-radius --lab-root required; LabGuard blocks any write that resolves outside it
Inert payloads Web-shell stubs contain no executable handler; PowerShell payload decodes to Write-Output
Fake secrets only machineKey placeholder is all-zero, clearly labelled, never derived from real material
Attribution Every artifact carries the TOOLSHELL-BAS-EMULATION-DO-NOT-TREAT-AS-REAL marker
Reversibility Append-only JSONL manifest; cleanup removes every emitted artifact

Usage

python toolshell_bas_emulator.py --i-own-this-lab --lab-root C:\bas_lab run-all
python toolshell_bas_emulator.py --i-own-this-lab --lab-root C:\bas_lab emit-process-chain --live-spawn
python toolshell_bas_emulator.py --i-own-this-lab --lab-root C:\bas_lab cleanup

Subcommands: emit-webshell, emit-iis-logs, emit-process-chain (--live-spawn optional, Windows-only real chain), emit-machinekey, run-all, cleanup. Flags: --sp-version {15,16}, --client-ip.

Files

  • toolshell_bas_emulator.py — the emulator
  • attack_navigator_layer.json — ATT&CK Navigator layer (v4.5)
  • coverage_matrix.md — technique → artifact → detection → status
  • sigma/ — three highest-value Sigma rule stubs

Two documented fidelity gaps (expected, correct)

  1. Hash/content signatures won't fire on the inert stub — by design; use vendor test files for those detection classes.
  2. --live-spawn parentage isn't w3wp.exe (real parent is this script). The synthetic Sysmon EID 1 carries correct w3wp.exe parentage and is what you use to validate the parentage rule in the SIEM.

See coverage_matrix.md for the full mapping and run order.

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages