Detection rules › YARA-L
Suspicious Filewrites To Sharepoint Layouts
Detects a command-line interpreter (cmd.exe or powershell.exe) writing a file to a SharePoint (\TEMPLATE\LAYOUTS) directory.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1505.003 Server Software Component: Web Shell |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 2 | A process changed a file creation time |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 23 | FileDelete (File Delete archived) |
Rule body yaral
/*
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule ttp_windows_suspicious_filewrites_to_sharepoint_layouts {
meta:
author = "Google Cloud Security"
rule_name = "Suspicious Filewrites To Sharepoint Layouts"
description = "Detects a command-line interpreter (cmd.exe or powershell.exe) writing a file to a SharePoint (\TEMPLATE\LAYOUTS) directory."
severity = "High"
tactic = "TA0003"
technique = "T1505.003"
rule_id = "mr_06c0d5b5-8185-4584-8db0-28c8fd4971ea"
events:
(
$e.metadata.event_type = "FILE_CREATION" or
$e.metadata.event_type = "FILE_MODIFICATION" or
$e.metadata.event_type = "FILE_MOVE"
)
$e.target.file.full_path = /\\\d{1,2}\\TEMPLATE\\LAYOUTS\\[^\\]+$/ nocase
$e.principal.process.file.full_path = /(^|\\)(pwsh|cmd|powershell)\.exe$/ nocase
not $e.principal.process.command_line = /C:\\SP\\Automation\\\\AutoSPInstallerMain.ps1\s+C:\\SP\\Automation\\\\AutoSPInstallerInput.xml/ nocase
outcome:
$principal_hostname = $e.principal.hostname
$risk_score = 85
$vendor_name = array($e.metadata.vendor_name)
$product_name = $e.metadata.product_name
$victim_uid = $e.principal.asset.asset_id
$victim_name = $e.principal.asset.hostname
$victim_netid = array($e.principal.ip)
$adversary_uid = $e.principal.user.userid
$adversary_name = $e.principal.user.user_display_name
$adversary_netid = $e.principal.user.windows_sid
$tmp1 = max(
if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
)
$tmp2 = max(
if($e.security_result.action = "BLOCK", 1)
)
$result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)
$result_time = $e.metadata.event_timestamp.seconds
$event_count = 1
condition:
$e
}
Detection logic
Fires when at least one $e event.
Events
$e
target.file.full_path matches "\\\d{1,2}\\TEMPLATE\\LAYOUTS\\[^\\]+$"principal.process.file.full_path matches "(^|\\)(pwsh|cmd|powershell)\.exe$"principal.process.command_line matches "C:\\SP\\Automation\\\\AutoSPInstallerMain.ps1\s+C:\\SP\\Automation\\\\AutoSPInstallerInput.xml"
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
principal_hostname | $e.principal.hostname |
risk_score | 85 |
vendor_name | array($e.metadata.vendor_name) |
product_name | $e.metadata.product_name |
victim_uid | $e.principal.asset.asset_id |
victim_name | $e.principal.asset.hostname |
victim_netid | array($e.principal.ip) |
adversary_uid | $e.principal.user.userid |
adversary_name | $e.principal.user.user_display_name |
adversary_netid | $e.principal.user.windows_sid |
tmp1 | max( if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2) ) |
tmp2 | max( if($e.security_result.action = "BLOCK", 1) ) |
result | arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2) |
result_time | $e.metadata.event_timestamp.seconds |
event_count | 1 |