Step 2, Hunt for compromise indicators: Review SharePoint server logs, IIS logs, and Windows Event Logs for anomalous HTTP requests, unexpected process spawning from SharePoint worker processes (w3wp.exe), and unusual outbound connections from SharePoint hosts. Reference Cyberbit's ToolShell campaign analysis for stage-specific behavioral indicators.
Detection & Analysis
NIST 800-61r3 §3.2 (Detection and Analysis)
NIST 800-53 AU-2 (Audit Events)
NIST 800-53 SI-4 (Information System Monitoring)
CIS 8.1 (Establish Centralized Log Management)
CIS 13.7 (Verify User Activity)
Compensating Control
Without SIEM: parse logs locally using PowerShell or grep. Check IIS logs (C:\inetpub\logs\LogFiles\W3SVC*\*.log) for POST requests to /_vti_bin/ or /sites/ with unusual QueryStrings, and grep for HTTP 200/302 responses to suspicious payloads. Check Windows Event Viewer for Event ID 4688 (Process Creation), filtering for w3wp.exe spawning cmd.exe, powershell.exe, or rundll32.exe. Use 'Get-EventLog -LogName Security -InstanceId 4688 -ComputerName [hostname] | Where-Object {$_.Message -match 'w3wp'}'.
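The following PowerShell script is an added example for the no-SIEM case above; it is not part of the original runbook or any vendor tooling. It assumes the default IIS log root, PowerShell 5.1 or later, and an elevated session so the Security log is readable. It parses the IIS W3C logs using each file's own #Fields: header (column order varies per site), flags POST requests to /_vti_bin/ or /sites/ that carry a query string and received a 200 or 302, and reads Event ID 4688 as XML to find children of w3wp.exe by the ParentProcessName field rather than a loose message match. $IisLogRoot and $SuspiciousChildren are the only values you should need to adjust.

```powershell
# Added example (not from the original runbook): local triage of IIS logs and
# Security event 4688 for the indicators named in the compensating control.
# Assumptions: default IIS log path, PowerShell 5.1+, run as local Administrator.
# Output is a list of hits for an analyst to review, not a verdict.

$IisLogRoot = 'C:\inetpub\logs\LogFiles'
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'rundll32.exe')

function Get-IisHits {
    param([string]$LogRoot)
    # IIS W3C logs carry a "#Fields:" header naming the columns; the column order
    # depends on the site's logging configuration, so build the map from the file.
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' | ForEach-Object {
        $fields = $null
        foreach ($line in Get-Content -Path $_.FullName) {
            if ($line.StartsWith('#Fields:')) {
                $fields = ($line.Substring(8).Trim() -split ' ')
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

            # Runbook indicators: POST to /_vti_bin/ or /sites/ with a query string,
            # answered with 200 or 302.
            if ($row['cs-method'] -eq 'POST' -and
                ($row['cs-uri-stem'] -match '^/_vti_bin/|^/sites/') -and
                $row['cs-uri-query'] -ne '-' -and
                $row['sc-status'] -in @('200', '302')) {
                [pscustomobject]@{
                    File   = $_.Name
                    Time   = "$($row['date']) $($row['time'])"
                    Client = $row['c-ip']
                    Uri    = $row['cs-uri-stem']
                    Query  = $row['cs-uri-query']
                    Status = $row['sc-status']
                }
            }
        }
    }
}

function Get-W3wpChildProcesses {
    param([string[]]$Children)
    # Event 4688 carries the parent image in ParentProcessName on Server 2016+ /
    # Windows 10; older builds log only the creator PID, which must be correlated by hand.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $parent = [System.IO.Path]::GetFileName($data['ParentProcessName'])
            $child  = [System.IO.Path]::GetFileName($data['NewProcessName'])
            if ($parent -eq 'w3wp.exe' -and $child -in $Children) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Parent      = $data['ParentProcessName']
                    Child       = $data['NewProcessName']
                    CommandLine = $data['CommandLine']   # only populated if command-line auditing is enabled
                    User        = $data['SubjectUserName']
                }
            }
        }
}

Get-IisHits -LogRoot $IisLogRoot | Format-Table -AutoSize
Get-W3wpChildProcesses -Children $SuspiciousChildren | Format-Table -AutoSize
```

Matching on ParentProcessName is narrower than '-match "w3wp"' against the whole message text, which also fires on benign events that merely mention the worker process; the trade-off is that the field only exists on newer Windows builds, in which case fall back to correlating Creator Process ID with earlier 4688 events for w3wp.exe.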
Preserve Evidence
Preserve unmodified IIS logs (entire W3SVC* directories), Windows Security Event Log exports (Event IDs 4688, 4689, 4624, 4625), and application event logs for SharePoint. Capture a memory dump of each w3wp.exe process (use ProcDump.exe -ma w3wp.exe for forensic analysis) and network traffic via netsh trace if available. Extract SharePoint ULS logs (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\[version]\LOGS\) before analysis.
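The following PowerShell script is an added example of the preservation step above; it is not part of the original runbook. It assumes an elevated session, Sysinternals ProcDump.exe on PATH or in the working directory, an evidence volume with enough free space (the D:\Evidence root is a placeholder), and a $SharePointVersion of 15 (SharePoint 2013) or 16 (2016, 2019, Subscription Edition) for the ULS path. It copies the IIS and ULS directories with timestamps intact, exports only the listed Security event IDs as native .evtx, dumps every w3wp.exe worker by PID (a SharePoint host normally runs several app pools, and ProcDump stops on an ambiguous name), starts a netsh trace, and writes a SHA-256 manifest so the analysis copy can later be shown to match what was collected.

```powershell
# Added example (not from the original runbook): collect the evidence listed in
# the Preserve Evidence step into one timestamped folder and hash it.
# Assumptions: run as Administrator; procdump.exe is reachable; D:\Evidence is a
# placeholder evidence volume; $SharePointVersion is 15 or 16.

$SharePointVersion = '16'
$EvidenceRoot = Join-Path 'D:\Evidence' ("sp-{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

# 1. IIS logs: whole W3SVC* tree, preserving data/attributes/timestamps (/COPY:DAT).
robocopy 'C:\inetpub\logs\LogFiles' (Join-Path $EvidenceRoot 'iis') /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null

# 2. Security log: export only the event IDs of interest, keeping the native .evtx format.
$xpath       = "*[System[(EventID=4688 or EventID=4689 or EventID=4624 or EventID=4625)]]"
$securityOut = Join-Path $EvidenceRoot 'Security-filtered.evtx'
wevtutil epl Security $securityOut "/q:$xpath"
# Application log, unfiltered, for SharePoint application events.
$appOut = Join-Path $EvidenceRoot 'Application.evtx'
wevtutil epl Application $appOut

# 3. Full memory dump (-ma) of every running w3wp.exe worker, one file per PID.
Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
    $dump = Join-Path $EvidenceRoot "w3wp_$($_.Id).dmp"
    & procdump.exe -accepteula -ma $_.Id $dump | Out-Null
}

# 4. Network capture; stop it later with 'netsh trace stop' once the window you need has passed.
$etl = Join-Path $EvidenceRoot 'net.etl'
netsh trace start capture=yes "tracefile=$etl" maxsize=1024 overwrite=yes | Out-Null

# 5. SharePoint ULS logs.
$uls = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\$SharePointVersion\LOGS"
robocopy $uls (Join-Path $EvidenceRoot 'uls') /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null

# 6. Hash manifest for everything collected so far. The .etl is still being written,
#    so hash it separately after 'netsh trace stop'.
Get-ChildItem -Path $EvidenceRoot -Recurse -File |
    Where-Object { $_.Extension -ne '.etl' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $EvidenceRoot 'manifest.sha256.csv') -NoTypeInformation
```

Collect before any containment action that restarts IIS or recycles app pools, since that discards the worker memory and rotates logs; the manifest should be stored alongside a note of who ran the collection and when.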