Steven Lim
@0x534c
#Cybersecurity #Sentinel #DefenderXDR #KQL #KQLWizard
🏆 365 Days of KQL Today marks the completion of my #365DaysOfKQL challenge! 🎉 I hit 365 KQLs in just under a year—starting this journey on August 2, 2024, and wrapping it up on July 28, 2025. It’s been an incredibly rewarding ride, sharing security operations and threat…

🚨 ToolShell Threat Alert 🚨 @GreyNoiseIO Threat Intelligence has detected multiple DigitalOcean IPs probing for the Microsoft SharePoint ToolShell implant via spinstall0.aspx. ⚠️ If you're running SharePoint on your perimeter, it's time to check your defenses and hunt for…

🚨 60 SharePoint instances pwned in just 4 days — exposed by data and MDE 🕵️♂️ With the SHA256 hash of spinstall0.aspx and FileProfile in Defender XDR, I pinpointed: • 🗓️ The first attack timestamp • 🌐 60 SharePoint instances hit by a zero-day attack. Because data never lie —…
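The hash-plus-FileProfile hunt described in the post above, as an added Defender XDR advanced hunting example (not the author's own query); the hash value is a placeholder to be replaced with the spinstall0.aspx SHA256 from a trusted advisory, and the 30-day window is an assumption:

```kql
// Added example, not the original post's query. Replace the placeholder with
// the SHA256 of spinstall0.aspx published in a trusted advisory before running.
let ToolShellHash = "<SHA256_OF_spinstall0.aspx_PLACEHOLDER>";
// Candidate drops of the implant: match on the known hash, and also on the file
// name so that re-compiled variants with a different hash are not missed.
let Hits = DeviceFileEvents
| where Timestamp > ago(30d)                       // assumed lookback window
| where SHA256 =~ ToolShellHash or FileName =~ "spinstall0.aspx"
| project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256,
          ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine;
// FileProfile() enriches each distinct hash with org-wide and global context
// (GlobalFirstSeen, GlobalPrevalence, ...); at most 1000 rows are enriched.
Hits
| invoke FileProfile("SHA256", 1000)
| summarize FirstSeenInOrg   = min(Timestamp),    // "first attack timestamp"
            LastSeenInOrg    = max(Timestamp),
            AffectedServers  = dcount(DeviceId),  // "instances hit"
            Servers          = make_set(DeviceName, 100),
            DropperProcesses = make_set(InitiatingProcessFileName, 20)
        by SHA256, FileName, GlobalFirstSeen, GlobalPrevalence
| order by FirstSeenInOrg asc
```

A low GlobalPrevalence combined with a GlobalFirstSeen close to FirstSeenInOrg is the signal the post relies on: the file is rare everywhere and appeared in the tenant at the same time as the campaign, so the earliest row is the first compromise to triage.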

Microsoft Defender Threat Intelligence (MDTI) Search 🔍 I’ve created a simple JavaScript bookmarklet to help fellow defenders perform one-click searches in MDTI using Intel Explorer. In the demo video, I search for “spider” across all threat intelligence articles—just one click…

Toolshell Attack - GhostWebShell and KeySiphon Detection 🚨 FortiGuard Labs exposes “ToolShell” — a stealthy exploit chain hitting Microsoft SharePoint via patched + zero-day CVEs. Attackers deploy GhostWebShell for fileless RCE & KeySiphon to steal decryption keys.…

🔐 Token Protection Update (Unofficial) No official word from Microsoft yet—but GitHub docs were quietly updated 4 days ago to include Entra P1 licensing for token protection. If confirmed, this means broader access to detection…

#ToolShell #Warlock 🚨 KQLWizard intel update: Storm-2603 exploited CVE-2025-53770 on 4 internet-facing SharePoint servers on 22 July, deploying Warlock ransomware via ToolShell. Initial access confirmed via observed hash for IIS_Server_dll.dll (Storm-2603 IIS Backdoor).…

🚨 Active exploitation alert: Microsoft warns of ongoing attacks targeting on-prem SharePoint servers via CVE-2025-49706 & CVE-2025-49704. Chinese threat actors (Linen Typhoon, Violet Typhoon, Storm-2603) observed deploying web shells via spoofed POST requests.…

Microsoft has issued a security update for SharePoint Subscription Edition which mitigates CVE-2025-53770 and CVE-2025-53771. Defenders should apply the update immediately. 🫡 #Cybersecurity #Sharepoint #toolshell microsoft.com/en-us/download…

CISA Adds One Known Exploited Vulnerability, CVE-2025-53770 “ToolShell,” to Catalog cisa.gov/news-events/al… #Cybersecurity #Sharepoint #toolshell

🔥 SharePoint CVE-2025-53770 Attack Surface Alert Defender Tip: Hopefully this KQL hasn’t lit up your dashboard 🙏 If it has, initiate a web shell scan immediately and isolate the affected server from the internet until a patch lands. 🫡 detections.ai/share/rule/rLG… #Cybersecurity…

Fresh from the oven ... Threat Analytics Report on Microsoft SharePoint Server Remote Code Execution Vulnerability. You may want to head over to DefenderXDR portal. 🫡
