Hello and welcome to the Thursday, July 24, 2025 edition of the Sands and then at Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in Applied Cybersecurity.

Security. Well, today I still spend some time with the

SharePoint tool shell exploits that we have been collecting and others have been collecting

to do a little bit reverse analysis on them. So I figured that I'll summarize some of the things

that I learned here in a quick blog post. Also, I did

a video showing you a little bit how some of this works. And, well, it's actually not terribly

difficult for many of these exploits to figure out exactly what the attacker does. To get

started, first of all, of course, there is the refer.

That's one of the key features here that's being exploited by this vulnerability

or by this exploit.

And then it's really just a lot of decoding base 64.

So there's base 64 and base 64.

That's sort of what it all ends up.

Now it starts out here with this compressed data table feature, which is Bay 64 and compressed and moves on from there. Don't want to go over everything here in the podcast because many of you may not

really be that interested, but here is sort of the final page that was uploaded by some of the

early exploits that stole the machine key from the system. Other than that, no real sort of big

fundamental new use here. Lots of research and I know, scanning for machines that may have this particular backdoor

installed on the system.

This releases the machine keys.

And that's, again, the key lesson I think here that can't be emphasized enough that

...