Report to review:
Microsoft shipped fixes for 163 to 167 CVEs on April 8, 2026, depending on how Edge/Chromium flaws are counted [1][2], which places the release at or just below the record 167 set in October 2025 [2]. The batch includes two zero-days: an actively exploited SharePoint spoofing flaw (CVE-2026-32201) already on CISA's Known Exploited Vulnerabilities catalog [3], and a publicly disclosed Microsoft Defender privilege escalation bug (CVE-2026-33825) [2]. A Windows TCP/IP remote code execution vulnerability (CVE-2026-33827) with a 9.8 CVSS score rounds out the most urgent items [2].
Q1 Context: The Volume Trend
April didn't come out of nowhere. The 2026 pattern so far: January addressed 112 CVEs with 3 zero-days, February dropped to 59 CVEs but carried 6 zero-days, and March addressed 83 CVEs. April's total is a sharp spike. Tenable's count puts the number at 163 [2], while BleepingComputer lists 167 [1]; the discrepancy comes down to counting methodology for Edge/Chromium flaws, 80 of which were fixed separately by Google [1].
Either way, the total is at or near the all-time record set in October 2025 at 167 CVEs [2]. The broader trend: vulnerability volume is climbing, zero-days are a monthly fixture, and organizations are patching more often with less time to test.
Vulnerability Breakdown by Severity
Of the 163 to 167 CVEs (depending on source), 8 are rated Critical: 7 remote code execution flaws and 1 denial of service flaw [1]. Elevation of privilege accounts for 57.1% of this month's vulnerabilities [2]. That distribution is telling: attackers who already have a foothold are the primary concern this cycle.
The remaining patches cover remote code execution, information disclosure, spoofing, denial of service, and security feature bypass categories [1].
The CVEs That Matter, Sorted by Product
Not every patch deserves weekend overtime. Below is a prioritized breakdown by product, starting with the most critical items.
Windows TCP/IP
CVE-2026-33827 is the single most dangerous fix this month: a CVSS 9.8 remote code execution flaw in the Windows TCP/IP stack that an unauthenticated attacker can reach over the network against systems with IPv6 and IPSec enabled [2]. Because tcpip.sys is a kernel-mode driver, successful exploitation lands in kernel context rather than in a user-level service. Microsoft's exploitability assessment for it is high [2].
Patch priority: Immediate. Any Windows system that accepts IPv6 traffic and has IPSec enabled is a candidate, internet-facing hosts first. Note that "exposed" is broader than "internet-facing" here: an internal host that can receive IPv6 packets from a compromised neighbour is reachable too. This is the kind of vulnerability that ransomware operators build into automated tooling.
Windows IKE Extension
CVE-2026-33824 also scores 9.8 on CVSS and is a remote code execution flaw in the Windows IKE Extension (the IKEEXT service) [2]. IKE negotiates IPSec security associations and listens on UDP 500 and, for NAT traversal, UDP 4500, so VPN gateways and any Windows host that terminates IPSec are directly exposed.
Patch priority: Immediate for VPN infrastructure and any host running IKEEXT with UDP 500/4500 reachable from untrusted networks.
Microsoft SharePoint Server
CVE-2026-32201 is the actively exploited zero-day, with a CVSS score of 6.5 [2]. It is an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over the network [3]. CISA added it to the KEV catalog on April 14, 2026, with a remediation deadline of April 28 for federal civilian agencies [3].
The moderate CVSS score is deceptive. The Chinese state actors Linen Typhoon and Violet Typhoon, and the Storm-2603 group, have previously run exploitation campaigns against on-premises SharePoint, deploying web shells for persistent access [6]. In the 2025 campaign, which CISA tracked as the "ToolShell" attack chain, that access was used to deploy Warlock ransomware [7].
Patch priority: Immediate for any on-premises SharePoint deployment (SharePoint Online is serviced by Microsoft). Do not let the 6.5 CVSS lull you into complacency: active exploitation means a working exploit is already in use. Patching does not evict an attacker who got in first, so sweep for web shells and review IIS logs before declaring a server clean; for the 2025 campaign Microsoft also advised rotating ASP.NET machine keys after patching, because a stolen key outlives the fix [6].
Microsoft Defender
CVE-2026-33825 is the publicly disclosed zero-day, a local privilege escalation flaw in Microsoft Defender that lets an attacker with local code execution reach SYSTEM [2].
Patch priority: High. The exploit details are public. Mind the delivery channel: Defender Antivirus fixes typically arrive through the antimalware platform and engine updates, which install automatically outside the monthly cumulative update, so verify the installed platform and engine versions against the advisory [8] rather than assuming rollup compliance covers it. Until then, any unpatched Defender host offers a known, reliable escalation path to anyone with local access.
Microsoft Office
Multiple Critical-rated Office bugs were patched where the Preview Pane is the attack vector [1]: rendering a malicious document in Outlook's reading pane or File Explorer's preview pane triggers the bug without the user opening the file in the full application.
Patch priority: High. Preview Pane attacks require no click beyond normal email triage, and user-awareness controls that rely on people not opening attachments don't help.
Remaining Products
The balance of the 167 fixes spans Windows Kernel, Windows Hyper-V, Windows NTFS, Microsoft Edge, Azure services, and various Windows components [1][2]. Most carry Important severity ratings with elevation of privilege being the dominant vulnerability class [2].
Patch priority: Standard cycle for most of these, with exceptions for any internet-facing services.
Secure Boot Certificate Deadline
One additional pressure point: the Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026. Organizations that haven't been tracking the Secure Boot DB and KEK updates through 2025 and early 2026 face a hard deadline. Devices that miss the rotation will keep booting, but can no longer receive signed boot-manager updates or DBX revocations, which leaves pre-boot protections frozen at their current state. This isn't directly tied to April's patches, but it compounds the operational burden on patching teams who are already stretched thin.
IOC Table
Note: These IOCs come from the 2025 SharePoint exploitation campaigns by Chinese state actors as reported by Microsoft [6] and CISA [7]. They are not confirmed to relate to CVE-2026-32201 exploitation, and IP infrastructure from mid-2025 may have been reassigned since, so treat a hit as a lead to investigate rather than a confirmed compromise.
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 65.38.121.198 | C2 infrastructure in SharePoint exploitation campaigns | [6] |
| IP | 131.226.2.6 | SharePoint exploitation activity | [6] |
| IP | 134.199.202.205 | SharePoint attack infrastructure | [6] |
| IP | 104.238.159.149 | C2 server for SharePoint exploitation | [6] |
| IP | 188.130.206.168 | Attack infrastructure | [6] |
| IP | 107.191.58.76 | Scanning and exploitation since July 2025 | [7] |
| IP | 96.9.125.147 | Scanning and exploitation activity | [7] |
| Domain | update.updatemicfosoft.com | Typosquatted C2 domain | [6] |
| Filename | spinstall0.aspx | Web shell on compromised SharePoint servers | [6] |
| Malware | China Chopper | Web shell for persistence on SharePoint | [6] |
| Malware | Warlock ransomware | Deployed on compromised SharePoint systems | [7] |
| Malware | BlueHammer | Privilege escalation exploit targeting Defender | [2] |
MITRE ATT&CK Techniques
| ID | Technique | Relevance |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | CVE-2026-33825 and multiple EoP flaws this cycle [2] |
| T1190 | Exploit Public-Facing Application | SharePoint CVE-2026-32201 exploited in the wild [3][6] |
| T1505.003 | Server Software Component: Web Shell | China Chopper and .aspx web shells on SharePoint servers [6][7] |
| T1210 | Exploitation of Remote Services | TCP/IP CVE-2026-33827 requires no authentication [2] |
| T1078 | Valid Accounts | SharePoint spoofing enables unauthorized access [3] |
Detection and Hunting
For CVE-2026-33827 (TCP/IP RCE):
Exploitation of a kernel TCP/IP bug leaves no authentication event, so hunt on network and stability telemetry instead: inbound ESP (IP protocol 50) and IKE (UDP 500/4500) from sources outside your known IPSec peer list, IDS alerts on IKE/IPSec negotiation attempts from external addresses, and unexpected bugchecks or restarts on IPv6/IPSec hosts (Event ID 1001 BugCheck, 41 Kernel-Power, 6008 unexpected shutdown), which can indicate failed exploitation attempts.
For CVE-2026-32201 (SharePoint Exploitation):
Review SharePoint ULS logs and IIS logs for POST requests to unfamiliar .aspx/.asmx endpoints under /_layouts/ and /_vti_bin/. Hunt for the web shell filename spinstall0.aspx across all SharePoint content and LAYOUTS directories [6]. Query DNS logs for the typosquatted domain update.updatemicfosoft.com [6]. Block the IOC IP addresses listed above at perimeter firewalls and check historical NetFlow for prior connections in both directions, since several of these addresses were used for scanning as well as C2 [7].
index=dns query="*updatemicfosoft*"
| stats count by src_ip, query
(index=proxy OR index=firewall) (dest_ip IN ("65.38.121.198", "131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168", "107.191.58.76", "96.9.125.147") OR src_ip IN ("65.38.121.198", "131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168", "107.191.58.76", "96.9.125.147"))
| stats count by src_ip, dest_ip, dest_port
For CVE-2026-33825 (Defender LPE):
Baseline the child processes of MsMpEng.exe (normally MpCmdRun.exe, MpSigStub.exe and the platform's own helpers) and alert on anything else spawned at SYSTEM integrity. Be aware that several past Defender LPEs worked through file operations performed by the engine (link following during remediation or logging) rather than by spawning a process from it, so pair process telemetry with file creation and deletion events (Sysmon 11, 23 and 26) under Defender's platform and remediation directories, and with 4688 events at SYSTEM whose parent is a standard-user shell.
For Office Preview Pane Attacks:
Monitor for Office process crashes (Application Error 1000 with an Office binary as the faulting module) and unusual child processes of outlook.exe or explorer.exe (cmd.exe, powershell.exe, mshta.exe, rundll32.exe) around document preview operations. Disable the Preview Pane in environments where it is not operationally necessary.
Analysis
The 57.1% concentration of elevation of privilege vulnerabilities tells us something specific about the current threat model [2]. Attackers aren't struggling to get initial access. They're looking for reliable ways to move from standard user to SYSTEM or domain admin. This aligns with the post-exploitation focus we've seen from ransomware operators throughout 2025 and into 2026.
SharePoint continues to be a preferred target for Chinese state actors [6][7]. The pattern is consistent: exploit a web-facing SharePoint flaw, drop a web shell, establish persistence, and either exfiltrate data or hand off access for ransomware deployment. CVE-2026-32201 fits neatly into this playbook.
Red Sheep Assessment
Confidence: Moderate
The combination of a CVSS 9.8 TCP/IP flaw (CVE-2026-33827), a publicly disclosed privilege escalation (CVE-2026-33825) and an actively exploited SharePoint flaw (CVE-2026-32201) creates a compounding risk that individual CVSS scores don't capture. One correction to the obvious chaining story: CVE-2026-33827 is a bug in the kernel-mode TCP/IP driver, so a successful exploit already executes in kernel context and needs no follow-on privilege escalation. The realistic chain for CVE-2026-33825 is different: a foothold as a standard user, via a Preview Pane Office bug or a phished credential, followed by the Defender exploit to reach SYSTEM on that host.
The massive patch volume could indicate improved internal detection rather than a worsening security posture. The company may be finding and fixing more bugs proactively. But the presence of two zero-days (one already exploited, one already disclosed) undercuts that optimistic interpretation. You don't get zero-days from proactive internal audits.
Defender's Checklist
- [ ] Patch CVE-2026-33827 (TCP/IP RCE) within 48 hours on all Windows systems with IPv6 and IPSec enabled, internet-facing hosts first. Where patching must wait, apply the narrowest workaround the advisory [8] offers; Microsoft advises against disabling IPv6 outright on Windows because other components depend on it, so treat that as a last resort and test it before rollout.
- [ ] Patch CVE-2026-32201 (SharePoint) by April 28 per CISA's KEV deadline [3]. Sweep DNS, proxy and firewall logs for the IOCs in the table above [6], starting with the DNS query index=dns query="*updatemicfosoft*", and hunt for spinstall0.aspx on every SharePoint server before declaring the farm clean.
- [ ] Confirm the Defender platform and engine versions on each endpoint meet the fixed versions in the advisory for CVE-2026-33825 [8]. These updates ship through Defender's own update channel rather than the monthly cumulative update, so rollup compliance in WSUS or Intune does not prove it. Audit for unexpected SYSTEM processes originating from Defender-related paths.
- [ ] Disable the Preview Pane in Outlook and File Explorer where it is not required. Outlook per-user value: HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences\ShowReadingPane = 0; enforce it centrally through the matching Outlook Group Policy setting rather than relying on a user-writable key.
- [ ] Begin Secure Boot certificate rotation planning now. The June 2026 expiry leaves roughly 10 weeks. Test DB and KEK updates in a lab environment before broad deployment.
References
[1] https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
[2] https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
[3] https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
[4] https://zecurit.com/endpoint-management/patch-tuesday/
[5] https://www.zerodayinitiative.com/blog/2026/4/14/the-april-2026-security-update-review
[6] https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
[7] https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
[8] https://msrc.microsoft.com/update-guide/releaseNote/2026-Apr
---
Hunt Guide: Microsoft April 2026 Critical Vulnerabilities - TCP/IP RCE and Active SharePoint Exploitation
Hypothesis: If threat actors are exploiting CVE-2026-33827 (TCP/IP RCE), CVE-2026-32201 (SharePoint), or CVE-2026-33825 (Defender LPE) in our environment, we expect to observe anomalous IPv6/IPSec traffic, SharePoint web shell deployments, suspicious Defender process interactions, and connections to known C2 infrastructure in network logs, endpoint telemetry, and web server logs.
Intelligence Summary: Microsoft patched 163 to 167 vulnerabilities including an unauthenticated, network-reachable TCP/IP RCE (CVE-2026-33827, CVSS 9.8), an actively exploited SharePoint flaw (CVE-2026-32201) already on CISA's KEV, and a publicly disclosed Defender privilege escalation (CVE-2026-33825). Chinese state actors previously exploited similar SharePoint vulnerabilities to deploy web shells and ransomware.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows systems with IPv6/IPSec enabled, all SharePoint servers, all endpoints with Microsoft Defender
- Timeframe: Initial sweep: 90 days historical. Ongoing: Real-time alerting
- Priority Systems: Internet-facing Windows servers, SharePoint farms, VPN gateways, domain controllers
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
CVE-2026-33827 enables unauthenticated RCE on Windows systems with IPv6/IPSec enabled; CVE-2026-32201 is a SharePoint spoofing vulnerability exploited in the wild. Scope note for the queries below: Security log events 4624/4625 are produced by authentication, not by packets reaching tcpip.sys, so this hunt surfaces follow-on logon activity over IPv6 from unexpected sources, not the exploit itself. Network-level visibility for the exploit is under T1210; the SharePoint side is covered under T1505.003. The KQL filters only; do the per-address count in a Lens table or with ES|QL STATS.
Splunk SPL:
index=windows EventCode IN (4624, 4625) IpAddress="*:*" NOT IpAddress IN ("::1", "-") | stats count by IpAddress, LogonType, TargetUserName | where count>50
Elastic KQL:
event.code:(4624 or 4625) and winlog.event_data.IpAddress:*\:* and not winlog.event_data.IpAddress:("::1" or "-")
Sigma Rule:
title: Suspicious IPv6 Authentication Attempts
id: 8b4d7e12-9c21-4a85-b9e7-1f4d8c9a2e3b
status: experimental
author: RedSheep Security/Stone
description: Detects bursts of logon events whose source is an IPv6 address; hunts follow-on activity after TCP/IP or IKE exploitation, not the exploit itself
references:
  - Internal research
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4624
      - 4625
    IpAddress|contains: ':'
  filter:
    IpAddress:
      - '::1'
      - '-'
  timeframe: 5m
  condition: selection and not filter | count() by IpAddress > 20
falsepositives:
  - Dual-stack environments where domain logons already travel over IPv6
level: medium
Expect noise in dual-stack environments where domain logons already travel over IPv6; baseline per host and focus on sources outside your own prefixes. A TCP/IP exploit that succeeds silently produces none of these events, and a failed attempt shows up as a bugcheck (Event 1001) or unexpected restart (Event 41/6008) rather than as a logon.
T1505.003 — Server Software Component: Web Shell (Persistence) [P1]
Chinese state actors deployed web shells such as China Chopper and the spinstall0.aspx file on compromised SharePoint servers for persistent access [6][7].
Splunk SPL:
index=iis cs_method=POST cs_uri_stem IN ("*.aspx", "*.asmx") sc_status=200 | regex cs_uri_stem="(?i)(spinstall|shell|cmd|upload|backdoor)" | stats count by c_ip, cs_uri_stem, cs_host
Elastic KQL:
event.dataset:"iis.access" and http.request.method:POST and url.path:(*.aspx or *.asmx) and http.response.status_code:200 and url.path:(*spinstall* or *shell* or *cmd* or *upload*)
Sigma Rule:
title: SharePoint Web Shell Detection
id: 7f5e3a32-4d89-4b72-9e81-2c4d7e8a9f5b
status: experimental
author: RedSheep Security/Stone (indicators from Microsoft's July 2025 SharePoint report)
description: Detects POST requests to web shell file names, including the spinstall0.aspx shell reported on compromised SharePoint servers
references:
  - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
logsource:
  category: webserver
  product: iis
detection:
  selection:
    cs-method: 'POST'
    sc-status: 200
    c-uri|contains:
      - 'spinstall0.aspx'
      - 'shell.aspx'
      - 'cmd.aspx'
  condition: selection
falsepositives:
  - Legitimate SharePoint administrative pages whose names happen to contain these strings
level: high
Also hunt on the file system: alert on new .aspx files written under the SharePoint LAYOUTS directory (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS) via Sysmon Event 11 or Windows 4663 with an audit SACL on that path, especially where the writing process is w3wp.exe rather than an installer, and cross-reference each file's creation time with the first POST to that name in the IIS logs.
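The IIS-log checks described in the report's Detection and Hunting section for CVE-2026-32201 and in the T1505.003 queries above, carried out offline in Python as an added example (this is not code from the report, the hunt guide or Microsoft). Beyond the name-pattern match the SPL, KQL and Sigma rules share, it keeps a baseline of known POST targets so that a web shell with an innocuous name still surfaces, and it records non-200 hits to suspicious names as low-severity probes, which the status-200 filter in the queries above discards. The log lines, the baseline set and the 30-day baselining advice are constructed assumptions for the example; the field names are the standard IIS W3C ones.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log in IIS W3C extended format. Real logs carry the same
# #Fields header; the parser takes the column order from it, so it also works
# on logs with a different field selection as long as the fields used exist.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-15 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.40 Mozilla/5.0 200
2026-04-15 08:02:03 10.0.0.5 POST /_vti_bin/lists.asmx - 443 alice 10.0.0.40 Mozilla/5.0 200
2026-04-15 08:05:44 10.0.0.5 POST /_layouts/15/Upload.aspx - 443 bob 10.0.0.41 Mozilla/5.0 200
2026-04-15 08:05:47 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2026-04-15 08:06:10 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2026-04-15 08:09:31 10.0.0.5 POST /_layouts/15/helper.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2026-04-15 08:11:02 10.0.0.5 POST /_layouts/15/xyz_cmd.aspx - 443 - 198.51.100.23 python-requests/2.31 404
"""

# Web shell name reported by Microsoft [6] plus the generic names the hunt
# guide's queries look for ("upload" is left out: it matches a stock page).
SUSPICIOUS_NAME = re.compile(r"spinstall|shell|cmd|backdoor", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(aspx|asmx|ashx)$", re.IGNORECASE)

# Assumed baseline: POST targets observed on this farm during a clean period.
# Build the real one from 30+ days of logs that predate the exposure window.
BASELINE_POST_TARGETS = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/upload.aspx",
    "/_vti_bin/lists.asmx",
}


@dataclass(frozen=True)
class Finding:
    severity: str          # "high", "medium" or "low"
    reason: str
    c_ip: str
    uri: str
    hits: int


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header may repeat after IIS restarts
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def hunt_webshells(records, baseline=BASELINE_POST_TARGETS):
    """Three checks over POSTs to script endpoints, aggregated per (client, URI)."""
    counts = Counter()
    for r in records:
        uri, status = r["cs-uri-stem"], r["sc-status"]
        if r["cs-method"] != "POST" or not SCRIPT_EXT.search(uri):
            continue
        name = uri.rsplit("/", 1)[-1]
        if SUSPICIOUS_NAME.search(name) and status == "200":
            key = ("high", "suspicious script name answered 200 (possible web shell)")
        elif SUSPICIOUS_NAME.search(name):
            key = ("low", "suspicious script name, status " + status + " (probe or failed drop)")
        elif uri.lower() not in baseline and status == "200":
            key = ("medium", "POST to script endpoint absent from baseline")
        else:
            continue
        counts[key + (r["c-ip"], uri)] += 1
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [Finding(sev, why, ip, uri, n) for (sev, why, ip, uri), n in counts.items()]
    return sorted(findings, key=lambda f: (rank[f.severity], -f.hits))


if __name__ == "__main__":
    for f in hunt_webshells(parse_w3c(SAMPLE_IIS_LOG)):
        print(f"{f.severity:<6} {f.hits:>3}x {f.c_ip:<15} {f.uri}  ({f.reason})")
```

Run against the sample, the two spinstall0.aspx POSTs from 107.191.58.76 come out as one high finding with two hits, the POST to the unbaselined helper.aspx as medium, and the 404 probe for xyz_cmd.aspx as low; the admin POST to Upload.aspx is silent because it is in the baseline. Feed it the real farm's logs with `parse_w3c(open(path).read())` and a baseline built from a clean period.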
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
CVE-2026-33825 allows a local attacker to escalate from standard user to SYSTEM via Microsoft Defender; several other EoP vulnerabilities were patched this cycle. The queries below assume the exploit results in a process spawned by the engine (MsMpEng.exe) at SYSTEM integrity; what that assumption misses is discussed after the rule.
Splunk SPL:
index=sysmon EventCode=1 ParentImage="*\\MsMpEng.exe" IntegrityLevel=System NOT (User="NT AUTHORITY\\SYSTEM" Image IN ("*\\MpCmdRun.exe", "*\\MpSigStub.exe")) | stats count by Image, CommandLine, User, ParentCommandLine
Elastic KQL:
event.code:1 and process.parent.executable:*\\MsMpEng.exe and winlog.event_data.IntegrityLevel:System and not (user.name:SYSTEM and process.executable:(*\\MpCmdRun.exe or *\\MpSigStub.exe))
Sigma Rule:
title: Microsoft Defender Privilege Escalation
id: 9a8d5e21-7c34-4b92-8e71-3f5d9c7a1e2b
status: experimental
author: RedSheep Security/Stone
description: Detects SYSTEM-integrity processes spawned by the Defender engine other than its known helpers; may indicate CVE-2026-33825 exploitation if the exploit executes via the engine
references:
  - CVE-2026-33825
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\MsMpEng.exe'
    IntegrityLevel: 'System'
  filter_known:
    User: 'NT AUTHORITY\SYSTEM'
    Image|endswith:
      - '\MpCmdRun.exe'
      - '\MpSigStub.exe'
  condition: selection and not filter_known
falsepositives:
  - Defender platform updates and remediation helpers not yet in the allow-list; baseline per platform version
level: high
Baseline normal Defender child processes (MpCmdRun.exe, MpSigStub.exe and the platform updater) and alert on anything else spawned at SYSTEM. This rule only sees an exploit that ends in a process spawned by the engine; several past Defender LPEs instead abused file operations the engine performs (link following during remediation or logging), which process creation cannot show. Add file telemetry (Sysmon 11 and 26 under C:\ProgramData\Microsoft\Windows Defender\ and the system directories Defender writes to) to cover that class.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
Threat actors communicate with C2 infrastructure using typosquatted domains and known malicious IPs associated with SharePoint campaigns.
Splunk SPL:
index=dns (query="*updatemicfosoft*" OR answer IN ("65.38.121.198", "131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168", "107.191.58.76", "96.9.125.147")) | stats count by src_ip, query, answer
Elastic KQL:
dns.question.name:*updatemicfosoft* or dns.resolved_ip:("65.38.121.198" or "131.226.2.6" or "134.199.202.205" or "104.238.159.149" or "188.130.206.168" or "107.191.58.76" or "96.9.125.147") or destination.ip:("65.38.121.198" or "131.226.2.6" or "134.199.202.205" or "104.238.159.149" or "188.130.206.168" or "107.191.58.76" or "96.9.125.147")
Sigma Rule:
title: SharePoint C2 Infrastructure Communication
id: 6b7d8e11-5a23-4c89-9f82-1e3d7b9a3f4c
status: experimental
author: RedSheep Security/Stone (indicators reported by Microsoft and CISA in 2025)
description: Detects DNS queries for the typosquatted domain, or answers resolving to IPs, reported in the 2025 SharePoint exploitation campaigns
references:
  - https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
  - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
logsource:
  category: dns
detection:
  selection_domain:
    query|contains: 'updatemicfosoft'
  selection_ip:
    answer:
      - '65.38.121.198'
      - '131.226.2.6'
      - '134.199.202.205'
      - '104.238.159.149'
      - '188.130.206.168'
      - '107.191.58.76'
      - '96.9.125.147'
  condition: 1 of selection_*
falsepositives:
  - Reassigned cloud IP addresses; confirm current attribution before escalating
level: high
These IPs were reported as attack infrastructure in 2025 [6][7]. Several sit in hosting ranges that get reassigned, so treat a connection as a lead that warrants immediate investigation and a check of current attribution, not as proof of compromise on its own. The typosquatted domain is the stronger indicator.
T1210 — Exploitation of Remote Services (Lateral Movement) [P2]
CVE-2026-33827 TCP/IP and CVE-2026-33824 IKE Extension vulnerabilities enable remote exploitation without authentication on IPSec-enabled systems.
Splunk SPL:
index=windows EventCode=5156 Direction=Inbound (Protocol=50 OR Protocol=51 OR (Protocol=17 DestPort IN (500, 4500))) | where NOT cidrmatch("10.0.0.0/8", SourceAddress) AND NOT cidrmatch("172.16.0.0/12", SourceAddress) AND NOT cidrmatch("192.168.0.0/16", SourceAddress) AND NOT cidrmatch("fc00::/7", SourceAddress) AND NOT cidrmatch("fe80::/10", SourceAddress) | stats count by SourceAddress, DestAddress, Protocol, DestPort
Elastic KQL:
event.code:5156 and network.direction:inbound and (network.iana_number:("50" or "51") or (network.iana_number:"17" and destination.port:(500 or 4500))) and not source.ip:("10.0.0.0/8" or "172.16.0.0/12" or "192.168.0.0/16" or "fc00::/7" or "fe80::/10")
Sigma Rule:
title: Suspicious IPSec Traffic from External Sources
id: 4c9d7f22-8b31-4a75-9e62-2d4c8f7b2e1a
status: experimental
author: RedSheep Security/Stone
description: Detects inbound ESP/AH or IKE traffic permitted by the Windows Filtering Platform from sources outside internal address space; exposure visibility for CVE-2026-33827 and CVE-2026-33824
references:
  - CVE-2026-33827
  - CVE-2026-33824
logsource:
  product: windows
  service: security
detection:
  selection_base:
    EventID: 5156
    Direction: '%%14592'   # Inbound
  selection_esp:
    Protocol:
      - '50'   # ESP
      - '51'   # AH
  selection_ike:
    Protocol: '17'   # UDP
    DestPort:
      - '500'
      - '4500'
  filter_internal:
    SourceAddress|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - 'fc00::/7'
      - 'fe80::/10'
  condition: selection_base and (selection_esp or selection_ike) and not filter_internal
falsepositives:
  - Legitimate VPN peers and partner gateways; add them to the filter
level: high
Baseline your IPsec peers (partner VPN gateways, cloud connectors) into the filter; anything else from outside warrants investigation. The IPv6 ULA and link-local ranges are in the filter because an RFC 1918-only exclusion flags every internal IPv6 neighbour. Event 5156 only appears when "Audit Filtering Platform Connection" success auditing is enabled, and on busy hosts it is high-volume, so enable it deliberately on the IPv6/IPSec hosts in scope rather than fleet-wide.
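The network-side hunt the report describes for CVE-2026-33827 and the T1210 queries above, written out as an added Python example (not code from the report or the hunt guide): a filter over Windows Security event 5156 records that flags inbound ESP, AH and IKE/NAT-T from sources outside the organisation's own address space. It goes a step further than the SPL and Sigma rules in two places: the internal-space list is explicit and includes IPv6 ULA and link-local prefixes, and a short allow-list of known external IPsec peers keeps partner gateways out of the queue. The event records, the internal prefix list and the peer allow-list are constructed assumptions for the example; the field names follow the 5156 EventData schema.

```python
import ipaddress
from collections import Counter

INBOUND = "%%14592"                      # 5156 Direction value for inbound
IPSEC_PROTOCOLS = {"50": "ESP", "51": "AH"}
IKE_PORTS = {"500": "IKE", "4500": "IKE NAT-T"}

# Assumed internal address space: RFC 1918, loopback, IPv4 link-local, IPv6 ULA
# and link-local. Extend with your own public prefixes. An explicit list is
# used instead of ipaddress.is_private so the definition stays visible.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
# Assumed allow-list of known external IPsec peers (partner VPN gateways).
KNOWN_PEERS = {"198.51.100.1"}

# Constructed 5156 EventData records; field names follow the event schema.
SAMPLE_EVENTS = [
    {"EventID": "5156", "Direction": "%%14592", "Protocol": "50", "SourceAddress": "198.51.100.1",  "DestAddress": "203.0.113.10", "DestPort": "0"},     # known peer
    {"EventID": "5156", "Direction": "%%14592", "Protocol": "50", "SourceAddress": "203.0.113.77",  "DestAddress": "203.0.113.10", "DestPort": "0"},     # unknown external ESP
    {"EventID": "5156", "Direction": "%%14592", "Protocol": "17", "SourceAddress": "203.0.113.77",  "DestAddress": "203.0.113.10", "DestPort": "4500"},  # unknown external NAT-T
    {"EventID": "5156", "Direction": "%%14592", "Protocol": "50", "SourceAddress": "fe80::1",       "DestAddress": "fe80::2",      "DestPort": "0"},     # link-local, internal
    {"EventID": "5156", "Direction": "%%14592", "Protocol": "50", "SourceAddress": "2001:db8:1::9", "DestAddress": "2001:db8::10", "DestPort": "0"},     # external IPv6 ESP
    {"EventID": "5156", "Direction": "%%14593", "Protocol": "50", "SourceAddress": "203.0.113.10",  "DestAddress": "203.0.113.77", "DestPort": "0"},     # outbound, ignored
    {"EventID": "5156", "Direction": "%%14592", "Protocol": "6",  "SourceAddress": "203.0.113.77",  "DestAddress": "203.0.113.10", "DestPort": "443"},   # plain TCP, ignored
]


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                     # unparsable source: treat as external so it surfaces
    return any(ip in net for net in INTERNAL_NETS)


def classify(event):
    """Label inbound IPsec-related traffic from an unexpected external source, else None."""
    if event.get("EventID") != "5156" or event.get("Direction") != INBOUND:
        return None
    proto = event.get("Protocol")
    label = IPSEC_PROTOCOLS.get(proto)
    if label is None and proto == "17":  # IKE runs over UDP
        label = IKE_PORTS.get(event.get("DestPort"))
    if label is None:
        return None
    src = event.get("SourceAddress", "")
    if is_internal(src) or src in KNOWN_PEERS:
        return None
    return label


def hunt_ipsec(events):
    """Flagged events per (source, label), most frequent first."""
    counts = Counter()
    for e in events:
        label = classify(e)
        if label:
            counts[(e["SourceAddress"], label)] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (src, label), n in hunt_ipsec(SAMPLE_EVENTS):
        print(f"{n:>4}  {label:<9} from {src}")
```

On the sample it reports ESP and IKE NAT-T from 203.0.113.77 and ESP from 2001:db8:1::9, while the known peer, the link-local neighbour, the outbound ESP and the ordinary TCP connection stay quiet. To run it on real data, export 5156 events (for example with Get-WinEvent) to JSON and pass the EventData dicts through `hunt_ipsec`.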
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 65.38.121.198 | C2 infrastructure used in SharePoint exploitation campaigns by Chinese state actors |
| ip | 131.226.2.6 | SharePoint exploitation activity infrastructure |
| ip | 134.199.202.205 | SharePoint attack infrastructure |
| ip | 104.238.159.149 | C2 server for SharePoint exploitation |
| ip | 188.130.206.168 | Attack infrastructure |
| ip | 107.191.58.76 | Scanning and exploitation activity since July 2025 |
| ip | 96.9.125.147 | Scanning and exploitation activity |
| domain | update.updatemicfosoft.com | Typosquatted C2 domain used in SharePoint campaigns |
| filename | spinstall0.aspx | Web shell deployed on compromised SharePoint servers |
IOC Sweep Queries (Splunk):
index=* (dest_ip IN ("65.38.121.198", "131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168", "107.191.58.76", "96.9.125.147") OR src_ip IN ("65.38.121.198", "131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168", "107.191.58.76", "96.9.125.147")) | stats count by index, sourcetype, src_ip, dest_ip, dest_port
(index=dns query="*updatemicfosoft*") OR (index=proxy url="*updatemicfosoft*") | stats count by src_ip, query, url
index=* "spinstall0.aspx" | stats count by index, sourcetype, src_ip, dest_ip, host
Scope the index=* searches to the network and web indexes over the 90-day window; an unscoped all-index search over that range is slow and mostly scans data that cannot contain these fields.
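The IOC sweep from the report's Detection and Hunting section (the DNS and proxy/firewall queries) and the IOC Sweep Queries and T1071.001 rules above, done offline in Python as an added example (not code from the report or the hunt guide). It does the same matching in one pass over exported logs, with two details the string-match queries lack: the domain check covers any label under the typosquatted registrable domain while rejecting look-alike suffixes, and every IP is normalised through ipaddress so IPv4-mapped IPv6 forms and stray whitespace do not slip past an exact compare. It also counts answers that resolve to an IOC IP under a different name, which catches infrastructure reuse. The CSV exports are constructed for the example; the IOC values are those in the tables above.

```python
import csv
import io
import ipaddress

# IOC values from the tables above (reported in [6] and [7]).
IOC_IPS = {
    "65.38.121.198", "131.226.2.6", "134.199.202.205", "104.238.159.149",
    "188.130.206.168", "107.191.58.76", "96.9.125.147",
}
# Registrable domain behind update.updatemicfosoft.com; any label under it counts.
IOC_DOMAINS = {"updatemicfosoft.com"}

# Constructed sample exports (CSV with a header row), not real telemetry.
DNS_EXPORT = """\
ts,src_ip,query,answer
2026-04-15T08:00:01Z,10.0.0.40,www.microsoft.com,203.0.113.10
2026-04-15T08:03:12Z,10.0.0.5,update.updatemicfosoft.com,104.238.159.149
2026-04-15T08:03:13Z,10.0.0.5,cdn.updatemicfosoft.com,104.238.159.149
2026-04-15T08:05:30Z,10.0.0.5,files.example.net,131.226.2.6
"""
FLOW_EXPORT = """\
ts,src_ip,dst_ip,dst_port,proto
2026-04-15T08:03:20Z,10.0.0.5,104.238.159.149,443,tcp
2026-04-15T08:03:25Z,10.0.0.5,::ffff:104.238.159.149,443,tcp
2026-04-15T08:10:00Z,10.0.0.40,203.0.113.10,443,tcp
2026-04-15T08:12:00Z,107.191.58.76,10.0.0.5,443,tcp
2026-04-15T08:13:00Z,10.0.0.41,not-an-ip,443,tcp
"""


def normalize_ip(value):
    """Canonical address text; unwraps IPv4-mapped IPv6; None if not an IP."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def domain_matches(name, domains=IOC_DOMAINS):
    """True for the IOC domain itself or any label under it (case-insensitive, trailing dot tolerated)."""
    name = name.strip().lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def sweep_dns(export):
    """Flag queries under an IOC domain and answers that resolve to an IOC IP."""
    hits = []
    for row in csv.DictReader(io.StringIO(export)):
        reasons = []
        if domain_matches(row["query"]):
            reasons.append("query under IOC domain")
        if normalize_ip(row["answer"]) in IOC_IPS:
            reasons.append("answer is IOC IP")
        if reasons:
            hits.append({"ts": row["ts"], "host": row["src_ip"],
                         "query": row["query"], "reason": "; ".join(reasons)})
    return hits


def sweep_flows(export):
    """Flag flows to or from an IOC IP; returns (hits, unparsable_row_count)."""
    hits, unparsed = [], 0
    for row in csv.DictReader(io.StringIO(export)):
        src, dst = normalize_ip(row["src_ip"]), normalize_ip(row["dst_ip"])
        if src is None or dst is None:
            unparsed += 1                    # malformed rows are counted, not silently dropped
            continue
        if dst in IOC_IPS:
            hits.append({"ts": row["ts"], "host": src, "peer": dst,
                         "port": row["dst_port"], "direction": "outbound"})
        elif src in IOC_IPS:
            hits.append({"ts": row["ts"], "host": dst, "peer": src,
                         "port": row["dst_port"], "direction": "inbound"})
    return hits, unparsed


if __name__ == "__main__":
    for h in sweep_dns(DNS_EXPORT):
        print("DNS ", h)
    flows, bad = sweep_flows(FLOW_EXPORT)
    for h in flows:
        print("FLOW", h)
    print(f"{bad} flow row(s) could not be parsed")
```

On the sample, the two queries under updatemicfosoft.com and the unrelated files.example.net name that resolves to 131.226.2.6 are reported from DNS, and three flows are reported from the flow export, including the IPv4-mapped form and an inbound connection from 107.191.58.76 that a destination-only query would miss. The malformed row is counted so a broken export does not pass as a clean one.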
YARA Rules
SharePoint_WebShell_Indicators: Detects China Chopper-style ASPX eval shells and files referencing the spinstall0.aspx shell name reported on compromised SharePoint servers
rule SharePoint_WebShell_Indicators
{
    meta:
        description = "China Chopper-style ASPX eval shells and the spinstall0.aspx shell name reported on compromised SharePoint servers; a hunting rule, not an exploit signature"
        author = "RedSheep Security/Stone (indicators from Microsoft's July 2025 SharePoint report)"
        reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/"
        date = "2026-04-08"
        severity = "critical"
    strings:
        // Classic ASPX China Chopper one-liner: eval(Request.Item["..."],"unsafe")
        $eval1 = "eval(Request.Item[" ascii
        $eval2 = "eval(Request[" ascii
        $unsafe = "unsafe" ascii
        // Name reported in [6]; on its own it is only a pointer, so it is paired with loader behaviour
        $name = "spinstall0.aspx" ascii nocase
        $load = "System.Reflection.Assembly.Load" ascii
        $psi = "ProcessStartInfo" ascii
        $mappath = "Response.Write(Server.MapPath" ascii
    condition:
        filesize < 1MB and
        (
            (any of ($eval*) and $unsafe) or
            ($name and 1 of ($load, $psi, $mappath))
        )
}
Defender_Privilege_Escalation_Tooling: Heuristic for binaries that reference Defender components together with token-privilege APIs; triage aid for suspicious executables, not a signature for CVE-2026-33825 itself
rule Defender_Privilege_Escalation_Tooling
{
    meta:
        description = "Unsigned PE files referencing Microsoft Defender binaries together with token-privilege APIs. Heuristic for triage of suspect binaries around CVE-2026-33825; too broad for fleet-wide blocking"
        author = "RedSheep Security/Stone"
        date = "2026-04-08"
        reference = "CVE-2026-33825"
        severity = "medium"
    strings:
        $defender1 = "MsMpEng.exe" ascii wide nocase
        $defender2 = "MpCmdRun.exe" ascii wide nocase
        $priv1 = "SeDebugPrivilege" ascii wide
        $priv2 = "AdjustTokenPrivileges" ascii
        $priv3 = "NtSetInformationProcess" ascii
        $priv4 = "TOKEN_PRIVILEGES" ascii
    condition:
        // PE header, bounded size, and no Authenticode signature (Defender's own
        // signed binaries reference these strings legitimately)
        uint16(0) == 0x5A4D and filesize < 5MB and pe.number_of_signatures == 0 and
        1 of ($defender*) and 2 of ($priv*)
}
The second rule requires import "pe" at the top of the rule file for the signature check.
Suricata Rules
Visibility note: SharePoint traffic is normally TLS, so the HTTP rules below only fire where the sensor sees decrypted traffic (a TLS-terminating proxy or load balancer in front of the farm, or a decrypting tap). ESP payloads are encrypted and carry no content an IDS could match, so the IPsec rules are visibility rules that surface peers you did not know about, not exploit signatures. SIDs use the local range (1000000-1999999) reserved for site-specific rules.
SID 1000001: LOCAL EXPLOIT Possible SharePoint web shell POST under /_layouts/
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL EXPLOIT Possible SharePoint web shell POST under /_layouts/ (CVE-2026-32201 follow-on)"; flow:to_server,established; content:"POST"; http_method; content:"/_layouts/"; http_uri; content:".aspx"; http_uri; nocase; pcre:"/\/_layouts\/[^\s?]*(?:spinstall|shell|cmd)[^\s?]*\.aspx/Ui"; reference:cve,2026-32201; reference:url,www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/; classtype:attempted-admin; sid:1000001; rev:2;)
SID 1000002: LOCAL MALWARE China Chopper ASPX web shell request
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL MALWARE China Chopper ASPX web shell request"; flow:to_server,established; content:"POST"; http_method; content:"z1="; http_client_body; content:"z2="; http_client_body; distance:0; content:"eval"; http_client_body; reference:url,www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/; classtype:trojan-activity; sid:1000002; rev:2;)
SID 1000003: LOCAL POLICY DNS query for typosquatted Microsoft domain
alert dns $HOME_NET any -> any any (msg:"LOCAL POLICY DNS query for typosquatted Microsoft domain updatemicfosoft"; dns.query; content:"updatemicfosoft"; nocase; reference:url,www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities; classtype:policy-violation; sid:1000003; rev:2;)
SID 1000004 and 1000005: LOCAL POLICY Inbound IPsec (ESP, IKE/NAT-T) from external source
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL POLICY Inbound ESP (IP protocol 50) from external source"; ip_proto:50; threshold:type limit, track by_src, count 1, seconds 3600; reference:cve,2026-33827; classtype:policy-violation; sid:1000004; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET [500,4500] (msg:"LOCAL POLICY Inbound IKE/NAT-T from external source"; threshold:type limit, track by_src, count 1, seconds 3600; reference:cve,2026-33824; classtype:policy-violation; sid:1000005; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Windows Security Event Log | T1190, T1068, T1210 | EventID 4624/4625 for auth, 4688 for process creation, 5156 for network connections |
| Sysmon | T1068, T1505.003 | EventID 1 for process creation with command line, EventID 10 for process access |
| IIS Logs | T1190, T1505.003 | W3C extended format required. Must log cs-uri-stem, cs-method, sc-status, c-ip |
| SharePoint ULS Logs | T1190, T1505.003 | Verbose logging recommended for authentication and runtime events |
| DNS Logs | T1071.001 | Query logging required. Windows DNS debug logs or Sysmon EventID 22 |
| Network Traffic Flow | T1190, T1210, T1071.001 | NetFlow v9 or IPFIX (v5 carries no IPv6 fields, so it cannot show the IPv6/IPSec traffic that matters here); Zeek logs preferred for protocol analysis |
| Proxy Logs | T1071.001 | Full URL logging including user agent strings |
Sources
- Microsoft April 2026 Patch Tuesday Fixes 167 Flaws, 2 Zero-Days
- Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities
- Update: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities