Windows SharePoint Spinstall0 GET Request

Splunk Security Content

Summary
This detection rule targets the exploitation of a vulnerability in Microsoft SharePoint, specifically CVE-2025-53770, which allows attackers to deploy a webshell named 'spinstall0.aspx' to the SharePoint layouts directory. The rule identifies GET requests directed at this webshell, which indicates potential post-exploitation activities including command execution, data exfiltration, and sensitive information extraction. The detection leverages the Web datamodel in Suricata to monitor for these unauthorized accesses, providing insights into the successful abuse of the compromised SharePoint server. Implementing this detection can enhance proactive defense measures against exploitation of SharePoint vulnerabilities by allowing security teams to respond to anomalies promptly and investigate any suspicious activity.
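The matching logic described above, as an added Python example run over constructed log lines; it is not the rule's own search or code from Splunk Security Content. The `/_layouts/` path prefix, the simplified log field layout and all function names are assumptions made for the illustration.

```python
from urllib.parse import unquote, urlsplit

WEBSHELL = "spinstall0.aspx"  # file name given in the rule summary

# Constructed sample lines (not from a real server). Assumed field layout:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2025-07-21 10:01:02 198.51.100.7 GET /_layouts/15/spinstall0.aspx - 200
2025-07-21 10:01:09 198.51.100.7 GET /_layouts/15/SpInstall0.ASPX - 200
2025-07-21 10:02:11 203.0.113.9 GET /_layouts/15/spinstall0%2Easpx - 404
2025-07-21 10:03:30 192.0.2.44 GET /_layouts/15/start.aspx - 200
2025-07-21 10:04:00 192.0.2.44 POST /_layouts/15/spinstall0.aspx - 200
2025-07-21 10:05:12 192.0.2.50 GET /sites/docs/spinstall0.aspx.txt - 200
"""

def parse(line):
    """Split one log line into the fields the detection needs."""
    date, time, src, method, stem, _query, status = line.split()
    return {"time": f"{date} {time}", "src": src, "method": method,
            "uri": stem, "status": int(status)}

def is_webshell_get(event):
    """True for a GET whose file name is the webshell under the layouts path."""
    # IIS treats paths case-insensitively and requests may be percent-encoded,
    # so decode and lower-case before comparing.
    path = unquote(urlsplit(event["uri"]).path).lower()
    return (event["method"] == "GET"
            and "/_layouts/" in path
            and path.rsplit("/", 1)[-1] == WEBSHELL)

def detect(log_text):
    """Return matching events, each tagged with whether the file was served."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        event = parse(line)
        if is_webshell_get(event):
            # A 2xx response means the file exists and was served; a 404
            # points to a probe for a file that is not present.
            event["served"] = 200 <= event["status"] < 300
            hits.append(event)
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["uri"], hit["status"], hit["served"])
```
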
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Network Share
ATT&CK Techniques
  • T1190
  • T1505.003
  • T1552
Created: 2025-07-21