
Summary
This analytic rule detects exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2025-53770, nicknamed "ToolShell", by monitoring POST requests that target the ToolPane.aspx endpoint. It matches these requests specifically when the DisplayMode parameter is set to 'Edit', which is a significant indicator of potential exploitation. The vulnerability permits unauthenticated remote code execution on SharePoint servers, which exposes content, file systems, and internal configurations to unauthorized access and allows execution of arbitrary code. Given the critical nature of the vulnerability, this rule is important for swiftly identifying and mitigating associated threats to SharePoint environments.
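
The matching condition described above, as an added example (not the rule's own query): it applies the POST / ToolPane.aspx / DisplayMode=Edit test to a constructed IIS W3C log excerpt. The field layout, the sample requests and the case-insensitive, URL-decoded comparison are assumptions of this example.

```python
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt (documentation IP ranges, invented requests).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-20 10:01:02 198.51.100.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&PageView=Shared 200
2025-07-20 10:01:05 203.0.113.9 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 200
2025-07-20 10:02:11 198.51.100.7 POST /_layouts/15/toolpane.aspx displaymode=%45dit 401
2025-07-20 10:03:40 192.0.2.44 POST /_layouts/15/ToolPane.aspx DisplayMode=Design 200
2025-07-20 10:04:00 192.0.2.44 POST /sites/hr/_api/web/lists - 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_toolpane_edit_post(rec):
    """True for a POST to ToolPane.aspx whose DisplayMode parameter is Edit."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    # Assumption: compare the decoded path case-insensitively so that
    # case or percent-encoding variants of the endpoint are not missed.
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    if not stem.endswith("/toolpane.aspx"):
        return False
    query = rec.get("cs-uri-query", "")
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    # parse_qs percent-decodes names and values; lowercase both before comparing.
    modes = [v.lower() for name, vals in params.items()
             if name.lower() == "displaymode" for v in vals]
    return "edit" in modes

def find_hits(text):
    """Return every parsed request that satisfies the rule's condition."""
    return [rec for rec in parse_w3c(text) if is_toolpane_edit_post(rec)]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
```

The GET request and the POST with DisplayMode=Design are not flagged; the lowercase, percent-encoded variant is.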
Categories
- Web
- Network
- Cloud
- Application
Data Sources
- Web Credential
- Network Traffic
- Application Log
ATT&CK Techniques
- T1190
- T1505.003
Created: 2025-07-20