Windows SharePoint Spinstall0 Webshell File Creation

Splunk Security Content

Summary
This detection rule identifies the creation or modification of a webshell file named 'spinstall0.aspx' within Microsoft SharePoint directories. The presence of this file is associated with exploitation of CVE-2025-53770, known as the ToolShell vulnerability. Attackers can exploit this vulnerability to deploy webshells that give them persistent access to compromised SharePoint servers, allowing them to run arbitrary commands, access sensitive information, or move further into the network. The detection relies primarily on Sysmon Event ID 11, which logs file creation events. Because 'spinstall0.aspx' is not a legitimate SharePoint component, the rule is designed to produce few false positives, although in rare cases legitimate processes may create similarly named files during maintenance or updates. The source of the file creation should therefore be verified before concluding that the activity is malicious.
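As an added illustration of the detection logic described above (this is example code, not the Splunk rule or its search), the following Python check runs over constructed Sysmon Event ID 11 records and keeps the creating process image so an analyst can verify the source of each hit. The flattened key=value record layout and the SharePoint path markers are assumptions.

```python
import ntpath
import re

# Constructed Sysmon Event ID 11 (FileCreate) records in flattened key=value form.
# These sample lines were written for this example and are not real telemetry.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "TargetFilename=C:\\Program Files\\Common Files\\microsoft shared\\"
    "Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx",
    "EventID=11 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "TargetFilename=C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\_layouts\\15\\SPINSTALL0.ASPX",
    # Same file name outside SharePoint directories: out of scope for this rule.
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\admin\\Desktop\\spinstall0.aspx",
    # Legitimate layout page created by the SharePoint worker process: must not fire.
    "EventID=11 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "TargetFilename=C:\\Program Files\\Common Files\\microsoft shared\\"
    "Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\default.aspx",
    # Not a file creation event at all.
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=whoami",
]

# Assumed lower-cased markers for SharePoint web directories; adjust to the farm's layout.
SHAREPOINT_MARKERS = ("web server extensions", "\\_layouts\\", "\\wss\\virtualdirectories\\")
WEBSHELL_NAME = "spinstall0.aspx"

# key=value pairs; a value runs until the next " Key=" token or end of line, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flattened Sysmon record into a field dictionary."""
    return dict(KV_RE.findall(line))


def is_sharepoint_path(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in SHAREPOINT_MARKERS)


def detect(lines) -> list:
    """Return one alert per FileCreate of spinstall0.aspx inside a SharePoint directory."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue
        target = ev.get("TargetFilename", "")
        # Exact, case-insensitive basename match: similarly named files do not fire.
        if ntpath.basename(target).lower() != WEBSHELL_NAME:
            continue
        if not is_sharepoint_path(target):
            continue
        # Keep the creating process so the source of the write can be verified during triage.
        alerts.append({"image": ev.get("Image", ""), "path": target})
    return alerts
```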
Categories
  • Web
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1190
  • T1505.003
Created: 2025-07-21