This session unpacks the SharePoint Toolshell campaign as a case study in modern 0-day exploitation, walking through the tactics, techniques, and procedures observed in a real incident. From there, we broaden the lens: what does Toolshell teach us about responding to a campaign in its first 72 hours, while the activity is still "unknown" and has not yet been tied to a named vulnerability or actor? Attendees will leave with an overview of the tradecraft observed, including EDR killers and sophisticated access techniques, along with practical lessons for incident responders hunting novel threats and for network owners hardening their environments against the next inevitable 0-day.