LoFP / false positives may occur if there are legitimate activities that mimic the exploitation pattern. it's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.

Techniques

• T1068

Sample rules

Microsoft SharePoint Server Elevation of Privilege

• source: splunk
• technicques:
  • T1068

Description

The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts. This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment. If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.

Detection logic

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url IN (
    "*/_api/web/siteusers*",
    "*/_api/web/currentuser*"
)
Web.status=200
Web.http_method="GET"

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest


| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `microsoft_sharepoint_server_elevation_of_privilege_filter`