Microsoft SharePoint Server Elevation of Privilege

name: Microsoft SharePoint Server Elevation of Privilege
id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859d
version: 10
creation_date: '2023-10-13'
modification_date: '2026-05-13'
author: Michael Haag, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
description: |-
    The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357.
    It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts.
    This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment.
    If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.
data_source:
    - Suricata
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    FROM datamodel=Web WHERE

    Web.url IN (
        "*/_api/web/siteusers*",
        "*/_api/web/currentuser*"
    )
    Web.status=200
    Web.http_method="GET"

    BY Web.http_user_agent Web.status Web.http_method
       Web.url Web.url_length Web.src Web.dest

    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `microsoft_sharepoint_server_elevation_of_privilege_filter`
how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.
known_false_positives: False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
references:
    - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/
    - https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$.
threat_objects:
    - field: src
      type: ip_address
analytic_story:
    - Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
asset_type: Web Server
cve:
    - CVE-2023-29357
mitre_attack_id:
    - T1068
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log
          source: not_applicable
          sourcetype: suricata
      test_type: unit