Microsoft SharePoint Server Elevation of Privilege

name: Microsoft SharePoint Server Elevation of Privilege
id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859d
version: 8
date: '2026-03-27'
author: Michael Haag, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
data_source:
    - Suricata
description: |-
    The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357.
    It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts.
    This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment.
    If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    FROM datamodel=Web WHERE

    Web.url IN (
        "*/_api/web/siteusers*",
        "*/_api/web/currentuser*"
    )
    Web.status=200
    Web.http_method="GET"

    BY Web.http_user_agent Web.status Web.http_method
       Web.url Web.url_length Web.src Web.dest

    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `microsoft_sharepoint_server_elevation_of_privilege_filter`
how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.
known_false_positives: False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
references:
    - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/
    - https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$.
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    cve:
        - CVE-2023-29357
    analytic_story:
        - Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
    asset_type: Web Server
    atomic_guid: []
    mitre_attack_id:
        - T1068
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log
          source: not_applicable
          sourcetype: suricata