SharePoint Malware File Upload
Identifies the occurrence of files uploaded to SharePoint being detected as malware by the file scanning engine. Attackers can use file sharing and organization repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.
Elastic rule
```toml
[metadata]
creation_date = "2022/01/10"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their
access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities
to gain initial access to other endpoints in the environment.
"""
false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "SharePoint Malware File Upload"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating SharePoint Malware File Upload

SharePoint, a collaborative platform, facilitates file sharing and storage within organizations. Adversaries exploit this by uploading malware, leveraging the platform's sharing capabilities to propagate threats laterally. The detection rule identifies when SharePoint's file scanning engine flags an upload as malicious, focusing on specific audit events to alert security teams of potential lateral movement threats.

### Possible investigation steps

- Review the specific event details in the alert, focusing on the event.dataset, event.provider, event.code, and event.action fields to confirm the alert is related to a SharePoint file upload flagged as malware.
- Identify the user account associated with the file upload by examining the audit logs and determine if the account has a history of suspicious activity or if it has been compromised.
- Analyze the file metadata, including the file name, type, and size, to gather more context about the nature of the uploaded file and assess its potential impact.
- Check the file's sharing permissions and access history to identify other users or systems that may have interacted with the file, assessing the risk of lateral movement.
- Investigate the source of the file upload, such as the originating IP address or device, to determine if it aligns with known malicious activity or if it is an anomaly for the user.
- Coordinate with the IT team to isolate affected systems or accounts if necessary, and initiate a response plan to mitigate any potential spread of the malware within the organization.

### False positive analysis

- Legitimate software updates or patches uploaded to SharePoint may be flagged as malware. To handle this, create exceptions for known update files by verifying their source and hash.
- Internal security tools or scripts used for testing purposes might trigger false positives. Maintain a list of these tools and exclude them from alerts after confirming their legitimacy.
- Files with encrypted content, such as password-protected documents, can be mistakenly identified as malicious. Implement a process to review and whitelist these files if they are from trusted sources.
- Large batch uploads from trusted departments, like IT or HR, may occasionally be flagged. Establish a review protocol for these uploads and whitelist them if they are verified as safe.
- Files with macros or executable content used in legitimate business processes might be detected. Work with relevant departments to identify and exclude these files from alerts after thorough validation.

### Response and remediation

- Immediately isolate the affected SharePoint site or library to prevent further access and sharing of the malicious file. This can be done by restricting permissions or temporarily disabling access to the site.
- Notify the security operations team and relevant stakeholders about the detected malware to ensure awareness and initiate a coordinated response.
- Quarantine the identified malicious file to prevent it from being accessed or executed by users. Use SharePoint's built-in capabilities or integrated security tools to move the file to a secure location.
- Conduct a thorough scan of the affected SharePoint site and connected systems to identify any additional malicious files or indicators of compromise. Use advanced threat detection tools to ensure comprehensive coverage.
- Review and revoke any unauthorized access or sharing permissions that may have been granted to the malicious file, ensuring that only legitimate users have access to sensitive data.
- Escalate the incident to the incident response team if there are signs of lateral movement or if the malware has spread to other parts of the network, following the organization's escalation protocols.
- Implement enhanced monitoring and logging for SharePoint and related services to detect any future attempts to upload or share malicious files, leveraging the specific query fields used in the detection rule.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
]
risk_score = 73
rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1080"
name = "Taint Shared Content"
reference = "https://attack.mitre.org/techniques/T1080/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
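To make the query's four AND-ed terms and the triage fields concrete, here is an added example (not part of the Elastic rule or its repository) that applies the rule's predicate to ECS-shaped `o365.audit` events in Python and pulls out the user, file, site and source address the investigation steps ask for. The field names beyond the four in the query (`user.name`, `file.name`, `source.ip`, `o365.audit.SiteUrl`) are assumptions modelled on the o365 integration's usual ECS mapping, and the sample events are constructed.

```python
# Added example, not the rule's own code. Evaluates the rule's KQL predicate
# against ECS-style documents and returns triage context for each hit.
# Assumed field names: user.name, file.name, source.ip, o365.audit.SiteUrl.
from typing import Iterable

# The four AND-ed terms from the rule's query, as exact-match pairs.
RULE_PREDICATE = {
    "event.dataset": "o365.audit",
    "event.provider": "SharePoint",
    "event.code": "SharePointFileOperation",
    "event.action": "FileMalwareDetected",
}

def get_path(doc: dict, dotted: str):
    """Resolve a dotted ECS field name against a nested dict (None if absent)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc: dict) -> bool:
    """True only when every term of the query matches, mirroring KQL 'and'."""
    return all(get_path(doc, k) == v for k, v in RULE_PREDICATE.items())

def triage_fields(doc: dict) -> dict:
    """Collect the context the investigation guide asks for (user, file, source)."""
    return {
        "user": get_path(doc, "user.name"),
        "file": get_path(doc, "file.name"),
        "site": get_path(doc, "o365.audit.SiteUrl"),
        "source_ip": get_path(doc, "source.ip"),
    }

def run_rule(events: Iterable[dict]) -> list[dict]:
    """Return triage context for each event the rule would alert on."""
    return [triage_fields(e) for e in events if matches_rule(e)]

# Constructed sample events: a SharePoint malware detection, a benign upload,
# and a OneDrive detection (a different provider, so this rule must not fire).
SAMPLE_EVENTS = [
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "code": "SharePointFileOperation", "action": "FileMalwareDetected"},
     "user": {"name": "alice@example.com"}, "file": {"name": "invoice.xlsm"},
     "source": {"ip": "203.0.113.7"}, "o365": {"audit": {"SiteUrl": "https://example.sharepoint.com/sites/finance/"}}},
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "code": "SharePointFileOperation", "action": "FileUploaded"},
     "user": {"name": "bob@example.com"}, "file": {"name": "notes.docx"}, "source": {"ip": "198.51.100.4"}},
    {"event": {"dataset": "o365.audit", "provider": "OneDrive", "code": "SharePointFileOperation", "action": "FileMalwareDetected"},
     "user": {"name": "carol@example.com"}, "file": {"name": "tool.exe"}, "source": {"ip": "192.0.2.9"}},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

The OneDrive event is deliberately excluded by `event.provider:SharePoint`; it is the case covered by the related OneDrive Malware File Upload rule.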
Related rules
- OneDrive Malware File Upload
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS EC2 Instance Console Login via Assumed Role
- AWS STS AssumeRole with New MFA Device
- AWS STS Role Chaining