SharePoint Malware File Upload
Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/10"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
13Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their
14access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities
15to gain initial access to other endpoints in the environment.
16"""
17false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
18from = "now-30m"
19index = ["filebeat-*", "logs-o365*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "SharePoint Malware File Upload"
23note = """## Setup
24
25The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
26references = [
27 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
28]
29risk_score = 73
30rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74"
31severity = "high"
32tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1080"
45name = "Taint Shared Content"
46reference = "https://attack.mitre.org/techniques/T1080/"
47
48
49[rule.threat.tactic]
50id = "TA0008"
51name = "Lateral Movement"
52reference = "https://attack.mitre.org/tactics/TA0008/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- OneDrive Malware File Upload
- Attempts to Brute Force a Microsoft 365 User Account
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DKIM Signing Configuration Disabled