IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Setuid / Setgid Bit Set via chmod Shared Object Created or Changed by Previously Unknown Process »

› › ›

SharePoint Malware File Upload

edit

SharePoint Malware File Upload

edit

Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.

Rule type: query

Rule indices:

filebeat-*
logs-o365*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide

Tags:

Domain: Cloud
Data Source: Microsoft 365
Tactic: Lateral Movement

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Taint Shared Content
- ID: T1080
- Reference URL: https://attack.mitre.org/techniques/T1080/

« Setuid / Setgid Bit Set via chmod Shared Object Created or Changed by Previously Unknown Process »