security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] SharePoint Malware File Upload (#1691)

Browse Source 
* "SharePoint Malware File Upload" Initial Rule

* s/onedrive/sharepoint

* bump severity
This commit is contained in:
Jonhnathan
2022-01-27 16:12:17 -03:00
committed by GitHub
parent 26fb8e83a5
commit 1676844640
1 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+51
View File
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2022/01/10"
integration = "o365"
maturity = "production"
updated_date = "2022/01/10"
[rule]
author = ["Elastic"]
description = """
Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers
can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
initial access to other endpoints in the environment.
"""
false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "SharePoint Malware File Upload"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
]
risk_score = 73
rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74"
severity = "high"
tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1080/"
id = "T1080"
name = "Taint Shared Content"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0008/"
id = "TA0008"
name = "Lateral Movement"