Sidestepping Detection While Exfiltrating SharePoint Data: Best Practices for Secure Information Transfer
As a security-conscious SharePoint user, it’s crucial to understand the latest vulnerabilities in the system. Two new techniques have been identified that allow stealthy data removal without triggering the usual detection mechanisms. One approach manipulates SharePoint’s “open in app” feature to download files discreetly, masking the activity as an innocent access event. The second strategy misrepresents file downloads as synchronization processes by exploiting the Microsoft SkyDriveSync User-Agent.
Despite their potential risks, these vulnerabilities have not been deemed critical enough for immediate patches. Microsoft’s decision to classify these security concerns as “moderate” and retain the functionality in question has sparked a strong reaction from cybersecurity professionals. To counter these threats, the emphasis falls on diligent monitoring of SharePoint and OneDrive audit logs for atypical patterns of access, volume, or origin, which could indicate unauthorized data access or extraction.
When utilizing SharePoint and OneDrive, the secure orchestration of file access permissions is critical. Incorrect permission assignment can lead to unwarranted access: on average, 10% of cloud-stored data is open to all employees. In specific sectors, such as manufacturing and finance, as many as 11 million files may be accessible to the entire workforce.
Focusing on the key exfiltration tactics from SharePoint and OneDrive, one method worth noting is:
Another strategy revolves around:
Despite varied detection methods for the latter, our emphasis lies on direct file retrieval because of its potential for scale when automated, which amplifies the threat of extensive data loss. Automation is feasible using tools such as Azure Applications or the Microsoft Graph API, which generate temporary download URLs that remain valid for an hour. Although such activity is traceable via a spike in “FileDownloaded” audit logs, it presents an efficient exfiltration route.
Here are some insights into how these activities are recorded:
Through meticulous analysis, it’s been revealed that certain actions performed within these environments can sidestep the usual detection by not triggering expected audit logs. This uncovers the gap in security where threat actors can operate discreetly, accessing data without the conspicuous footprint of mass downloads. Thus, while tools and APIs provide productivity advantages, they also introduce significant risks unless carefully monitored and appropriately secured.
Transferring a file from SharePoint to your computer typically generates a “FileDownloaded” event within SharePoint’s audit log. This function aids security software in tracking unauthorized access or policy breaches.
However, the method of download impacts how the activity is recorded:
Download Method | User-Agent | Audit Log Event |
---|---|---|
Single File | Browser’s own User-Agent | FileDownloaded |
Folder (as zip) | OneDriveMpc-Transform_Zip/1.0 | FileDownloaded |
Another approach to access files without making it evident in the audit log is to use the “open in app” function:
Remember, while opening a file in an application may not leave a typical download trace, the file is indeed downloaded to your local system. This distinction can be crucial in cybersecurity and information governance contexts.
In SharePoint environments, unauthorized data can be retrieved using methods that subvert common audit processes. One method incorporates a combination of PowerShell and SharePoint’s client-side object model (CSOM), allowing for the automated retrieval of data from SharePoint, saving it to a local device while evading traditional download logs. Let’s examine how this can affect your data security:
Activity | Logs Generated | Visible to Auditing Tools |
---|---|---|
File Access | Access log | Yes |
File Download | None | No |
For effective monitoring, it is essential to be aware that although these methods are distinct, both generate primarily access logs rather than download logs. Unless a user is rapidly downloading numerous files, such actions may not trigger the usual download-focused detection mechanisms, so these alternate audit trails must be included in your security protocols.
Remember, your data is only as secure as your weakest link. Review your access log review procedures to ensure they cover various exfiltration methods, not just traditional downloads.
When securing your data against unauthorized access, it’s crucial to recognize file synchronization as a potential avenue for data leakage. Typically, file synchronization with SharePoint is an automated process where any modifications to a document on SharePoint are mirrored on a local device, and vice versa, without direct user interaction. This convenience is particularly prevalent within organizations where OneDrive may be preset for synchronization.
Click the “Sync” option on a SharePoint site to initiate syncing from SharePoint to a local device. This task is managed by the OneDrive.exe application on the local computer, creating particular logs for the activities. The events “FileSyncUploadedFull” and “FileSyncDownloadedFull” represent uploads to and downloads from the cloud. Differing from these, the manual activities of uploading and downloading files are noted as “FileUploaded” and “FileDownloaded” events in SharePoint’s log.
Key Logging Differentiator: User-Agent
Every file upload or download event carries information about the User-Agent, which is instrumental in classifying whether the action was a manual or synchronized operation. Synchronization events carry a unique User-Agent identifier, Microsoft SkyDriveSync, earmarking such events as synchronization activities in the logs.
Savvy individuals might manipulate their browser’s User-Agent to alter the event classification. Even manual activities, like downloading a file through the interface, can be catalogued as synchronization actions by mimicking the SkyDriveSync User-Agent string. Additionally, PowerShell scripts can be employed to automate this process.
By masquerading conventional download actions as sync events, an individual might exploit this method to clandestinely obtain data — bypassing alarm systems designed to flag unauthorized file retrievals. The subtlety of the file sync method means it can be leveraged to exfiltrate data surreptitiously, a tactic that demands your vigilance in data protection strategies.
In cybersecurity, you must stay vigilant against methods attackers use to covertly extract data. Traditional logs that flag ‘FileDownloaded’ events may no longer suffice. Savvy individuals can manipulate event types to their advantage. You should expand the scope of monitoring to include what may initially appear benign access and synchronization events.
Be alert for a significant increase in access logs, indicating covert downloading activities rather than regular file viewing. Such suspicious patterns may also emerge from modifications in typical user behavior, including:
Adjust your detection systems to discern malicious activities effectively. Scrutinize sync-related events as much as direct downloads. Pay close attention to anomalies in sync patterns and other behavioral indicators that could signal a data breach.
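A small detection routine in the spirit of the guidance above, added here as an illustration and not code from the original article: it treats plain downloads, sync downloads and bare access events as equally interesting and flags any user whose count in one class exceeds a per-class threshold inside a sliding window. The audit records, the window length and the thresholds are constructed assumptions, not values from the article.

```python
"""Burst detection over SharePoint audit records across three event classes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event classes to watch: plain downloads, sync downloads, and bare accesses.
EVENT_CLASS = {
    "FileDownloaded": "download",
    "FileSyncDownloadedFull": "sync",
    "FileAccessed": "access",
}
WINDOW = timedelta(minutes=10)
# Assumed per-class thresholds: events per user per WINDOW that warrant review.
THRESHOLDS = {"download": 20, "sync": 30, "access": 15}
SYNC_UA = "Microsoft SkyDriveSync"  # User-Agent that marks sync-client traffic


def burst_alerts(records, window=WINDOW, thresholds=THRESHOLDS):
    """Return {(user, class): peak_count} for each user/class pair whose event
    count inside some sliding window of length `window` reaches the threshold."""
    per_key = defaultdict(list)
    for rec in records:
        cls = EVENT_CLASS.get(rec.get("Operation"))
        if cls is None:
            continue  # other operations are ignored by this check
        per_key[(rec["UserId"], cls)].append(datetime.fromisoformat(rec["CreationTime"]))
    alerts = {}
    for key, times in per_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= thresholds[key[1]]:
            alerts[key] = peak
    return alerts


def make_records(user, op, ua, n, start, step_seconds):
    """Build n constructed audit records for one user, spaced step_seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"CreationTime": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             "Operation": op, "UserId": user, "UserAgent": ua,
             "SourceFileName": f"doc{i}.docx"} for i in range(n)]


# Constructed sample: alice browses normally, bob pulls 40 files in under five
# minutes tagged as sync traffic, carol triggers 25 access-only events in four.
SAMPLE_RECORDS = (
    make_records("alice@example.com", "FileAccessed", "Mozilla/5.0", 4, "2024-03-01T09:00:00", 600)
    + make_records("bob@example.com", "FileSyncDownloadedFull", SYNC_UA, 40, "2024-03-01T09:00:00", 7)
    + make_records("carol@example.com", "FileAccessed", "Mozilla/5.0", 25, "2024-03-01T10:00:00", 10)
)

if __name__ == "__main__":
    for (user, cls), count in burst_alerts(SAMPLE_RECORDS).items():
        print(f"REVIEW {user}: {count} {cls} events within {WINDOW}")
```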