Researchers uncover evasive data exfiltration techniques that can be exploited in SharePoint

Researchers have discovered two techniques employed in SharePoint that allow users to circumvent audit logs and avoid triggering download events while exfiltrating files.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” according to a report by security firm Varonis.

Stealing sensitive data is one of the most common activities that threat actors engage in once they break into enterprise networks. SharePoint servers are a common target as the central point for document management and file storage.

Data exfiltration can be difficult to detect if attackers are downloading files using legitimate accounts that have been compromised, so companies often build detection rules that analyze audit logs to find suspicious patterns. Researchers warn, however, that there are ways to hide download events.

The techniques have been reported to Microsoft, but since they are considered to be moderate in severity the company might take some time to fix them. Until that happens, the researchers advise companies to also monitor for unusual file access and file sync activities, not just file downloads, in their SharePoint and OneDrive logs. SharePoint servers also host OneDrive for Business, a solution that enables file sharing and syncing.

Attackers can use SharePoint’s ‘Open in Desktop App’ feature

Users, and therefore attackers with access to compromised accounts, can directly download files or entire folders through the SharePoint web interface. However, such operations can also be automated in various ways via Azure applications or through the MSGraph API.

In both cases, these actions will create “FileDownloaded” entries in the SharePoint audit log, so any security solution that monitors those can potentially detect suspicious behavior, such as an unusually large number of files being downloaded over a short time, from a new device, or from a new location.

“As part of our research, we aimed to determine which user actions generated what type of events, either security alerts or file events (e.g., open, closed, downloaded, etc.),” the Varonis researchers said. “As we developed specific attack scripts, we identified techniques that could be used to download files without triggering standard events and circumvent audit logs.”

One of those techniques uses an option in SharePoint for files called “Open in Desktop App,” which downloads the file to the local machine and opens it in a desktop application. This is done through a shell command that opens the file by accessing a direct link to it and launches the application associated with the file extension. If the user copied that link and opened it directly in their browser, they would get the option to download the file.

However, it turns out that for links generated and accessed in this manner, the event recorded in the SharePoint audit log is “FileAccessed” rather than “FileDownloaded.”

The researchers managed to automate this by writing a PowerShell script that uses the SharePoint client object model (CSOM) to fetch files without leaving download footprints on the server.

“However, unless a user downloads large volumes of files quickly, these methods will likely create only conspicuous amounts of access logs, allowing such activities to go relatively unnoticed by detection rules focused on download logs,” the researchers said.

FileSync with OneDrive can also be abused by attackers

Another technique is to replicate the behavior of the local OneDrive client when it syncs files from a SharePoint server. This feature keeps server and local copies of the same files in sync and replicates changes between them. SharePoint records these actions under separate audit log entries called “FileSyncUploadedFull” and “FileSyncDownloadedFull.” If someone monitors only for the typical “FileUploaded” and “FileDownloaded” logs, they will miss these sync events.

It turns out that the server determines whether an operation is flagged as sync or as a regular download by looking at the user-agent of the application making the request. The OneDrive client performs these requests with the “Microsoft SkyDriveSync” user agent name.

In practice this means that if an attacker modifies their browser’s user agent name to Microsoft SkyDriveSync, they can download files using any of the regular methods, including through the SharePoint web interface, and those events will be recorded as sync entries instead of download entries in the log.

This can also be automated through a PowerShell script, and this technique doesn’t create FileAccessed events either. If someone happens to monitor for FileAccessed events to handle the other technique, they will need additional monitoring specifically for sync events too.

Unusually large access or abnormal audit logs can be a sign of intrusion

“Evading the ‘FileDownloaded’ log will create an access log instead,” the researchers said. “This means that large amounts of access or abnormal access audit logs could signal unauthorized downloads and possible data exfiltration. If existing detection systems are configured to overlook sync events, new detection rules must incorporate sync events into their monitoring to detect disguised downloads.”

Of course, the simple presence of file sync events is not suspicious on its own and needs to be coupled with behavioral patterns such as changes in the typical frequency and volume of a user’s sync activity, the usual devices used for sync operations, sync events from a new geolocation, or changes to the folders typically synchronized to a user’s account.

“By analyzing these behavioral parameters, you can detect anomalies that suggest someone is manipulating sync events,” the researchers said. “For instance, an unexpected spike in sync activity from a device not commonly used or synchronization of unusually large amounts of sensitive folders that are not part of the user’s normal workflow could be red flags.”
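Detection logic covering both techniques described above (access-event volume for the “Open in Desktop App” path, and sync events arriving from an unfamiliar source or in unusual volume), as an added example that is not part of the article or of the Varonis research. It assumes the Office 365 unified audit log field names (Operation, UserId, ClientIP, UserAgent, ObjectId, CreationTime), uses constructed sample records, and treats the thresholds, window size and per-user baseline as placeholders a team would tune against its own history.

```python
"""Audit-log checks for disguised SharePoint downloads.

Added example, not code from the article or from Varonis. Field names follow
the Office 365 unified audit log schema (assumption); all records and the
per-user baseline below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_OPS = {"FileAccessed"}                                   # "Open in Desktop App" path
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncUploadedFull"}  # OneDrive-style sync path


def _rec(time, user, op, ip, obj, ua="Mozilla/5.0"):
    """Build one constructed audit record with unified-audit-log field names."""
    return {"CreationTime": time, "UserId": user, "Operation": op,
            "ClientIP": ip, "ObjectId": obj, "UserAgent": ua}


SITE = "https://contoso.example/sites"  # constructed placeholder site
SAMPLE_RECORDS = [
    # alice: six FileAccessed events in under three minutes (no FileDownloaded at all)
    _rec("2024-05-01T09:00:00", "alice@example.com", "FileAccessed", "203.0.113.10", f"{SITE}/hr/doc1.docx"),
    _rec("2024-05-01T09:00:30", "alice@example.com", "FileAccessed", "203.0.113.10", f"{SITE}/hr/doc2.docx"),
    _rec("2024-05-01T09:01:00", "alice@example.com", "FileAccessed", "203.0.113.10", f"{SITE}/hr/doc3.docx"),
    _rec("2024-05-01T09:01:30", "alice@example.com", "FileAccessed", "203.0.113.10", f"{SITE}/hr/doc4.docx"),
    _rec("2024-05-01T09:02:00", "alice@example.com", "FileAccessed", "203.0.113.10", f"{SITE}/hr/doc5.docx"),
    _rec("2024-05-01T09:02:30", "alice@example.com", "FileAccessed", "203.0.113.10", f"{SITE}/hr/doc6.docx"),
    # bob: a single, ordinary access
    _rec("2024-05-01T09:05:00", "bob@example.com", "FileAccessed", "203.0.113.11", f"{SITE}/hr/doc7.docx"),
    # carol: sync downloads from an address never seen syncing for this account.
    # The server labels these "sync" purely from the user agent, so the agent
    # string itself cannot tell a real client from a spoofed one.
    _rec("2024-05-01T09:10:00", "carol@example.com", "FileSyncDownloadedFull", "198.51.100.7", f"{SITE}/fin/fin1.xlsx", "Microsoft SkyDriveSync"),
    _rec("2024-05-01T09:10:20", "carol@example.com", "FileSyncDownloadedFull", "198.51.100.7", f"{SITE}/fin/fin2.xlsx", "Microsoft SkyDriveSync"),
    _rec("2024-05-01T09:10:40", "carol@example.com", "FileSyncDownloadedFull", "198.51.100.7", f"{SITE}/fin/fin3.xlsx", "Microsoft SkyDriveSync"),
    # dave: a genuine sync from his usual address
    _rec("2024-05-01T09:12:00", "dave@example.com", "FileSyncDownloadedFull", "192.0.2.9", f"{SITE}/eng/notes.txt", "Microsoft SkyDriveSync"),
]

# Constructed baseline: client addresses each user has historically synced from.
SYNC_BASELINE = {"carol@example.com": {"192.0.2.5"}, "dave@example.com": {"192.0.2.9"}}


def _ts(record):
    return datetime.strptime(record["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def windowed_counts(records, ops, window=timedelta(minutes=10)):
    """Peak number of matching events per user inside any sliding time window."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in ops:
            by_user[r["UserId"]].append(_ts(r))
    peaks = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        peaks[user] = peak
    return peaks


def access_spikes(records, threshold=5, window=timedelta(minutes=10)):
    """Users whose FileAccessed volume in one window reaches the threshold."""
    return {u: n for u, n in windowed_counts(records, ACCESS_OPS, window).items() if n >= threshold}


def sync_anomalies(records, baseline, threshold=5, window=timedelta(minutes=10)):
    """Sync events from a source outside the user's baseline, plus sync volume spikes."""
    alerts = []
    for r in records:
        if r["Operation"] in SYNC_OPS and r["ClientIP"] not in baseline.get(r["UserId"], set()):
            alerts.append(("new_sync_source", r["UserId"], r["ClientIP"], r["ObjectId"]))
    for user, n in windowed_counts(records, SYNC_OPS, window).items():
        if n >= threshold:
            alerts.append(("sync_volume_spike", user, n))
    return alerts


if __name__ == "__main__":
    print("access spikes:", access_spikes(SAMPLE_RECORDS))
    for alert in sync_anomalies(SAMPLE_RECORDS, SYNC_BASELINE, threshold=3):
        print("sync alert:", alert)
```

The baseline check is deliberately keyed on the client address rather than on the user agent: because SharePoint classifies a request as sync from the user-agent string alone, every event in the sync log carries the expected agent, and only context the requester does not control (source, device, time, folder set) separates a legitimate client from a disguised download. Replace the constructed baseline with one built from each user's own sync history.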
