In both cases, these actions create "FileDownloaded" entries in the SharePoint audit log, so any security solution that monitors these can potentially detect suspicious behavior, such as an unusually large number of files being downloaded over a short time, or from a new device or a new location.
"As part of our research, we aimed to determine which user actions generated what kind of events, either security alerts or file events (e.g., open, closed, downloaded, etc.)," the Varonis researchers said. "As we developed specific attack scripts, we identified techniques that could be used to download files without triggering standard events and circumvent audit logs."
One of those techniques is using an option in SharePoint for files called "Open in Desktop App", which downloads the file to the local machine and opens it in a desktop application. This is executed through a shell command that opens the file by accessing a direct link to it and launches the application associated with the file extension. If the user were to copy that link and open it directly in their browser, they would get the option to download it.
However, it turns out that for links generated and accessed in this way, the event recorded in the SharePoint audit log is "FileAccessed" and not "FileDownloaded".
The researchers managed to automate this by writing a PowerShell script that uses the SharePoint client object model (CSOM) to fetch files without leaving download footprints on the server.
"However, unless a user downloads large volumes of files quickly, these methods will likely create only inconspicuous amounts of access logs, allowing such actions to go relatively unnoticed by detection rules focused on download logs," the researchers said.
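The detection gap above is that download-centric rules count only "FileDownloaded" while the "Open in Desktop App" and CSOM paths log "FileAccessed". As an added example (not code from the article or from Varonis), the Python below runs a sliding-window burst detector over constructed audit records that treats both operations as file retrieval; the field names (CreationTime, Operation, UserId, ClientIP, ObjectId) follow the Office 365 Unified Audit Log schema, and all users, IPs and paths are invented sample values.

```python
"""Burst detection over SharePoint audit records: counting only FileDownloaded
misses the FileAccessed path described above, so both are treated as retrieval."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

RETRIEVAL_OPS = {"FileAccessed", "FileDownloaded"}  # both count as file retrieval

def parse_time(s):
    # Audit log CreationTime is ISO-8601 UTC without an offset, e.g. 2024-01-05T09:00:03
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def detect_bulk_retrieval(records, ops=RETRIEVAL_OPS, window=timedelta(minutes=5), threshold=10):
    """Return (user, time, distinct_file_count) for each user whose distinct-file
    retrievals inside a sliding `window` reach `threshold`; one alert per user,
    raised the first time the threshold is crossed."""
    events = sorted((parse_time(r["CreationTime"]), r["UserId"], r["ObjectId"])
                    for r in records if r.get("Operation") in ops)
    per_user = defaultdict(deque)          # user -> deque of (time, file) in window
    alerts, alerted = [], set()
    for t, user, obj in events:
        q = per_user[user]
        q.append((t, obj))
        while q and t - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({o for _, o in q})
        if distinct >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, t, distinct))
    return alerts

# Constructed sample: alice opens 12 distinct files via "Open in Desktop App" in 90
# seconds (FileAccessed only); bob downloads 3 files normally (FileDownloaded).
BASE = datetime(2024, 1, 5, 9, 0, 0)
SAMPLE_RECORDS = [
    {"CreationTime": (BASE + timedelta(seconds=8 * i)).isoformat(), "Operation": "FileAccessed",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7",
     "ObjectId": f"https://contoso.example/sites/finance/Shared Documents/report{i}.xlsx"}
    for i in range(12)
] + [
    {"CreationTime": (BASE + timedelta(minutes=20 + i)).isoformat(), "Operation": "FileDownloaded",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.9",
     "ObjectId": f"https://contoso.example/sites/finance/Shared Documents/memo{i}.docx"}
    for i in range(3)
]

if __name__ == "__main__":
    print("download-only rule:  ", detect_bulk_retrieval(SAMPLE_RECORDS, ops={"FileDownloaded"}))
    print("access+download rule:", detect_bulk_retrieval(SAMPLE_RECORDS))
```

The download-only rule returns nothing for the sample, while the combined rule alerts on alice at the tenth distinct file; tune `window` and `threshold` against a baseline of normal "FileAccessed" volume, which is far higher than download volume in most tenants.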