In each circumstances, these actions will create “FileDownloaded” entries within the SharePoint audit log so any security answer that displays these can doubtlessly detect suspicious habits, like an unusually giant variety of information being downloaded over a short while, or from a brand new system or from a brand new location.
“As a part of our analysis, we aimed to find out which person actions generated what sort of occasions, both security alerts or file occasions (e.g., open, closed, downloaded, and many others.),” the Varonis researchers stated. “As we developed particular assault scripts, we recognized methods that might be used to obtain information with out triggering commonplace occasions and circumvent audit logs.”
A type of methods is utilizing an choice in SharePoint for information that’s known as “Open in Desktop App” which downloads the file to the native machine and opens it in a desktop software. That is carried out via a shell command that opens the file by accessing a direct hyperlink to it and launches the appliance related to the file extension. If the person would copy that hyperlink and open it immediately of their browser they’d get the choice to obtain it.
Nevertheless, it seems that for hyperlinks generated and accessed on this method, the occasion recorded within the SharePoint audit log is “FileAccessed” and never file “FileDownloaded”.
The researchers managed to automate this by writing a PowerShell script that makes use of the SharePoint consumer object mannequin (CSOM) to fetch information with out leaving obtain footprints on the server.
“Nevertheless, except a person downloads giant volumes of information rapidly, these strategies will probably create solely conspicuous quantities of entry logs, permitting such actions to go comparatively unnoticed by detection guidelines centered on obtain logs,” the researchers stated.
