app

Sidestepping Detection While Exfiltrating SharePoint Data: Best Practices for Secure Information Transfer

As a security-conscious SharePoint user, it’s crucial to understand the latest vulnerabilities in the system. Two new techniques have been identified that allow stealthy data removal without triggering the usual detection mechanisms. One approach manipulates SharePoint’s “open in app” feature to download files discreetly, masking the activity as an innocent access event. The second strategy misrepresents file downloads as synchronization processes by exploiting the Microsoft SkyDriveSync User-Agent.

Despite their potential risks, these vulnerabilities have not been deemed critical enough for immediate patches. Microsoft’s decision to classify these security concerns as “moderate” and retain the functionality in question has sparked a strong reaction from cybersecurity professionals. To counter these threats, importance is placed on diligent monitoring of SharePoint and OneDrive audit logs for atypical patterns of access, volume, or origin, which could indicate unauthorized data access or extraction.

Key Takeaways

  • Stealth techniques in SharePoint can disguise data exfiltration as normal activities.
  • Microsoft has acknowledged but not prioritized immediate fixes for these methods.
  • Monitoring audit logs for abnormalities is essential for detecting unauthorized access.

SharePoint and OneDrive: Risks and Data Exfiltration

When utilizing SharePoint and OneDrive, the secure orchestration of file access permissions is critical. Incorrect permissions assignment can lead to unwarranted access, leaving an average of 10% of cloud-stored data vulnerable across all employees. Specific sectors, like manufacturing and finance, might see as many as 11 million files accessible to the entire workforce.

Focusing on the key exfiltration tactics from SharePoint and OneDrive, one method worth noting is:

  • Direct File Retrieval: This involves downloading items directly to a local machine.

Another strategy revolves around:

  • Permissioned Link Distribution: Through SharePoint functions, users can create links for external sharing, either anonymously or specifically designated.

Despite varied detection methods for the latter, our emphasis lies on direct file retrieval due to its potential for scale when automated, amplifying the threat of extensive data loss. Automation is feasible using tools such as Azure Applications or the Microsoft Graph API, which generate temporary download URLs for an hour. Despite being traceable via a spike in “FileDownloaded” audit logs, they present an efficient exfiltration route.

Here are some insights into how these activities are recorded:

  • Audit Signatures: Automated downloads and other activities leave discernible trails, typically in audit logs.
  • Disguising Activity: Savvier attackers have honed tactics to acquire data without initiating standard event logs, dodging typical security procedures.

Through meticulous analysis, it’s been revealed that certain actions performed within these environments can sidestep the usual detection by not triggering expected audit logs. This uncovers the gap in security where threat actors can operate discreetly, accessing data without the conspicuous footprint of mass downloads. Thus, while tools and APIs provide productivity advantages, they also introduce significant risks unless carefully monitored and appropriately secured.

Sidestepping SharePoint Security

Downloading Files and Folders in SharePoint

Transferring a file from SharePoint to your computer typically generates a “FileDownloaded” event within SharePoint’s audit log. This function aids security software in tracking unauthorized access or policy breaches.

However, the method of download impacts how the activity is recorded:

  • Through the Graphical User Interface (GUI): Your direct download actions are logged and traceable under “FileDownloaded”.
  • Using Browser User-Agent: If you download a single file, it uses the browser’s user agent. Conversely, when you download a folder that transfers as a zip file, a unique User Agent, “OneDriveMpc-Transform_Zip/1.0,” is used.
Download MethodUser-AgentAudit Log Event
Single FileBrowser’s own User-AgentFileDownloaded
Folder (as zip)OneDriveMpc-Transform_Zip/1.0FileDownloaded

Another approach to access files without making it evident in the audit log is to use the “open in app” function:

  • Open in App: By opening a file with an associated application directly, you can work with the data sans generating a distinguishable download event in the logs.

Remember, while opening a file in an application may not leave a typical download trace, the file is indeed downloaded to your local system. This distinction can be crucial in cybersecurity and information governance contexts.

Exfiltrating Data in SharePoint

In SharePoint environments, unauthorized data can be retrieved using methods that subvert common audit processes. One method incorporates a combination of PowerShell and SharePoint’s client-side object model (CSOM), allowing for the automated retrieval of data from SharePoint, saving it to a local device while evading traditional download logs. Let’s examine how this can affect your data security:

  • Automated Scripts: Utilizing PowerShell, scripts can be constructed to automatically extract the contents of a SharePoint site, mirroring all the data onto a local device. Despite the extensive data movement, these scripts cleverly leave behind only access logs, not the typical download logs.
    ActivityLogs GeneratedVisible to Auditing Tools
    File AccessAccess logYes
    File DownloadNoneNo
  • The “Open in App” Feature: A network trace reveals a shell command when you open a SharePoint document in a local application. This command directs the local application to access and open the document using a provided URL. The generated URL can be copied and utilized outside of the SharePoint interface to directly engage with the document.
  • Persistency of URLs: These specific URLs, employed during the “open in app” action, are not time-limited, and using them bypasses the creation of “FileDownloaded” audit logs. However, interactions with these URLs do generate “FileAccessed” logs.

For effective monitoring, it is essential to be aware that although these methods are distinct, they similarly generate primarily access logs. When a user is not rapidly downloading numerous files, such actions may not trigger the usual download-focused detection mechanisms, making it crucial to consider these alternate audit trails in your security protocols.

Remember, your data is only as secure as your weakest link. Review your access log review procedures to ensure they cover various exfiltration methods, not just traditional downloads.

Data Exfiltration Through File Synchronization on SharePoint and OneDrive

When securing your data against unauthorized access, it’s crucial to recognize file synchronization as a potential avenue for data leakage. Typically, file synchronization with SharePoint is an automated process where any modifications to a document on SharePoint are mirrored on a local device, and vice versa, without direct user interaction. This convenience is particularly prevalent within organizations where OneDrive may be preset for synchronization.

Click the “Sync” option on a SharePoint site to initiate syncing from SharePoint to a local device. This task is managed by the OneDrive.exe application on the local computer, creating particular logs for the activities. The events “FileSyncUploadedFull” and “FileSyncDownloadedFull” represent uploads to and downloads from the cloud. Differing from these, the manual activities of uploading and downloading files are noted as “FileUploaded” and “FileDownloaded” events in SharePoint’s log.

Key Logging Differentiator: User-Agent
Every file upload or download event harbors information about the User-Agent, which is instrumental in classifying whether the action was a manual or synchronized operation. Synchronization events carry a unique User-Agent identifier, Microsoft SkyDriveSync, earmarking such events as synchronization activities in the logs.

Savvy individuals might manipulate their browser’s User Agent to alter the event classification. Even manual activities, like downloading a file through the interface, can be catalogued as synchronization actions by mimicking the SkyDriveSync User Agent string. Additionally, PowerShell scripts can be employed to automate this process.

  • Advantages of FileSync Over Manual Methods:
    • Does not generate conspicuous “access” logs.
    • Evades certain monitoring systems, particularly those configured to overlook sync events.
    • Presents activities in logs as benign synchronization rather than intentional downloads.

By masquerading conventional download actions as sync events, an individual might exploit this method to clandestinely obtain data — bypassing alarm systems designed to flag unauthorized file retrievals. The subtlety of the file sync method means it can be leveraged to exfiltrate data surreptitiously, a tactic that demands your vigilance in data protection strategies.

Monitoring for Unusual Activity

In cybersecurity, you must stay vigilant against methods attackers use to covertly extract data. Traditional logs that flag ‘FileDownloaded’ events may no longer suffice. Savvy individuals can manipulate event types to their advantage. You should expand the scope of monitoring to include what may initially appear benign access and synchronization events.

Be alert for a significant increase in access logs, indicating covert downloading activities rather than regular file viewing. Such suspicious patterns may also emerge from modifications in typical user behavior, including:

  • A noticeable surge in the amount of data being accessed which deviates from the user’s normal pattern.
  • Sync requests originating from new or unusual devices instead of those routinely used by the user.
  • Synchronization activities detected from unfamiliar geographical locations.
  • An unusual volume of data being synchronized, especially if it includes sensitive directories not typical for the user’s regular data exchanges.

Adjust your detection systems to discern malicious activities effectively. Scrutinize sync-related events as much as direct downloads. Pay close attention to anomalies in sync patterns and other behavioral indicators that could signal a data breach.

Tony Haskew

Project Engineer

Tony Haskew has 15+ years of experience in the IT field. He started working as a web developer in the 90’s and over the years migrated into the administration of systems and infrastructures of companies. 

Tony enjoys working on new technology and finding new ways to address old issues in the management of IT systems.

Outside of work, Tony is a 3D printing enthusiast, commission painter, and enjoys spending time with his family.