Name:Microsoft SharePoint Server Elevation of Privilege id:fcf4bd3f-a79f-4b7a-83bf-2692d60b859d version:8 date:2026-03-27 author:Michael Haag, Gowthamaraj Rajendran, Splunk status:production type:Anomaly Description:The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357.
It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts.
This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment.
If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach. Data_source:
-Suricata
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url IN ( "*/_api/web/siteusers*", "*/_api/web/currentuser*" ) Web.status=200 Web.http_method="GET"
BY Web.http_user_agent Web.status Web.http_method Web.url Web.url_length Web.src Web.dest
how_to_implement:This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint. known_false_positives:False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. References: -https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ -https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: cve: - 'CVE-2023-29357' analytic_story: - 'Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357' asset_type:Web Server atomic_guid: mitre_attack_id: - 'T1068' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network
