SERVER-WEBAPP Microsoft Office SharePoint malicious serialized viewstate evaluation attempt

This alert is triggered when an adversary is attempting to exploit the CVE-2013-1330 a vulnerability in Microsoft Office SharePoint by sending malicious serialized viewstate data for evaluation. This vulnerability allows an attacker to execute arbitrary code. SharePoint is a web-based collaboration platform that integrates with Microsoft Office.

ID Number

27823

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint malicious serialized viewstate evaluation attempt"; flow:to_server,established; content:"/_layouts/viewlists.aspx?"; fast_pattern:only; http_uri; content:"BaseType=0"; nocase; http_uri; content:"__VIEWSTATE="; nocase; http_uri; base64_decode:bytes 150,offset 17,relative; base64_data; content:"System.IO.FileInfo|02 00 00 00 0C|OriginalPath|08|FullPath"; nocase; content:"|5C 5C|"; distance:0; nocase; content:"|5C 5C|"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-1330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:attempted-admin; sid:27823; rev:3;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to ensure that the SharePoint server is up-to-date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine if the attempted exploitation was successful. Look for signs of unauthorized access or further exploitation attempts. If possible, block communication Attempts from external networks, or enable access from specific external devices only.