Signature
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint malicious serialized viewstate evaluation attempt"; flow:to_server,established; content:"/_layouts/viewlists.aspx?"; fast_pattern:only; http_uri; content:"BaseType=0"; nocase; http_uri; content:"__VIEWSTATE="; nocase; http_uri; base64_decode:bytes 150,offset 17,relative; base64_data; content:"System.IO.FileInfo|02 00 00 00 0C|OriginalPath|08|FullPath"; nocase; content:"|5C 5C|"; distance:0; nocase; content:"|5C 5C|"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-1330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:attempted-admin; sid:27823; rev:3;)
Recommendations/Investigative actions
It is recommended to ensure that the SharePoint server is up-to-date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine if the attempted exploitation was successful. Look for signs of unauthorized access or further exploitation attempts. If possible, block communication Attempts from external networks, or enable access from specific external devices only.