T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
An external IP address 39.91.166.222, geolocated to China, initiated HTTP requests against the SharePoint server MS-SharePointServer (172.16.17.233).
The source IP sent crafted HTTP GET requests to SharePoint REST API endpoints, including /_api/web/currentuser, using a scripted user agent (python-requests/2.28.1). The request returned HTTP 200, indicating successful interaction with the API endpoint, which is consistent with exploitation of the CVE-2023-29357 authentication bypass.
Oct 06, 2023, 08:05 PM
Source IP: 39.91.166.222
Destination IP: 172.16.17.233
Hostname: MS-SharePointServer
Endpoint: /_api/web/currentuser
CVE-2023-29357 allows authentication bypass and privilege escalation in Microsoft SharePoint. The successful 200 response to a scripted API request suggests unauthorized access to SharePoint user information. The activity pattern and user agent indicate automated exploitation rather than legitimate user activity.
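The indicators above (external source, /_api/ path, scripted user agent, 200 response) can be turned into a simple hunting rule over web server logs. The following is an added example, not part of the original alert: it parses constructed log lines in a simplified IIS/W3C layout and flags requests matching that pattern; the field order and user-agent list are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified IIS/W3C layout (spaces in the
# user agent are '+'-encoded, as IIS does):
# date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
SAMPLE_LOG = """\
2023-10-06 20:05:11 39.91.166.222 GET /_api/web/currentuser 200 python-requests/2.28.1
2023-10-06 20:05:12 39.91.166.222 GET /_api/web/siteusers 200 python-requests/2.28.1
2023-10-06 20:06:40 172.16.20.15 GET /_api/web/currentuser 200 Mozilla/5.0+(Windows+NT+10.0)
2023-10-06 20:07:02 39.91.166.222 GET /_layouts/15/start.aspx 401 python-requests/2.28.1
"""

# User agents typical of scripted tooling rather than browsers (assumed list).
SCRIPTED_UA = re.compile(r"^(python-requests|python-urllib|curl|Go-http-client|Wget)/", re.I)


@dataclass
class Finding:
    time: str
    src_ip: str
    path: str
    user_agent: str


def is_external(ip: str) -> bool:
    """True if the client IP is not private, loopback or link-local."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def detect_rest_api_probe(log_text: str) -> list[Finding]:
    """Flag successful (200) SharePoint REST API calls from external IPs
    that use a scripted user agent, the pattern described in the alert."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("#"):
            continue  # W3C header lines
        fields = line.split(maxsplit=6)
        if len(fields) != 7:
            continue  # blank or malformed line
        date, time, c_ip, _method, uri, status, ua = fields
        if not uri.lower().startswith("/_api/"):
            continue
        if status != "200" or not SCRIPTED_UA.match(ua):
            continue
        if not is_external(c_ip):
            continue
        findings.append(Finding(f"{date} {time}", c_ip, uri, ua))
    return findings
```

On the sample above only the two external python-requests calls to /_api/ that returned 200 are flagged; the internal browser request and the 401 are not.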
The alert was confirmed as a True Positive. Immediate containment actions were initiated, including isolating the affected server, reviewing authentication logs for unauthorized access, validating patch status, blocking the source IP, and escalating for deeper forensic analysis to determine the scope of compromise.