SharePoint Pentesting

/Pages/Search.aspx
    Usual search function available on most SharePoint pages

/_layouts/15/osssearchresults.aspx
    Hidden search function that appears to return the same results as the SharePoint Search API

/_api/search/query?QueryTemplatePropertiesUrl=%27spfile://webroot/queryparametertemplate.xml%27&rowlimit=500&querytext=%27txt%27
    Access to the SharePoint Search API. Get more results by adjusting the rowlimit number

/_vti_bin/client.svc/ProcessQuery
    Unusual method for searching with XML

/_layouts/15/devdash.aspx
    Developer dashboard

/_api/contextinfo
    Accepts POST requests only. Shows the SharePoint patch level

/_layouts/15/searchresults.aspx
    Access to an error message, potentially showing inner SharePoint sites

/_layouts/viewlsts.aspx
    Site Contents page

/<library>/_layouts/15/PickerTreeView.aspx
    View the site content page in a tree view format

/_layouts/15/RecycleBin.aspx
    View the recycle bin of a SharePoint library

Linking Malware In SharePoint

The SharePoint crawler service may extract files that are uploaded to SharePoint into a temporary folder. An AV scan of that temporary folder may reveal malware.

Note on SharePoint 2013 Database

1) The AllDocs/Docs table contains the metadata of uploaded files (e.g. time created, site location, file name)

2) The DocStreams table contains the actual content of uploaded files, encoded in hex

3) The AllDocs/Docs Id column is linked to the DocStreams DocId column

Identifying Malware Based on Crawler / IIS Logs

1) Crawls on SharePoint show up in the IIS logs with a User-Agent containing “MS+Search+6.0+Robot”. Note that the User-Agent may change depending on the SharePoint version or the settings configured

2) Filter the IIS logs on that specific User-Agent, then zoom in on the time the AV flagged the malware, plus or minus a few seconds. Note the name of the potentially malicious file and its URL, and tie it back to your SharePoint site where possible.

3) Try searching for the file name in SharePoint, then delete it.

4) Alternatively, if you can't find it via SharePoint search, you have to search the database. See the next section.

5) Decrypt the quarantined file using Dexray (https://benleeyr.wordpress.com/2020/04/23/dexray/) to verify that it's the same file as the one you see in the SharePoint database!

If you have the file name, but can’t find it in SharePoint, search the database!

1) Consider loading the SharePoint database files into a hex editor, then searching for the file name to pinpoint the specific database file you need to zoom in on

2) Or search each SharePoint site database for the malware's file name in the Docs table, under the LeafName column (e.g. SELECT * FROM Docs WHERE LeafName LIKE '%maliciousfilename%'). This should also reveal the location of the file under the DirName column, and you can navigate there to delete the file.

3) If DirName is blank, look at the Id column of the row for the malicious file and copy that Id.

4) Search the DocStreams table for the contents of the malware file, filtering by DocId (e.g. SELECT * FROM DocStreams WHERE DocId LIKE '<Id from Docs table>'). Remember that the AllDocs/Docs Id column is linked to the DocStreams DocId column.

5) The contents of the file are in the Content column, encoded in hex. They can be decoded using Burp Suite Decoder or CyberChef

6) Decode the hex and verify whether it's malicious. If it is, you can choose to delete the row.

If you have the contents of the file, but can’t find it in SharePoint, search the database!

1) There may be situations where you are looking for the contents of a file but don't have its file name (e.g. looking for publicly available malicious code)

2) Convert a unique section of the file to hex, or use a hex viewer to do that

3) Go to the DocStreams table and use the following SELECT command to find it

SELECT * FROM DocStreams
WHERE CONVERT(varchar(max), Content, 2) LIKE '%<insert hex here without the <> symbols>%'
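An added example, not part of the original notes, covering the hex handling in both database sections above: turning a unique section of a file into the pattern the DocStreams query expects, decoding the Content column back into bytes, and comparing that decoded content with the file recovered from quarantine (step 5 of the crawler-log procedure). The DocStreams rows, DocIds and marker bytes are constructed; the helpers assume what the query relies on, namely that CONVERT(varchar(max), Content, 2) renders the binary as uppercase hex with no 0x prefix. It also shows a failure mode the LIKE query has on its own: a hex substring can match starting in the middle of a byte, so a hit should be confirmed on the decoded bytes.

```python
"""Hex search and decode helpers for SharePoint DocStreams content (added example)."""
import hashlib


def hex_pattern(unique_bytes):
    """Hex text of the bytes as CONVERT(varchar(max), Content, 2) renders them:
    uppercase, no 0x prefix."""
    return unique_bytes.hex().upper()


def build_docstreams_query(unique_bytes):
    """The notes' DocStreams query with the pattern filled in.

    The pattern only ever contains [0-9A-F], so concatenating it into the
    literal cannot change the query's structure."""
    return ("SELECT * FROM DocStreams\n"
            "WHERE CONVERT(varchar(max), Content, 2) LIKE '%"
            + hex_pattern(unique_bytes) + "%'")


def decode_content(hex_text):
    """Turn the hex shown for the Content column back into bytes.

    Accepts the 0x prefix and whitespace that query tools add when displaying
    binary columns."""
    text = "".join(hex_text.split())
    if text[:2].lower() == "0x":
        text = text[2:]
    return bytes.fromhex(text)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_quarantined(content_hex, quarantined_bytes):
    """Step 5 check: decoded database content is byte-for-byte the file
    recovered from quarantine (compared via SHA-256)."""
    return sha256_hex(decode_content(content_hex)) == sha256_hex(quarantined_bytes)


# Constructed stand-in for DocStreams rows: (DocId, Content as hex text).
# The marker string is made up; it only plays the role of a unique section.
SAMPLE_ROWS = [
    ("11111111-1111-1111-1111-111111111111", hex_pattern(b"%PDF-1.4 clean document")),
    ("22222222-2222-2222-2222-222222222222",
     hex_pattern(b"MZ\x90\x00EVIL-MARKER-0001" + b"\x00" * 8)),
    # Bytes 1A BC D2: contains the hex text "ABCD" but not the bytes AB CD.
    ("33333333-3333-3333-3333-333333333333", "1ABCD2"),
]


def sql_like_hits(rows, unique_bytes):
    """What the LIKE query returns: a plain substring match on the hex text,
    which can start at an odd nibble and so yield a false positive."""
    pat = hex_pattern(unique_bytes)
    return [doc_id for doc_id, content_hex in rows if pat in content_hex.upper()]


def verified_hits(rows, unique_bytes):
    """The same search on the decoded bytes, so a match must start on a byte
    boundary. Run this over the rows the LIKE query returned."""
    return [doc_id for doc_id, content_hex in rows
            if unique_bytes in decode_content(content_hex)]


if __name__ == "__main__":
    marker = b"EVIL-MARKER-0001"
    print(build_docstreams_query(marker))
    print("LIKE hits:    ", sql_like_hits(SAMPLE_ROWS, marker))
    print("verified hits:", verified_hits(SAMPLE_ROWS, marker))
    print("decoy LIKE hit:", sql_like_hits(SAMPLE_ROWS, b"\xab\xcd"),
          "verified:", verified_hits(SAMPLE_ROWS, b"\xab\xcd"))
```

Pick a section of the file that is long and specific enough (a few dozen bytes of code or a distinctive string, not a common header such as MZ or %PDF), otherwise the LIKE query returns every document of that type; and because it converts every row's content to text, run it against a restored copy of the content database rather than the live one where you can.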

References

1) https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint2003/dd587598(v=office.11)?redirectedfrom=MSDN