
Sid 1-51474

Message

FILE-OTHER Microsoft SharePoint deserialization attempt

Summary

This event is generated when an attempt is made to perform an unsafe deserialization function against a Microsoft SharePoint application.

Impact

Remote Code Execution

Detailed information

Microsoft SharePoint suffers from an unsafe deserialization vulnerability that could allow a malicious user to run unauthorized code on the server. To take advantage of this vulnerability the malicious user must have credentials to the system that allow them to make changes and upload BCD model files on the system.
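As an added illustration of the kind of check a rule in this class performs (example code written for this page, not the Snort rule's own signature, whose matching content is not reproduced here): a small Python detector that scans captured HTTP requests for the header of a .NET BinaryFormatter stream, the usual carrier of unsafe-deserialization payloads, either raw or base64-encoded. The request paths, the path scoping pattern and the sample requests are constructed, and the assumption that such a marker is a useful trigger for this rule is mine.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A .NET BinaryFormatter stream opens with the SerializationHeaderRecord:
# record type 0x00, then rootId = 1 and headerId = -1 (FF FF FF FF) as int32.
# Base64-encoding those nine leading bytes yields the fixed "AAEAAAD/////" prefix.
BINARY_FORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
BINARY_FORMATTER_B64_PREFIX = base64.b64encode(BINARY_FORMATTER_MAGIC).decode()  # "AAEAAAD/////"

# Hypothetical scoping pattern: only inspect requests aimed at SharePoint service paths.
# Narrowing by path is what keeps a marker like this from firing on unrelated traffic.
SHAREPOINT_PATH = re.compile(r"^/(_layouts|_vti_bin)/", re.IGNORECASE)


@dataclass
class Finding:
    method: str
    path: str
    reason: str


def scan_request(method: str, path: str, body: bytes) -> Optional[Finding]:
    """Return a Finding when an upload-style request to SharePoint carries a BinaryFormatter stream."""
    if method.upper() not in ("POST", "PUT"):
        return None
    if not SHAREPOINT_PATH.search(path):
        return None
    if BINARY_FORMATTER_MAGIC in body:
        return Finding(method, path, "raw BinaryFormatter header in body")
    if BINARY_FORMATTER_B64_PREFIX.encode("ascii") in body:
        return Finding(method, path, "base64-encoded BinaryFormatter header in body")
    return None


def scan_requests(requests: List[Tuple[str, str, bytes]]) -> List[Finding]:
    """Run scan_request over (method, path, body) tuples and collect the hits."""
    findings = []
    for method, path, body in requests:
        hit = scan_request(method, path, body)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample traffic: one benign model upload, one base64 payload,
# one raw payload, and one payload on a non-SharePoint path that must not fire.
SAMPLE_REQUESTS: List[Tuple[str, str, bytes]] = [
    ("POST", "/_vti_bin/example.svc", b"<Model Name=\"Demo\"><LobSystems/></Model>"),
    ("POST", "/_layouts/15/example.aspx", b"data=AAEAAAD/////AQAAAAAAAAAMAgAAAEV4YW1wbGU="),
    ("PUT", "/_vti_bin/example.svc", BINARY_FORMATTER_MAGIC + b"\x01\x00\x00\x00example"),
    ("POST", "/api/unrelated", b"data=AAEAAAD/////AQAAAAAAAAAMAgAAAEV4YW1wbGU="),
]


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f.method} {f.path}: {f.reason}")
```

The scan is deliberately narrow: it reports only write-style requests to SharePoint service paths whose body contains the formatter header, so the fourth sample (same payload, unrelated path) is ignored. A production rule would also want to pair this with the upload path for model files once that path is known.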

Affected systems

  • Microsoft SharePoint 2016

Ease of attack

Simple

False positives

False negatives

Corrective action

Apply recommended patches and/or updates to the system.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1257
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1257