Microsoft SharePoint Server Improper Input Validation (CVE-2026-32201)

union W3CIISLog, AzureDiagnostics
| where TimeGenerated >= ago(7d)
| where (csUriStem has_any ("/_layouts/", "/_api/", "/sites/", "/_vti_bin/") or ResourceType =~ "MICROSOFT.SHAREPOINT")
| where (
    (csMethod in~ ("POST", "PUT", "PATCH") and (csUriQuery contains "..%2F" or csUriQuery contains "%00" or csUriQuery contains "<script" or csUriQuery contains "javascript:"))
    or (scStatus in (400, 500, 502, 503) and scBytes > 5000)
    or csUriStem matches regex @"(?i)(/\.\./)|(;.*\.aspx)|(%2e%2e)|(//\w+)")
| extend ClientIP = coalesce(cIP, CallerIPAddress), UserAgent = coalesce(csUserAgent, "unknown")
| summarize RequestCount = count(), UniqueURIs = dcount(csUriStem), StatusCodes = make_set(scStatus), UserAgents = make_set(UserAgent) by ClientIP, bin(TimeGenerated, 5m)
| where RequestCount > 20 or UniqueURIs > 10
| project TimeGenerated, ClientIP, RequestCount, UniqueURIs, StatusCodes, UserAgents

index=iis OR index=sharepoint sourcetype=iis OR sourcetype=ms:sharepoint:audit
| where (uri_path IN ("/_layouts/", "/_api/", "/sites/", "/_vti_bin/") OR match(uri_path, "(?i)/_layouts|/_api|/_vti_bin|/sites/"))
| eval is_suspicious=if(
    (method IN ("POST", "PUT", "PATCH") AND (match(uri_query, "(?i)(\.\./|%2e%2e|%00|<script|javascript:)")))
    OR (status >= 500)
    OR match(uri_path, "(?i)(%2e%2e|;.*\.aspx|/\.\./)"), 1, 0)
| stats count AS total_requests, dc(uri_path) AS unique_paths, values(status) AS status_codes, values(method) AS methods, sum(is_suspicious) AS suspicious_count BY src_ip, span(1m, _time)
| where total_requests > 30 OR suspicious_count > 5
| eval risk_score=case(suspicious_count > 10, "critical", suspicious_count > 5, "high", total_requests > 100, "medium", true(), "low")
| table _time, src_ip, total_requests, unique_paths, suspicious_count, status_codes, methods, risk_score
| sort -suspicious_count

sequence by source.ip with maxspan=2m
  [network where event.dataset == "iis.access" and
   url.path : ("*/_layouts/*", "*/_api/*", "*/_vti_bin/*", "*/sites/*") and
   http.request.method in ("POST", "PUT", "PATCH") and
   (
     url.query : ("*%2e%2e*", "*%00*", "*<script*", "*javascript:*", "*../*") or
     url.path : ("*%2e%2e*", "*;*.aspx*", "*/../*")
   )] with runs=3
  [network where event.dataset == "iis.access" and
   http.response.status_code >= 500 and
   url.path : ("*/_layouts/*", "*/_api/*", "*/_vti_bin/*")] with runs=2

SELECT sourceip, URL, username, "HTTPRequestMethod", "HTTPStatusCode", QIDNAME(qid) AS EventName, COUNT(*) AS EventCount
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Microsoft SharePoint')
AND (URL ILIKE '%/_layouts/%' OR URL ILIKE '%/_api/%' OR URL ILIKE '%/_vti_bin/%' OR URL ILIKE '%/sites/%')
AND (
  ("HTTPRequestMethod" IN ('POST', 'PUT', 'PATCH') AND (
    URL ILIKE '%../%' OR URL ILIKE '%%2e%2e%' OR URL ILIKE '%%00%'
    OR URL ILIKE '%<script%' OR URL ILIKE '%javascript:%'
  ))
  OR "HTTPStatusCode" >= 500
)
AND DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
GROUP BY sourceip, URL, username, "HTTPRequestMethod", "HTTPStatusCode", qid
HAVING COUNT(*) > 5
ORDER BY EventCount DESC
LIMIT 1000

_sourceCategory=iis OR _sourceCategory=sharepoint/audit
| parse regex "(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) \S+ \S+ \[(?P<timestamp>[^\]]+)\] \"(?P<method>\S+) (?P<uri>\S+) HTTP/[\d.]+\" (?P<status>\d{3}) (?P<bytes>\d+)"
| where uri matches "*/_layouts/*" or uri matches "*/_api/*" or uri matches "*/_vti_bin/*" or uri matches "*/sites/*"
| eval suspicious = if(method in ("POST","PUT","PATCH") and (uri matches "*%2e%2e*" or uri matches "*%00*" or uri matches "*../*" or uri matches "*<script*"), 1, 0)
| eval server_error = if(status >= "500", 1, 0)
| timeslice 5m
| stats sum(suspicious) as suspicious_count, sum(server_error) as error_count, count as total_requests, values(uri) as uris by src_ip, _timeslice
| where suspicious_count > 3 or (error_count > 5 and total_requests > 20)
| sort by suspicious_count desc

rule cve_2026_32201_sharepoint_input_validation {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-32201 SharePoint improper input validation exploitation attempts"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201"
    cve = "CVE-2026-32201"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.target.application = /(?i)sharepoint/
    (
      $e.target.url.path = /(?i)\/_layouts\// or
      $e.target.url.path = /(?i)\/_api\// or
      $e.target.url.path = /(?i)\/_vti_bin\// or
      $e.target.url.path = /(?i)\/sites\//
    )
    (
      (
        $e.network.http.method = "POST" or
        $e.network.http.method = "PUT" or
        $e.network.http.method = "PATCH"
      ) and
      (
        $e.target.url.path = /(?i)(%2e%2e|\.\.\/|%00|javascript:|<script)/ or
        $e.target.url.query = /(?i)(%2e%2e|\.\.\/|%00|javascript:|<script)/
      )
    ) or
    $e.network.http.response_code >= 500

    $src_ip = $e.principal.ip

  match:
    $src_ip over 2m

  condition:
    #e >= 5
}

event_simpleName IN ("NetworkReceiveAccept", "NetworkConnectIP4", "HttpRequest")
| filter TargetApplicationName matches "(?i)sharepoint|iis"
| filter HttpPath matches "(?i)/_layouts/|/_api/|/_vti_bin/|/sites/"
| filter (
    (HttpMethod IN ("POST", "PUT", "PATCH") AND (
      HttpPath matches "(?i)(%2e%2e|%00|\.\./|javascript:|<script)" OR
      HttpQueryString matches "(?i)(%2e%2e|%00|\.\./|javascript:|<script)"
    ))
    OR HttpStatusCode >= 500
  )
| eval risk = case(
    HttpPath matches "(?i)(%2e%2e|%00)" AND HttpMethod IN ("POST","PUT"), "critical",
    HttpStatusCode >= 500, "high",
    true(), "medium"
  )
| stats count() AS attempt_count, values(HttpPath) AS paths, values(HttpStatusCode) AS status_codes, values(risk) AS risk_levels BY RemoteAddressIP4, aid, ComputerName
| filter attempt_count >= 3
| sort -attempt_count