CVE-2026-32201 Google Chronicle · YARA-L

Detect Microsoft SharePoint Server Improper Input Validation (CVE-2026-32201) in Google Chronicle

Detects exploitation of CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to send crafted HTTP requests to SharePoint endpoints to bypass input validation controls, potentially enabling unauthorized access, remote code execution, or data exfiltration. CWE-20 class vulnerabilities in SharePoint have historically been leveraged for initial access and lateral movement in enterprise environments.

MITRE ATT&CK

Tactic

  • Initial Access
  • Execution
  • Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cve_2026_32201_sharepoint_input_validation {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-32201 SharePoint improper input validation exploitation attempts"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201"
    cve = "CVE-2026-32201"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"

    // Depends on the ingestion parser populating target.application. IIS W3C
    // logs frequently leave it empty; if so, drop this line or scope on
    // target.hostname instead.
    $e.target.application = /(?i)sharepoint/

    // UDM stores the request URL as one string (target.url); there is no
    // target.url.path or target.url.query field. Whether cs-uri-query is folded
    // into target.url depends on the parser, so confirm in UDM search.
    (
      $e.target.url = /(?i)\/_layouts\// or
      $e.target.url = /(?i)\/_api\// or
      $e.target.url = /(?i)\/_vti_bin\// or
      $e.target.url = /(?i)\/sites\//
    )

    // Either a write-method request carrying an encoded traversal, null byte or
    // script payload in the URL, or any 5xx response. The 5xx branch has no
    // payload requirement, so a burst of server errors alone reaches the
    // threshold (see False Positives & Tuning).
    (
      (
        (
          $e.network.http.method = "POST" or
          $e.network.http.method = "PUT" or
          $e.network.http.method = "PATCH"
        ) and
        $e.target.url = /(?i)(%2e%2e|\.\.\/|%00|javascript:|<script)/
      ) or
      $e.network.http.response_code >= 500
    )

    $src_ip = $e.principal.ip

  match:
    $src_ip over 2m

  condition:
    #e >= 5
}

Chronicle YARA-L 2.0 rule that matches NETWORK_HTTP events against SharePoint paths (/_layouts/, /_api/, /_vti_bin/, /sites/) when a POST, PUT or PATCH request carries an encoded traversal sequence, null byte or script payload in the URL, or when the server answers with a 5xx status. Matching events are grouped by source IP over a 2-minute window and an alert fires once five or more accumulate.

Data Sources

  • Chronicle UDM events
  • IIS web logs ingested to Chronicle

Required Tables

UDM NETWORK_HTTP events

False Positives & Tuning

  • SharePoint mobile app clients that encode special characters in API requests
  • Legitimate SharePoint REST API consumers using encoded query parameters
  • Security scanning appliances performing scheduled SharePoint health checks
  • SharePoint migration tools generating bulk encoded requests during data transfer
  • The response_code >= 500 branch carries no payload requirement, so five server errors from one source within two minutes (an outage, a misbehaving integration) satisfy the condition on their own; drop the branch, or AND it with the payload regex, if it dominates alert volume
  • The payload regex matches %2e%2e and ../ but not the mixed form ..%2f or the double-encoded %252e; extend it if your IIS logging records the raw query string
  • The target.application filter only works if the ingestion parser populates that field; confirm it in UDM search before relying on it, or scope on target.hostname instead
  • Suppress known scanner and migration-tool source IPs with a reference list rather than raising the event threshold, which would also suppress slow attackers

Testing Methodology

Validate this detection against the four test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SharePoint Encoded Path Traversal Probe (CVE-2026-32201)

    Expected signal: IIS W3C log entry with cs-uri-stem=/_layouts/15/start.aspx, cs-uri-query containing %2e%2e%2f, cs-method=POST, and HTTP status 400 or 500 (or 200 if vulnerable). Network connection event from the test host to the SharePoint server on TCP/80 or TCP/443. A single request stays below the rule's threshold; repeat it at least five times within two minutes from the same source to raise an alert.

  2. Test 2: SharePoint REST API Null Byte Injection (CVE-2026-32201)

    Expected signal: 10 IIS log entries to /_api/web/lists with POST method, JSON content-type, and a null byte (%00) in the request body. Windows Security Event 4688 should NOT appear unless RCE is achieved. HTTP 400/401/403/500 is expected in non-vulnerable or patched environments. Caveat: IIS W3C logs do not record the request body and the rule inspects only the URL, so a null byte carried solely in the body matches nothing; this test exercises the rule only through its 5xx branch, or if the payload is also placed in the query string.

  3. Test 3: SharePoint Webshell Drop via Exploited Upload Endpoint (CVE-2026-32201 Post-Exploitation Simulation)

    Expected signal: Windows Security Event 4663 (File System Audit) for a new .aspx file created in the SharePoint _layouts directory by a process other than normal SharePoint setup. Sysmon Event ID 11 (FileCreate) with TargetFilename matching *.aspx in SharePoint web root paths. IIS log entry for a GET request to /_layouts/15/detection_test_cve_2026_32201.aspx returning HTTP 200. These are file and process events, which the NETWORK_HTTP rule above does not consume; they validate a companion file-creation detection, not this rule.

  4. Test 4: High-Volume SharePoint Endpoint Fuzzing (CVE-2026-32201 Scanner Simulation)

    Expected signal: 32+ IIS log entries across 4 SharePoint endpoints within ~7 seconds from a single source IP. Encoded traversal sequences visible in cs-uri-query fields. Mix of HTTP 400, 403, 404, and 500 response codes expected. Requests sent with GET match only through the 5xx branch, since the payload branch is gated on POST/PUT/PATCH.
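As an added example, not part of the df00tech page or of the Chronicle rule itself, the Python below re-implements the rule's event filter and its five-events-in-two-minutes threshold so the rule description and the test cases above can be dry-run against IIS W3C log lines before any traffic is sent. Everything in it is constructed: the `#Fields` column order, the IP addresses, timestamps and requests. The target.application check is omitted because IIS logs rarely carry that field, and Chronicle's `over 2m` match window is approximated as a sliding window.

```python
"""Offline emulation of the cve_2026_32201_sharepoint_input_validation rule.

Added example, not code from the page or from Chronicle. Sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C excerpt. The #Fields line fixes the column order; real
# sites log more columns, so parse_iis() reads the header instead of assuming.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-03-01 10:00:01 203.0.113.7 POST /_layouts/15/start.aspx p=%2e%2e%2fweb.config 400
2026-03-01 10:00:03 203.0.113.7 POST /_layouts/15/start.aspx p=%2e%2e%2f%2e%2e%2fweb.config 400
2026-03-01 10:00:05 203.0.113.7 POST /_api/web/lists v=%00 500
2026-03-01 10:00:07 203.0.113.7 PUT /_vti_bin/client.svc q=../../web.config 500
2026-03-01 10:00:09 203.0.113.7 POST /sites/hr/_api/web n=<script>alert(1)</script> 400
2026-03-01 10:00:11 203.0.113.7 PATCH /_api/web/lists n=javascript:void(0) 403
2026-03-01 10:00:13 203.0.113.7 POST /_layouts/15/start.aspx p=..%2f..%2fweb.config 403
2026-03-01 10:01:00 198.51.100.20 POST /_api/web/lists $filter=Title%20eq%20'Q1' 200
2026-03-01 10:01:02 198.51.100.20 POST /_api/web/lists $select=Title 200
2026-03-01 10:02:00 192.0.2.9 GET /_layouts/15/start.aspx p=%2e%2e%2f 404
2026-03-01 10:02:01 192.0.2.9 GET /_api/web p=%2e%2e%2f 404
2026-03-01 10:02:02 192.0.2.9 GET /_vti_bin/client.svc p=%2e%2e%2f 404
2026-03-01 10:02:03 192.0.2.9 GET /sites/hr p=%2e%2e%2f 404
2026-03-01 10:02:04 192.0.2.9 GET /_layouts/15/start.aspx p=%00 404
2026-03-01 10:03:00 198.51.100.30 GET /_layouts/15/start.aspx - 503
2026-03-01 10:03:02 198.51.100.30 GET /_layouts/15/start.aspx - 503
2026-03-01 10:03:04 198.51.100.30 GET /_layouts/15/start.aspx - 503
2026-03-01 10:03:06 198.51.100.30 GET /_layouts/15/start.aspx - 503
2026-03-01 10:03:08 198.51.100.30 GET /_layouts/15/start.aspx - 503
2026-03-01 10:05:00 203.0.113.8 POST /_layouts/15/start.aspx p=%2e%2e%2f 400
2026-03-01 10:08:00 203.0.113.8 POST /_layouts/15/start.aspx p=%2e%2e%2f 400
2026-03-01 10:11:00 203.0.113.8 POST /_layouts/15/start.aspx p=%2e%2e%2f 400
2026-03-01 10:14:00 203.0.113.8 POST /_layouts/15/start.aspx p=%2e%2e%2f 400
2026-03-01 10:17:00 203.0.113.8 POST /_layouts/15/start.aspx p=%2e%2e%2f 400
"""

# Same patterns as the rule's target.url regexes (RE2 (?i) -> re.IGNORECASE).
SP_PATH = re.compile(r"/(_layouts|_api|_vti_bin|sites)/", re.IGNORECASE)
PAYLOAD = re.compile(r"(%2e%2e|\.\./|%00|javascript:|<script)", re.IGNORECASE)
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def parse_iis(text):
    """Yield one dict per W3C data line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        query = "" if row["cs-uri-query"] == "-" else "?" + row["cs-uri-query"]
        yield {
            "ts": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
            "src_ip": row["c-ip"],
            "method": row["cs-method"],
            "url": row["cs-uri-stem"] + query,   # stem + query, as target.url would carry it
            "status": int(row["sc-status"]),
        }


def event_matches(e):
    """Mirror of the rule's events: block (target.application check omitted)."""
    if not SP_PATH.search(e["url"]):
        return False
    if e["status"] >= 500:            # 5xx branch: no payload required
        return True
    return e["method"] in WRITE_METHODS and bool(PAYLOAD.search(e["url"]))


def run_rule(text, window=timedelta(minutes=2), threshold=5, allowlist=()):
    """Return {src_ip: peak count} for sources whose matching events reach the
    threshold inside some window. allowlist emulates a reference-list exclusion."""
    by_ip = defaultdict(list)
    for e in parse_iis(text):
        if e["src_ip"] not in allowlist and event_matches(e):
            by_ip[e["src_ip"]].append(e["ts"])
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):       # sliding-window approximation of 'over 2m'
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, n in sorted(run_rule(SAMPLE_LOG).items()):
        print(f"ALERT {ip}: {n} matching events within one 2-minute window")
```

Running it reproduces the behaviour the tuning notes describe: 203.0.113.7 alerts with six matching events (its seventh request, using the mixed `..%2f` form, slips past the payload regex), the GET-based scanner 192.0.2.9 never matches because the payload branch is gated on write methods, 198.51.100.30 alerts on nothing but five 503s, and 203.0.113.8 evades the rule by spacing identical probes three minutes apart. Passing `allowlist={"198.51.100.30"}` shows the effect of a reference-list exclusion.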
