Skip to content

T1213.002 Sharepoint

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials (i.e., Unsecured Credentials)
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
Item Value
ID T1213.002
Sub-techniques T1213.001, T1213.002, T1213.003, T1213.004, T1213.005, T1213.006
Tactics TA0009
Platforms Office Suite, Windows
Version 1.1
Created 14 February 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G1024 Akira Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.3
G0007 APT28 APT28 has collected information from Microsoft SharePoint services within target networks.8
C0027 C0027 During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.9
G0114 Chimera Chimera has collected documents from the victim’s SharePoint.7
G0125 HAFNIUM HAFNIUM has abused compromised credentials to exfiltrate data from SharePoint.4
G0004 Ke3chang Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.2
G1004 LAPSUS$ LAPSUS$ has searched a victim’s network for collaboration platforms like SharePoint to discover further high-privilege account credentials.65
S0227 spwebmember spwebmember is used to enumerate and dump information from Microsoft SharePoint.2

Mitigations

ID Mitigation Description
M1047 Audit Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.
M1018 User Account Management Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
M1017 User Training Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

References

  1. Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018. 

  2. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  3. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024. 

  4. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025. 

  5. Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022. 

  6. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. 

  7. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. 

  8. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018. 

  9. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.