Skip to content

T1213.002 Sharepoint

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
Item Value
ID T1213.002
Sub-techniques T1213.001, T1213.002, T1213.003
Tactics TA0009
Platforms Office 365, Windows
Permissions required User
Version 1.0
Created 14 February 2020
Last Modified 08 June 2021

Procedure Examples

ID Name Description
G0007 APT28 APT28 has collected information from Microsoft SharePoint services within target networks.4
G0114 Chimera Chimera has collected documents from the victim’s SharePoint.3
G0004 Ke3chang Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.2
G1004 LAPSUS$ LAPSUS$ has searched a victim’s network for collaboration platforms like SharePoint to discover further high-privilege account credentials.5
S0227 spwebmember spwebmember is used to enumerate and dump information from Microsoft SharePoint.2

Mitigations

ID Mitigation Description
M1047 Audit Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.
M1018 User Account Management Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
M1017 User Training Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0028 Logon Session Logon Session Creation

References