T1213.002 Sharepoint
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
| Item | Value |
|---|---|
| ID | T1213.002 |
| Sub-techniques | T1213.001, T1213.002, T1213.003 |
| Tactics | TA0009 |
| Platforms | Office 365, Windows |
| Permissions required | User |
| Version | 1.0 |
| Created | 14 February 2020 |
| Last Modified | 08 June 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | APT28 has collected information from Microsoft SharePoint services within target networks.4 |
| G0114 | Chimera | Chimera has collected documents from the victim’s SharePoint.3 |
| G0004 | Ke3chang | Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.2 |
| S0227 | spwebmember | spwebmember is used to enumerate and dump information from Microsoft SharePoint.2 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories. |
| M1018 | User Account Management | Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| M1017 | User Training | Develop and publish policies that define acceptable information to be stored in SharePoint repositories. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0028 | Logon Session | Logon Session Creation |
References
-
Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. ↩↩
-
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. ↩
-
Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018. ↩