Description
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. The following is a list of information that may hold potential value to an adversary and may also be found on SharePoint:

- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials (i.e., Unsecured Credentials)
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
Platforms
Mitigations (3)
Audit (M1047)
Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.
User Account Management (M1018)
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
User Training (M1017)
Develop and publish policies that define acceptable information to be stored in SharePoint repositories.
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) has accessed and downloaded information stored in SharePoint instances as part of data gathering and ex... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has abused compromised credentials to exfiltrate data from SharePoint.(Citation: Microsoft Silk Typho... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has searched a victim's network for collaboration platforms like SharePoint to discover further high-... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has collected information from Microsoft SharePoint services within target networks.(Citation: RSAC 201... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has accessed victim’s public facing SharePoint servers and exfiltrated data.(Citation: DOJ FBI... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) used a SharePoint enumeration and data dumping tool known as spwebmember.(Citation: NCC Group APT15 ... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has searched SharePoint for data and credentials.(Citation: Github TruffleSecurity Trufflehog Ap... |
| S0227 | spwebmember | Tool | [spwebmember](https://attack.mitre.org/software/S0227) is used to enumerate and dump information from Microsoft SharePoint.(Citation: NCC Group APT15 ... |
References
- Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.
Frequently Asked Questions
What is T1213.002 (SharePoint)?
T1213.002 is a MITRE ATT&CK technique named 'SharePoint'. It belongs to the Collection tactic(s). Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and function...
How can T1213.002 be detected?
Detection of T1213.002 (SharePoint) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
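One concrete form of that monitoring is to read the SharePoint audit trail that the Audit mitigation relies on and flag an account that downloads many files in a short window, the pattern behind the data-gathering activity attributed to the groups above. The Python below is an added example, not part of this page or of ATT&CK: the records are constructed, their field names (CreationTime, Operation, UserId, SiteUrl, SourceFileName) follow the Microsoft 365 unified audit log's SharePoint file events as an assumption to verify against your own export, and the threshold, window and account names are likewise assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample, one JSON event per line, shaped like Microsoft 365 unified
# audit log SharePoint file events (field names assumed; check your own export).
SAMPLE_LOG = """
{"CreationTime":"2024-05-01T09:00:05","Operation":"FileAccessed","UserId":"alice@corp.example","SiteUrl":"https://corp.example/sites/hr/","SourceFileName":"holidays.xlsx"}
{"CreationTime":"2024-05-01T09:01:10","Operation":"FileDownloaded","UserId":"alice@corp.example","SiteUrl":"https://corp.example/sites/hr/","SourceFileName":"holidays.xlsx"}
{"CreationTime":"2024-05-01T09:02:00","Operation":"FileDownloaded","UserId":"svc-backup@corp.example","SiteUrl":"https://corp.example/sites/it/","SourceFileName":"network-diagram.vsdx"}
{"CreationTime":"2024-05-01T09:02:30","Operation":"FileDownloaded","UserId":"svc-backup@corp.example","SiteUrl":"https://corp.example/sites/it/","SourceFileName":"dev-credentials.txt"}
{"CreationTime":"2024-05-01T09:03:15","Operation":"FileDownloaded","UserId":"svc-backup@corp.example","SiteUrl":"https://corp.example/sites/eng/","SourceFileName":"repo-snippets.zip"}
{"CreationTime":"2024-05-01T09:04:00","Operation":"FileDownloaded","UserId":"svc-backup@corp.example","SiteUrl":"https://corp.example/sites/pmo/","SourceFileName":"project-schedule.mpp"}
{"CreationTime":"2024-05-01T11:30:00","Operation":"FileDownloaded","UserId":"alice@corp.example","SiteUrl":"https://corp.example/sites/hr/","SourceFileName":"policy.docx"}
"""

# Operations that move file content off the server; FileAccessed is only a view.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def parse_events(text):
    """Parse one JSON event per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
            events.append(rec)
        except (ValueError, KeyError):
            continue  # bad record: skip it rather than abort the whole run
    return events

def find_mass_downloads(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users with >= threshold downloads inside any sliding time window.
    Returns {user: {"count": n, "sites": [distinct SiteUrl values]}}."""
    per_user = {}
    for e in sorted(events, key=lambda e: e["_ts"]):
        if e.get("Operation") in DOWNLOAD_OPS:
            per_user.setdefault(e["UserId"], []).append(e)
    alerts = {}
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["_ts"] - evs[start]["_ts"] > window:
                start += 1  # slide the window forward past stale events
            n = end - start + 1
            if n >= threshold and n > alerts.get(user, {}).get("count", 0):
                sites = sorted({x["SiteUrl"] for x in evs[start:end + 1]})
                alerts[user] = {"count": n, "sites": sites}
    return alerts
```

In the sample, alice's two downloads are hours apart and stay unflagged, while svc-backup pulls four files from three sites in two minutes and is reported; the sites list is what a reviewer would compare against the account's expected privileges under the Audit mitigation.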
What mitigations exist for T1213.002?
There are 3 documented mitigations for T1213.002. Key mitigations include: Audit, User Account Management, User Training.
Which threat groups use T1213.002?
Known threat groups using T1213.002 include: Akira, HAFNIUM, LAPSUS$, Chimera, APT28, VOID MANTICORE, Ke3chang.