1. Home
  2. Techniques
  3. Enterprise
  4. Data from Information Repositories
  5. Sharepoint

Data from Information Repositories: Sharepoint

ID Name
T1213.001 Confluence
T1213.002 Sharepoint
T1213.003 Code Repositories
T1213.004 Customer Relationship Management Software
T1213.005 Messaging Applications
T1213.006 Databases

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials (i.e., Unsecured Credentials)
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
ID: T1213.002
Sub-technique of:  T1213
Tactic: Collection
Platforms: Office Suite, Windows
Contributors: Arun Seelagan, CISA
Version: 1.1
Created: 14 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1024 Akira

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.[1]
G0007 APT28

APT28 has collected information from Microsoft SharePoint services within target networks.[2]
C0027 C0027

During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[3]
G0114 Chimera

Chimera has collected documents from the victim's SharePoint.[4]
G0125 HAFNIUM

HAFNIUM has abused compromised credentials to exfiltrate data from SharePoint.[5]
G0004 Ke3chang

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[6]
G1004 LAPSUS$

LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.[7][8]
S0227 spwebmember

spwebmember is used to enumerate and dump information from Microsoft SharePoint.[6]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.
M1018 User Account Management

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
M1017 User Training

Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0500 Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users AN1380

Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.

References

  1. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  2. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
  3. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  4. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  1. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  2. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  3. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  4. Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.