| ID | Name |
|---|---|
| T1213.001 | Confluence |
| T1213.002 | Sharepoint |
| T1213.003 | Code Repositories |
| T1213.004 | Customer Relationship Management Software |
| T1213.005 | Messaging Applications |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
| ID | Name | Description |
|---|---|---|
| G1024 | Akira |
Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.[1] |
| G0007 | APT28 |
APT28 has collected information from Microsoft SharePoint services within target networks.[2] |
| C0027 | C0027 |
During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[3] |
| G0114 | Chimera |
Chimera has collected documents from the victim's SharePoint.[4] |
| G0004 | Ke3chang |
Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[5] |
| G1004 | LAPSUS$ |
LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.[6][7] |
| S0227 | spwebmember |
spwebmember is used to enumerate and dump information from Microsoft SharePoint.[5] |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories. |
| M1018 | User Account Management |
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| M1017 | User Training |
Develop and publish policies that define acceptable information to be stored in SharePoint repositories. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage the SharePoint repository as a source to mine valuable information. Monitor access to Microsoft SharePoint repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
| DS0025 | Cloud Service | Cloud Service Metadata |
Monitor M365 Audit logs for FileAccessed operations against Sharepoint workloads. Scrutinize event metadata such as client IP address, ObjectId, UserId, User Agent, and Authentication type. Analytic 1 - Unusual file access patterns by users, anomalous IP addresses, or suspicious User Agents
|
| DS0028 | Logon Session | Logon Session Creation |
Monitor for newly constructed logon behavior across Microsoft's SharePoint which can be configured to report access to certain pages and documents. [8] As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. Analytic 1 - Suspicious actor IPs, unusual user agents (e.g., malware, scripting interpreters like PowerShell, Python), anomalous login times
|