Data from Information Repositories: Sharepoint

ID Name
T1213.001 Confluence
T1213.002 Sharepoint

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
ID: T1213.002
Sub-technique of:  T1213
Tactic: Collection
Platforms: Office 365, Windows
Permissions Required: User
Data Sources: Application logs, Authentication logs, Office 365 audit logs
Version: 1.0
Created: 14 February 2020
Last Modified: 24 March 2020

Procedure Examples

Name Description
APT28

APT28 has collected information from Microsoft SharePoint services within target networks.[2]

Ke3chang

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[1]

spwebmember

spwebmember is used to enumerate and dump information from Microsoft SharePoint.[1]

Mitigations

Mitigation Description
Audit

Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.

User Account Management

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

User Training

Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

Detection

The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. [3]. As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.

References