1. Home
  2. ATT&CK Techniques
  3. T1213.002 Sharepoint

T1213.002 Sharepoint

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials (i.e., Unsecured Credentials)
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1213.002 Sharepoint
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1213.002 Sharepoint
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.AA-01.01 Identity and credential management Mitigates T1213.002 Sharepoint
      Comments
      This diagnostic statement protects against Sharepoint through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CA-07 Continuous Monitoring mitigates T1213.002 Sharepoint
        CM-06 Configuration Settings mitigates T1213.002 Sharepoint
        CM-05 Access Restrictions for Change mitigates T1213.002 Sharepoint
        AC-17 Remote Access mitigates T1213.002 Sharepoint
        IA-08 Identification and Authentication (Non-Organizational Users) mitigates T1213.002 Sharepoint
        AC-21 Information Sharing mitigates T1213.002 Sharepoint
        AC-23 Data Mining Protection mitigates T1213.002 Sharepoint
        IA-04 Identifier Management mitigates T1213.002 Sharepoint
        SC-28 Protection of Information at Rest mitigates T1213.002 Sharepoint
        RA-05 Vulnerability Monitoring and Scanning mitigates T1213.002 Sharepoint
        CM-08 System Component Inventory mitigates T1213.002 Sharepoint
        SI-07 Software, Firmware, and Information Integrity mitigates T1213.002 Sharepoint
        AC-16 Security and Privacy Attributes mitigates T1213.002 Sharepoint
        CM-02 Baseline Configuration mitigates T1213.002 Sharepoint
        CM-02 Baseline Configuration mitigates T1213.002 Sharepoint
        IA-02 Identification and Authentication (Organizational Users) mitigates T1213.002 Sharepoint
        CM-07 Least Functionality mitigates T1213.002 Sharepoint
        SI-04 System Monitoring mitigates T1213.002 Sharepoint
        AC-02 Account Management mitigates T1213.002 Sharepoint
        AC-03 Access Enforcement mitigates T1213.002 Sharepoint
        AC-04 Information Flow Enforcement mitigates T1213.002 Sharepoint
        AC-05 Separation of Duties mitigates T1213.002 Sharepoint
        AC-06 Least Privilege mitigates T1213.002 Sharepoint
        CM-03 Configuration Change Control mitigates T1213.002 Sharepoint

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.002 Sharepoint
        attribute.confidentiality.data_disclosure None related-to T1213.002 Sharepoint

        Azure Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        microsoft_sentinel Microsoft Sentinel technique_scores T1213.002 Sharepoint
        Comments
        The following Microsoft Sentinel Hunting queries can identify potentially malicious access to SharePoint: "SharePointFileOperation via clientIP with previously unseen user agents", "SharePointFileOperation via devices with previously unseen user agents", and "SharePointFileOperation via previously unseen IPs". The Microsoft Sentinel Analytics "SharePointFileOperation via devices with previously unseen user agents" query can identify a high number of upload or download actions by an unknown and possible malicious actor.
        References
        1. https://learn.microsoft.com/en-us/azure/sentinel/overview
        2. https://learn.microsoft.com/en-us/azure/sentinel/hunting