Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain information that helps an adversary learn about the structure and functionality of the internal network and systems. Examples of information that may hold value to an adversary and may be found on SharePoint include:
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1213.002 | Sharepoint | |
AC-3 | Access Enforcement | Protects | T1213.002 | Sharepoint | |
AC-5 | Separation of Duties | Protects | T1213.002 | Sharepoint | |
AC-6 | Least Privilege | Protects | T1213.002 | Sharepoint | |
CA-8 | Penetration Testing | Protects | T1213.002 | Sharepoint | |
CM-5 | Access Restrictions for Change | Protects | T1213.002 | Sharepoint | |
CM-6 | Configuration Settings | Protects | T1213.002 | Sharepoint | |
CM-7 | Least Functionality | Protects | T1213.002 | Sharepoint | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1213.002 | Sharepoint | |
IA-4 | Identifier Management | Protects | T1213.002 | Sharepoint | |
IA-8 | Identification and Authentication (non-organizational Users) | Protects | T1213.002 | Sharepoint | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1213.002 | Sharepoint | |
SI-4 | System Monitoring | Protects | T1213.002 | Sharepoint | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1213.002 | Sharepoint | The following Azure Sentinel hunting queries can identify potentially malicious access to SharePoint: "SharePointFileOperation via clientIP with previously unseen user agents", "SharePointFileOperation via devices with previously unseen user agents", and "SharePointFileOperation via previously unseen IPs". The Azure Sentinel analytics rule "SharePointFileOperation via devices with previously unseen user agents" can identify a high number of upload or download actions by an unknown and possibly malicious actor. |
conditional_access | Conditional Access | technique_scores | T1213.002 | Sharepoint | Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint, can restrict what they can do in those applications through its app-enforced restrictions. For example, it can enforce that users on unmanaged devices have browser-only access to SharePoint with no ability to download, print, or sync files. Through its integration with Microsoft Cloud App Security, it can also restrict cut, copy, and paste operations. This impedes an adversary's ability to collect files or other valuable information from the application. The protection is partial: it does not prevent an adversary from viewing sensitive information and collecting it manually, for example by writing it down by hand. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1213.002 | Sharepoint | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. |
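The "previously unseen user agent / previously unseen IP" logic behind the Azure Sentinel hunting queries named above, as an added example that is not part of this mapping page nor Microsoft's own query code: a Python model that builds a per-user baseline of UserAgent and ClientIP values from SharePoint/OneDrive file operations over a 14-day lookback, then flags values in the most recent 24 hours that are absent from that baseline and whose count meets a threshold. The field names follow the OfficeActivity table (OfficeWorkload, Operation, UserId, ClientIP, UserAgent, TimeGenerated); the sample records, users, addresses, lookback window and the threshold of 10 are constructed assumptions for illustration, not real telemetry or the thresholds the Sentinel queries actually use.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Scope matches the Sentinel hunting queries: SharePoint/OneDrive file operations only.
WORKLOADS = {"SharePoint", "OneDrive"}
FILE_OPS = {"FileDownloaded", "FileUploaded", "FileSyncDownloadedFull", "FileSyncUploadedFull"}


def make_events():
    """Constructed sample rows (not real telemetry) shaped like OfficeActivity records."""
    now = datetime(2024, 3, 15, 12, 0, 0)
    events = []
    # Days 14..2 before 'now': routine activity, one browser UA and one office IP per user.
    for day in range(14, 1, -1):
        t = now - timedelta(days=day)
        events.append(dict(TimeGenerated=t, OfficeWorkload="SharePoint", Operation="FileDownloaded",
                           UserId="alice@contoso.example", ClientIP="203.0.113.10",
                           UserAgent="Mozilla/5.0 (Windows NT 10.0) Edge/122.0"))
        events.append(dict(TimeGenerated=t, OfficeWorkload="OneDrive", Operation="FileUploaded",
                           UserId="bob@contoso.example", ClientIP="203.0.113.11",
                           UserAgent="Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"))
    # Last 24h: alice's account bulk-downloads with a scripted client from a never-seen IP.
    for i in range(25):
        events.append(dict(TimeGenerated=now - timedelta(minutes=i), OfficeWorkload="SharePoint",
                           Operation="FileDownloaded", UserId="alice@contoso.example",
                           ClientIP="198.51.100.7", UserAgent="python-requests/2.31.0"))
    # Last 24h: bob uses a new browser once from his usual IP (benign noise, below threshold).
    events.append(dict(TimeGenerated=now - timedelta(hours=2), OfficeWorkload="SharePoint",
                       Operation="FileDownloaded", UserId="bob@contoso.example",
                       ClientIP="203.0.113.11", UserAgent="Mozilla/5.0 (Macintosh) Safari/17.0"))
    # Non-file operation from an unknown IP: out of scope, must be ignored.
    events.append(dict(TimeGenerated=now - timedelta(hours=1), OfficeWorkload="SharePoint",
                       Operation="PageViewed", UserId="alice@contoso.example",
                       ClientIP="198.51.100.99", UserAgent="curl/8.0"))
    return events, now


def file_ops(events):
    """Yield only SharePoint/OneDrive file upload/download records."""
    for e in events:
        if e["OfficeWorkload"] in WORKLOADS and e["Operation"] in FILE_OPS:
            yield e


def build_baseline(events, start, end):
    """Per-user sets of UserAgent and ClientIP values observed in [start, end)."""
    baseline = defaultdict(lambda: {"UserAgent": set(), "ClientIP": set()})
    for e in file_ops(events):
        if start <= e["TimeGenerated"] < end:
            for field in ("UserAgent", "ClientIP"):
                baseline[e["UserId"]][field].add(e[field])
    return baseline


def unseen_file_ops(events, now, lookback_days=14, window_hours=24, threshold=10):
    """Return {(UserId, field, value): count} for file operations in the detection window
    whose UserAgent or ClientIP never appeared for that user during the baseline period
    and whose count reaches the threshold. A user absent from the baseline has every
    value flagged, which is the intended 'previously unseen' semantic."""
    window_start = now - timedelta(hours=window_hours)
    baseline = build_baseline(events, now - timedelta(days=lookback_days), window_start)
    counts = Counter()
    for e in file_ops(events):
        if window_start <= e["TimeGenerated"] <= now:
            for field in ("UserAgent", "ClientIP"):
                if e[field] not in baseline[e["UserId"]][field]:
                    counts[(e["UserId"], field, e[field])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    sample_events, sample_now = make_events()
    for (user, field, value), n in sorted(unseen_file_ops(sample_events, sample_now).items()):
        print(f"{user}: {n} file operations with previously unseen {field} {value!r}")
```

The threshold is what separates the hunting queries (which surface any new value for an analyst to triage) from the analytics rule (which alerts only on a high volume of actions): run with `threshold=1` to get the hunting behaviour, where bob's single new browser also appears, and with the default to get the alerting behaviour, where only the scripted bulk download from the new address is returned.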