title: SharePoint (T1213.002)
id: df00tech-t1213-002
status: experimental
description: "Adversaries may leverage SharePoint repositories as a source to mine valuable organizational information. SharePoint frequently contains policies, physical and logical network diagrams, system architecture documentation, testing credentials embedded in documents, source code snippets, and links to internal resources. Threat actors including Akira, HAFNIUM, LAPSUS$, APT28, and Chimera have used compromised credentials to bulk-access SharePoint sites during the collection phase, often prior to exfiltration. Specialized tooling such as spwebmember (used by APT15/Ke3chang) automates enumeration and bulk dumping of SharePoint document libraries."
references:
  - https://attack.mitre.org/techniques/T1213/002/
  - https://df00tech.com/detections/T1213.002
author: df00tech
date: 2026/03/12
tags:
  - attack.t1213.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is only a placeholder: a wildcard EventID matches every event in the
  # logsource, so the rule will fire on all traffic until it is replaced with the real query.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
  - "Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule"
  - "SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content"
  - "Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews"
  - Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows
level: high
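The description above characterises T1213.002 as bulk access to SharePoint document libraries with compromised credentials, and the false positives list shows the same access pattern coming from backup, eDiscovery and indexing tools. The following Python script is an added example, not part of the df00tech rule or the KQL/SPL query it refers to: it implements a sliding-window detection that flags a principal reading an unusual number of distinct SharePoint files within a short interval, and suppresses a hypothetical allow-list of service accounts to cover those documented benign cases. The record layout (CreationTime, Operation, UserId, ObjectId, Workload) is modelled on the Microsoft 365 unified audit log schema; all records, account names, thresholds and URLs are constructed for the example.

```python
"""Sliding-window detection for bulk SharePoint document access (T1213.002).

Added example: flags a user who reads many distinct SharePoint files inside a short
window, the pattern behind credential-driven collection, while suppressing accounts
whose bulk reads are expected (backup, eDiscovery, search indexing).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Audit-log operations that indicate a file was read or pulled down. Field and
# operation names are assumed from the Microsoft 365 unified audit log schema.
READ_OPERATIONS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}

# Hypothetical allow-list: accounts whose high-volume reads are expected.
KNOWN_BULK_READERS = {
    "svc-backup@example.com",       # scheduled backup/archiving tool
    "svc-ediscovery@example.com",   # legal hold / compliance processing
}

WINDOW = timedelta(minutes=10)      # look-back per user
DISTINCT_FILE_THRESHOLD = 50        # distinct files in WINDOW that trigger an alert


def site_of(object_id: str) -> str:
    """Extract the site name from a SharePoint object URL, or "<root>" if none."""
    parts = object_id.split("/")
    if "sites" in parts:
        return parts[parts.index("sites") + 1]
    return "<root>"


def detect_bulk_access(records, window=WINDOW, threshold=DISTINCT_FILE_THRESHOLD):
    """Return one alert per user whose distinct-file count in any `window` reaches
    `threshold`. The alert keeps the largest count observed for that user."""
    events = sorted(
        (r for r in records
         if r.get("Workload") == "SharePoint" and r.get("Operation") in READ_OPERATIONS),
        key=lambda r: datetime.strptime(r["CreationTime"], FMT),
    )
    per_user = defaultdict(deque)   # user -> deque of (timestamp, ObjectId)
    alerts = {}
    for r in events:
        user = r["UserId"].lower()
        if user in KNOWN_BULK_READERS:
            continue                # documented false positive: expected bulk reader
        t = datetime.strptime(r["CreationTime"], FMT)
        q = per_user[user]
        q.append((t, r["ObjectId"]))
        while q and t - q[0][0] > window:
            q.popleft()             # drop reads that fell out of the look-back window
        distinct = {obj for _, obj in q}
        if len(distinct) >= threshold and len(distinct) > alerts.get(user, {}).get("distinct_files", 0):
            alerts[user] = {
                "user": user,
                "distinct_files": len(distinct),
                "sites": sorted({site_of(obj) for _, obj in q}),
                "window_start": q[0][0].strftime(FMT),
                "window_end": t.strftime(FMT),
            }
    return list(alerts.values())


def build_sample_records():
    """Constructed audit records (not real logs) exercising the three cases."""
    base = datetime(2026, 3, 12, 9, 0, 0)
    recs = []
    # alice: 60 distinct files from two sites in under six minutes -> alert
    for i in range(60):
        site = "Infra" if i % 2 == 0 else "Security"
        recs.append({
            "CreationTime": (base + timedelta(seconds=6 * i)).strftime(FMT),
            "Operation": "FileDownloaded" if i % 3 == 0 else "FileAccessed",
            "UserId": "alice@example.com", "Workload": "SharePoint",
            "ObjectId": f"https://contoso.sharepoint.com/sites/{site}/Shared Documents/doc{i}.docx",
        })
    # bob: 12 reads of only 6 distinct files spread over the morning -> no alert
    for i in range(12):
        recs.append({
            "CreationTime": (base + timedelta(minutes=15 * i)).strftime(FMT),
            "Operation": "FileAccessed", "UserId": "bob@example.com", "Workload": "SharePoint",
            "ObjectId": f"https://contoso.sharepoint.com/sites/HR/Shared Documents/policy{i % 6}.pdf",
        })
    # svc-backup: 200 distinct files in a burst, but allow-listed -> suppressed
    for i in range(200):
        recs.append({
            "CreationTime": (base + timedelta(seconds=i)).strftime(FMT),
            "Operation": "FileSyncDownloadedFull", "UserId": "svc-backup@example.com",
            "Workload": "SharePoint",
            "ObjectId": f"https://contoso.sharepoint.com/sites/Finance/Shared Documents/ledger{i}.xlsx",
        })
    return recs


if __name__ == "__main__":
    print(json.dumps(detect_bulk_access(build_sample_records()), indent=2))
```

The threshold and window are the tuning knobs the false positives list points at: a migration or Power Automate flow that legitimately reads hundreds of files will cross them, so in practice the allow-list is keyed on the service principal or application ID doing the reads rather than on volume alone, and a second signal such as a new ClientIP or a user touching sites they have never visited is what separates collection from routine automation.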
