# MAAD-AF Sharepoint Exfil This module allows an attacker to exploit SharePoint sites by gathering information and exfiltrating data out of specified SharePoint sites. This module has several sub-modules giving granular control over the actions that can be performed, such as gaining access to a previously restricted site, searching files within a site, etc. ## Module Overview - DRAFT **NOTE TO ENABLEMENT TEAM:** We may need to find a more sustainable example to use for lab users and adjust the verbiage below accordingly. 1. From the main Attack Arsenal menu, enter `13` for `Exploit Sharepoint`. Read through the MITRE information, and press `` to continue. 2. Use sub-module `2: List all sites in the tenant`. Note available Sharepoint sites. 3. Use sub-module `3: Explore a sharepoint site` to attempt to explore the `Accounting` site. Enter the number that is associated with the `Accounting` SharePoint site. If the `Accounting` site is restricted, the attacker can leverage sub-module `4: Gain rights to a sharepoint site` to attempt to gain access to the restricted site by leveraging the permissions of the compromised account in use. Once access is granted, leveraging sub-module `3` again would produce a list of the files contained within the Sharepoint site. 4. After accessing the Accounting site, MAAD-AF will display additional sub- modules with more actions which can be executed against the site the attacker now has access to. Use sub-module `3.6: Dump all files from site` to dump all the data from the `Accounting` Sharepoint site. 5. Downloading contents of an entire SharePoint Site may take a while. A progress bar should appear near the top of your PowerShell terminal, similar to the below: ![MAAD Sharepoint Exfil](images/maad_sharepoint_exfil_file_dump.png) Dumped data will appear under the `Outputs` folder in the same directory which MAAD-AF is running from. ## Validation - DRAFT How many total files were downloaded from the `Accounting` SharePoint site?