MAAD-AF Sharepoint Exfil

This module allows an attacker to exploit SharePoint sites by gathering information and exfiltrating data out of specified SharePoint sites. This module has several sub-modules giving granular control over the actions that can be performed, such as gaining access to a previously restricted site, searching files within a site, etc.

Module Overview - DRAFT

NOTE TO ENABLEMENT TEAM: We may need to find a more sustainable example to use for lab users and adjust the verbiage below accordingly.

  1. From the main Attack Arsenal menu, enter 13 for Exploit Sharepoint. Read through the MITRE information, and press <Enter> to continue.

  2. Use sub-module 2: List all sites in the tenant. Note available Sharepoint sites.

  3. Use sub-module 3: Explore a sharepoint site to attempt to explore the Accounting site. Enter the number that is associated with the Accounting SharePoint site.

    If the Accounting site is restricted, the attacker can leverage sub-module 4: Gain rights to a sharepoint site to attempt to gain access to the restricted site by leveraging the permissions of the compromised account in use.

    Once access is granted, leveraging sub-module 3 again would produce a list of the files contained within the Sharepoint site.

  4. After accessing the Accounting site, MAAD-AF will display additional sub- modules with more actions which can be executed against the site the attacker now has access to.

    Use sub-module 3.6: Dump all files from site to dump all the data from the Accounting Sharepoint site.

  5. Downloading contents of an entire SharePoint Site may take a while. A progress bar should appear near the top of your PowerShell terminal, similar to the below:

    MAAD Sharepoint Exfil

    Dumped data will appear under the Outputs folder in the same directory which MAAD-AF is running from.

Validation - DRAFT

How many total files were downloaded from the Accounting SharePoint site?