S0227: spwebmember
spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [1]
Analyst context for executives and security teams
spwebmember matters because it targets SharePoint as a business knowledge store, not just as an IT system. The ATT&CK entry describes it as a Windows/.NET tool for SharePoint enumeration and data dumping, which means the business risk is exposure of internal documents, architecture details, policies, and other information that can support follow-on intrusion decisions. For leaders, the key question is whether SharePoint access, auditing, and incident response processes are strong enough to detect and investigate unusual discovery or bulk access to sensitive repositories.
Executive priority
Prioritize this as a collaboration-platform and information-governance risk. SharePoint often holds material that supports operations, audits, security architecture, and executive decision-making; unauthorized enumeration or dumping can weaken business resilience even before destructive activity occurs. Security leaders should ask whether SharePoint logging is retained, reviewed, and correlated with identity activity; whether sensitive sites have least-privilege access; and whether IR playbooks cover suspected data collection from Office Suite repositories.
Technical view
ATT&CK identifies spwebmember as a Microsoft SharePoint enumeration and data dumping tool written in .NET, on Windows, with a relationship to T1213.002 Sharepoint under the collection tactic. Because no official detection is provided, SOC and detection teams should validate coverage around SharePoint repository access patterns rather than tool-name matching alone. Useful validation areas include unusual SharePoint enumeration, abnormal volume of document access or downloads, access to sensitive architecture or policy repositories, Windows/.NET process activity on hosts interacting with SharePoint, and identity context such as unexpected accounts, locations, or session patterns. The relationship to Ke3chang is provided by ATT&CK, but local detections should remain behavior-focused unless separate threat intelligence justifies actor-specific handling.
Likely telemetry
- SharePoint audit logs for site, list, library, file, and permission enumeration activity
- SharePoint or Office Suite access logs showing document reads, exports, or high-volume downloads
- Identity and authentication logs for accounts accessing SharePoint, including unusual sign-in context
- Endpoint telemetry from Windows systems interacting with SharePoint, especially .NET process execution where available
- Network or proxy logs showing SharePoint access patterns from user workstations or servers
Detection direction
- Validate whether SharePoint audit events are enabled, retained, and searchable for enumeration and bulk-access investigations.
- Baseline normal SharePoint access by role, site, and business process so high-volume reads or unusual repository traversal can be triaged without excessive false positives.
- Correlate SharePoint activity with identity signals such as new locations, unusual devices, service-account misuse, or access outside normal working patterns.
- Avoid relying only on a specific tool name because the ATT&CK object provides no official detection logic and the relevant behavior is SharePoint collection.
- Review whether sensitive repositories such as policies, procedures, network diagrams, and architecture documents have monitoring distinct from general collaboration content.
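One way to turn the telemetry and detection directions above into triage logic, as an added example that is not part of this page or of the ATT&CK object: the script buckets SharePoint audit records per account and hour, compares file-operation counts and distinct-site counts against a per-account baseline, and flags access to designated high-value sites when it comes from a client IP the account has not been seen on before. Field names follow the shape of Microsoft 365 unified audit log entries for SharePoint (Operation, UserId, SiteUrl, ObjectId, ClientIP, CreationTime), but every record, baseline figure, IP address and site name is constructed for the demonstration; the ratio threshold and the sensitive-site list are assumptions a real deployment would tune.

```python
"""Triage constructed SharePoint audit records for enumeration and bulk-access patterns."""
from collections import defaultdict
from datetime import datetime

# Constructed per-account baselines: typical file operations and distinct sites
# per hour, which a real deployment would derive from weeks of audit history.
BASELINE = {
    "alice@example.com": {"ops_per_hour": 12, "sites_per_hour": 2},
    "svc-backup@example.com": {"ops_per_hour": 400, "sites_per_hour": 30},
}
DEFAULT_BASELINE = {"ops_per_hour": 10, "sites_per_hour": 2}

# Constructed identity context: client IPs each account has previously used.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
    "svc-backup@example.com": {"198.51.100.5"},
}

SITE = "https://contoso.sharepoint.com/sites/"  # constructed tenant
# Constructed list of repositories the business treats as high value.
SENSITIVE_SITES = {SITE + "NetworkArchitecture", SITE + "SecurityPolicies"}

# Operations that read or pull content (collection), as opposed to page views.
COLLECTION_OPS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def triage(records, ratio=3.0):
    """Return findings (dicts with user, hour, kind and evidence) for the records.

    ratio is an assumed multiplier: activity above ratio * baseline is flagged.
    """
    buckets = defaultdict(list)  # (user, hour) -> records in that hour
    for r in records:
        hour = parse_time(r["CreationTime"]).replace(minute=0, second=0, microsecond=0)
        buckets[(r["UserId"], hour)].append(r)

    findings = []
    for (user, hour), recs in sorted(buckets.items()):
        base = BASELINE.get(user, DEFAULT_BASELINE)
        ops = [r for r in recs if r["Operation"] in COLLECTION_OPS]
        sites = {r["SiteUrl"] for r in recs}
        ips = {r["ClientIP"] for r in recs}

        # High-volume document reads or downloads relative to the account's norm.
        if len(ops) > ratio * base["ops_per_hour"]:
            findings.append({"user": user, "hour": hour, "kind": "bulk_access",
                             "count": len(ops), "expected": base["ops_per_hour"]})
        # Traversal across many more sites than the account normally touches.
        if len(sites) > ratio * base["sites_per_hour"]:
            findings.append({"user": user, "hour": hour, "kind": "site_enumeration",
                             "count": len(sites), "expected": base["sites_per_hour"]})
        # Sensitive repository touched from a client IP not previously seen for this account.
        touched = sites & SENSITIVE_SITES
        unknown_ips = ips - KNOWN_IPS.get(user, set())
        if touched and unknown_ips:
            findings.append({"user": user, "hour": hour, "kind": "sensitive_site",
                             "sites": sorted(touched), "client_ips": sorted(unknown_ips)})
    return findings


def _rec(user, op, site, obj, ip, ts):
    return {"UserId": user, "Operation": op, "SiteUrl": site,
            "ObjectId": obj, "ClientIP": ip, "CreationTime": ts}


# Constructed sample: alice reads a few finance files; bob views the home page of
# eight sites then pulls 40 policy documents from an unfamiliar IP; the backup
# service account does its usual high-volume pass over archive sites.
SAMPLE_RECORDS = (
    [_rec("alice@example.com", "FileAccessed", SITE + "Finance",
          f"{SITE}Finance/Shared Documents/q{i}.xlsx", "203.0.113.10",
          f"2026-01-12T09:{i:02d}:00") for i in range(3)]
    + [_rec("bob@example.com", "PageViewed", SITE + f"Team{i}",
            f"{SITE}Team{i}/SitePages/Home.aspx", "198.51.100.77",
            f"2026-01-12T14:{i:02d}:00") for i in range(8)]
    + [_rec("bob@example.com", "FileDownloaded", SITE + "SecurityPolicies",
            f"{SITE}SecurityPolicies/Shared Documents/policy{i}.docx", "198.51.100.77",
            f"2026-01-12T14:{10 + i:02d}:00") for i in range(40)]
    + [_rec("svc-backup@example.com", "FileAccessed", SITE + f"Archive{i % 10}",
            f"{SITE}Archive{i % 10}/doc{i}.pdf", "198.51.100.5",
            f"2026-01-12T02:{i % 60:02d}:00") for i in range(100)]
)

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f)
```

Run as written, only bob's 14:00 hour produces findings (bulk access, site enumeration and a sensitive-site touch from an unknown IP); alice stays under her baseline and the service account's high volume is absorbed by its own baseline, which is the point of baselining by role rather than using one global threshold.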
Mitigation priorities
- Confirm least-privilege access for SharePoint sites and libraries that contain sensitive operational, architecture, policy, or security documentation.
- Enable and retain SharePoint and identity audit logs long enough to support incident response and compliance evidence needs.
- Apply access reviews and governance for privileged, stale, external, and service accounts with SharePoint access.
- Classify or otherwise identify high-value SharePoint content so monitoring and response can prioritize material repositories.
- Ensure IR playbooks include investigation steps for suspected SharePoint enumeration or data dumping, including identity review and scope determination.
Analyst notes and limits
The most decision-useful context is the relationship to ATT&CK technique T1213.002 Sharepoint, which frames this tool as collection from SharePoint repositories. The related Ke3chang relationship is part of the supplied ATT&CK context, but it should not be treated as proof of current activity or local exposure. For Glexia use cases, this object is most relevant to managed detection, incident response readiness, identity governance, cloud/collaboration security, compliance evidence, and protection of sensitive business documentation.
The ATT&CK object is sparse: it lists Windows as the platform, describes the tool as .NET-based SharePoint enumeration and data dumping software, and provides no official detection text, tactics on the tool object, aliases, or labels. Any specific detection rule, exploitation claim, actor attribution, or customer risk determination requires local telemetry and additional intelligence beyond the supplied fields.
spwebmember
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1213.002 | Sharepoint (sub-technique of T1213, Data from Information Repositories) | spwebmember is used to enumerate and dump information from Microsoft SharePoint. [1] |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 976cea973036… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NCC Group APT15 Alive and Strong: Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- [2] mitre-attack: S0227 (the MITRE ATT&CK source record for spwebmember).
- [3] spwebmember (Citation: NCC Group APT15 Alive and Strong; see [1]).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.