Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials (i.e., Unsecured Credentials)
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
  • Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:

  • Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
  • Collaboration platforms such as SharePoint, Confluence, and code repositories
  • Messaging platforms such as Slack and Microsoft Teams

In some cases, information repositories have been improperly secured, typically by unintentionally allowing overly broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.[1][2][3]

ID: T1213
Tactic: Collection
Platforms: IaaS, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Isif Ibrahima, Mandiant; Milos Stojadinovic; Naveen Vijayaraghavan; Nilesh Dherange (Gurucul); Obsidian Security; Praetorian; Regina Elwell
Version: 3.4
Created: 18 April 2018
Last Modified: 28 October 2024

Procedure Examples

ID Name Description
G0007 APT28

APT28 has collected files from various information repositories.[4]

C0040 APT41 DUST

APT41 DUST collected data from victim Oracle databases using SQLULDR2.[5]

G0037 FIN6

FIN6 has collected schemas and user accounts from systems running SQL Server.[6]

S1146 MgBot

MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[7]

S0598 P.A.S. Webshell

P.A.S. Webshell has the ability to list and extract data from SQL databases.[8]

S1148 Raccoon Stealer

Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service.[9]

G0034 Sandworm Team

Sandworm Team exfiltrates data of interest from enterprise databases using Adminer.[10]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[11]

G0010 Turla

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[12]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of accounts and privileges for critical and sensitive repositories. Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.[13]
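The exposure check this mitigation describes (a cloud-hosted database whose security group admits external ranges) can be automated against exported configuration. The following is an added example, not MITRE's or AWS's own code: it audits constructed records whose field names mimic the AWS DescribeSecurityGroups and DescribeDBInstances output, but all identifiers, CIDRs and port-to-service mappings are constructed assumptions for illustration.

```python
"""Audit constructed security-group and RDS-instance records for unintended
public exposure of data-store ports (added example, not MITRE's own code).
Record shapes mimic AWS DescribeSecurityGroups / DescribeDBInstances output;
every value below is constructed."""

from ipaddress import ip_network

# Assumption: ports for the repository types named in the technique text.
DATA_STORE_PORTS = {
    3306: "MySQL/Aurora (RDS)",
    5432: "PostgreSQL (RDS)",
    1433: "SQL Server (RDS)",
    6379: "Redis",
    9200: "Elasticsearch REST",
}

# Constructed sample: one group wide open on 3306, one with an "all traffic"
# rule from a non-RFC 1918 range, and two RDS instances attached to them.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111example", "GroupName": "crm-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb222example", "GroupName": "search-cluster",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
          "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
         {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,  # all protocols/ports
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]
RDS_INSTANCES = [
    {"DBInstanceIdentifier": "crm-prod", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa111example"}]},
    {"DBInstanceIdentifier": "reporting", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb222example"}]},
]

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external_cidr(cidr):
    """True unless the whole range sits inside one RFC 1918 block, so 0.0.0.0/0
    and any partly public range count as external."""
    net = ip_network(cidr, strict=False)
    return not any(net.subnet_of(priv) for priv in RFC1918)


def rule_covers_port(rule, port):
    """True if an ingress rule admits traffic to `port` (protocol -1 = everything)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def audit_security_groups(groups, ports=DATA_STORE_PORTS):
    """Return one finding per (group, port, external CIDR) that reaches a data-store port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for rng in rule.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if not is_external_cidr(cidr):
                    continue
                for port, service in ports.items():
                    if rule_covers_port(rule, port):
                        findings.append({
                            "group": sg["GroupId"], "port": port, "service": service,
                            "cidr": cidr,
                            "severity": "critical" if cidr == "0.0.0.0/0" else "high"})
    return findings


def audit_rds_instances(instances, groups):
    """Flag instances that are PubliclyAccessible AND attached to a group with an
    externally reachable data-store rule; both conditions are needed for exposure."""
    exposed = {f["group"] for f in audit_security_groups(groups)}
    return [inst["DBInstanceIdentifier"] for inst in instances
            if inst.get("PubliclyAccessible")
            and any(g["VpcSecurityGroupId"] in exposed
                    for g in inst.get("VpcSecurityGroups", []))]


if __name__ == "__main__":
    for f in audit_security_groups(SECURITY_GROUPS):
        print(f"[{f['severity']}] {f['group']} port {f['port']} ({f['service']}) open to {f['cidr']}")
    print("publicly exposed RDS instances:", audit_rds_instances(RDS_INSTANCES, SECURITY_GROUPS))
```

Only RFC 1918 blocks are treated as internal on purpose: a range such as 203.0.113.0/24 is documentation space, yet an audit that treated every IANA special-purpose range as private would silently pass rules pointing at addresses outside the organization. Run the same functions over a real `describe-security-groups` / `describe-db-instances` export to reproduce the review this mitigation calls for.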

M1041 Encrypt Sensitive Information

Encrypt data stored at rest in databases.

M1032 Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.

M1060 Out-of-Band Communications Channel

Create plans for leveraging a secure out-of-band communications channel, rather than existing in-network chat applications, in case of a security incident.[14]

M1054 Software Configuration

Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.

M1018 User Account Management

Enforce the principle of least privilege. Consider implementing access control mechanisms that include both authentication and authorization.

M1017 User Training

Develop and publish policies that define acceptable information to be stored in repositories.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Because information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may indicate that programmatic means are being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User Behavior Analytics (UBA) platforms to detect and alert on user-based anomalies.
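The two minimum detections described above (privileged-account access to a repository, and one user retrieving an unusually large number of documents in a short window) are concrete enough to implement as rules over audit records. The following is an added example, not MITRE's own detection content: the record fields loosely follow the Microsoft 365 unified audit log (CreationTime, UserId, Operation, ObjectId), but all records, users, group memberships and thresholds are constructed assumptions.

```python
"""Two detections from the DS0015 guidance over constructed audit records
(added example, not MITRE's own code). Field names loosely follow the
Microsoft 365 unified audit log; every value is constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Privileged directory groups named in the technique text.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed: group memberships as pulled from the directory (assumption).
USER_GROUPS = {
    "da-jsmith@corp.example": {"Domain Admins"},
    "jsmith@corp.example": {"Sales"},
    "svc-backup@corp.example": {"Service Accounts"},
}

# Operations that mean "the user read a document or page" (assumption).
READ_OPERATIONS = {"FileAccessed", "FileDownloaded", "PageViewed"}


def make_records():
    """Constructed audit records: one privileged access, one ordinary user,
    and one account that pulls 60 files in under ten minutes."""
    base = datetime(2024, 10, 28, 9, 0, 0)
    records = [
        {"CreationTime": base, "UserId": "da-jsmith@corp.example",
         "Operation": "FileAccessed", "ObjectId": "/sites/eng/NetworkDiagram.vsdx"},
        {"CreationTime": base + timedelta(minutes=1), "UserId": "jsmith@corp.example",
         "Operation": "PageViewed", "ObjectId": "/sites/sales/Q4-plan.aspx"},
    ]
    for i in range(60):
        records.append({"CreationTime": base + timedelta(seconds=10 * i),
                        "UserId": "svc-backup@corp.example",
                        "Operation": "FileDownloaded",
                        "ObjectId": f"/sites/eng/docs/doc-{i:03d}.docx"})
    return records


def privileged_access_alerts(records, user_groups=USER_GROUPS):
    """Rule 1: any repository access by a member of a privileged directory group."""
    return [{"rule": "privileged_repo_access", "user": r["UserId"], "object": r["ObjectId"]}
            for r in records
            if user_groups.get(r["UserId"], set()) & PRIVILEGED_GROUPS]


def bulk_retrieval_alerts(records, threshold=50, window=timedelta(minutes=10)):
    """Rule 2: more than `threshold` reads by one user inside any sliding `window`,
    a simple proxy for scripted crawling of the repository."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in READ_OPERATIONS:
            per_user[r["UserId"]].append(r["CreationTime"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({"rule": "bulk_retrieval", "user": user,
                               "count": count, "window_end": t})
                break  # one alert per user is enough
    return alerts


def run_detections(records):
    """Run both rules and return the combined alert list."""
    return privileged_access_alerts(records) + bulk_retrieval_alerts(records)


if __name__ == "__main__":
    for alert in run_detections(make_records()):
        print(alert)
```

The threshold and window are deliberately parameters: the right values depend on the repository's normal usage, and a UBA platform does essentially this with per-user baselines instead of one fixed number. Alerts from rule 2 fire on the first record that crosses the threshold, so the `window_end` timestamp is the point at which an analyst should start looking.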

DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior. Microsoft's SharePoint can be configured to report access to certain pages and documents.[15] SharePoint audit logging can also be configured to report when a user shares a resource.[16] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[17] In AWS environments, GuardDuty can be configured to report suspicious login activity in services such as RDS.[18] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

References