Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

ID: T1213
Sub-techniques:  T1213.001, T1213.002, T1213.003
Tactic: Collection
Platforms: Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Contributors: Isif Ibrahima, Mandiant; Milos Stojadinovic; Naveen Vijayaraghavan, Nilesh Dherange (Gurucul); Praetorian; Regina Elwell
Version: 3.2
Created: 18 April 2018
Last Modified: 11 April 2022

Procedure Examples

ID Name Description
G0007 APT28

APT28 has collected files from various information repositories.[1]

G0037 FIN6

FIN6 has collected schemas and user accounts from systems running SQL Server.[2]

G0117 Fox Kitten

Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[3]

G1004 LAPSUS$

LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[4]

S0598 P.A.S. Webshell

P.A.S. Webshell has the ability to list and extract data from SQL databases.[5]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[6]

G0010 Turla

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[7]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of accounts and privileges for critical and sensitive repositories.

M1018 User Account Management

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

M1017 User Training

Develop and publish policies that define acceptable information to be stored in repositories.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.

DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents. [8] Sharepoint audit logging can also be configured to report when a user shares a resource. [9]The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. [10] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

References