1. Home
  2. Techniques
  3. Enterprise
  4. Data from Information Repositories
  5. Confluence

Data from Information Repositories: Confluence

ID Name
T1213.001 Confluence
T1213.002 Sharepoint
T1213.003 Code Repositories
T1213.004 Customer Relationship Management Software
T1213.005 Messaging Applications

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials (i.e., Unsecured Credentials)
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
ID: T1213.001
Sub-technique of:  T1213
Tactic: Collection
Platforms: SaaS
Version: 1.1
Created: 14 February 2020
Last Modified: 30 August 2024
Version Permalink

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.[1]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.
M1018 User Account Management

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
M1017 User Training

Develop and publish policies that define acceptable information to be stored in Confluence repositories.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. [2] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

References

  1. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  1. Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.