| ID | Name |
|---|---|
| T1213.001 | Confluence |
| T1213.002 | Sharepoint |
| T1213.003 | Code Repositories |
| T1213.004 | Customer Relationship Management Software |
| T1213.005 | Messaging Applications |
| T1213.006 | Databases |

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may contain more diverse categories of useful information, such as:

| ID | Name | Description |
|---|---|---|
| G1004 | LAPSUS$ | LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.[1] |

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories. |
| M1018 | User Account Management | Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| M1017 | User Training | Develop and publish policies that define acceptable information to be stored in Confluence repositories. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0358 | Programmatic and Excessive Access to Confluence Documentation | AN1019 | Detection of excessive or programmatic access to Confluence spaces or pages, particularly by privileged users, through a combination of access logs, API usage, and identity context. Correlates logon sessions, user roles, and abnormal document viewing or export behavior. Identifies burst access patterns and tools/scripts abusing the Confluence API for mass enumeration or data scraping. |
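
One way to implement the burst and scripted-API conditions of AN1019 over access logs, as an added example that is not part of the original page. The log line format, the thresholds, the user-agent markers and the privileged-user set are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed burst window
MAX_PAGES = 5                    # assumed limit on distinct pages per window
SCRIPT_AGENTS = ("python-requests", "curl", "go-http-client")  # assumed markers

def parse(line):
    """Assumed line format: ISO-timestamp user METHOD path user-agent."""
    ts, user, _method, path, agent = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, path, agent

def detect(lines, privileged=frozenset()):
    """Return {user: reasons} for burst or scripted access to pages."""
    recent = defaultdict(deque)  # user -> (ts, path) entries inside WINDOW
    alerts = {}
    for line in lines:
        ts, user, path, agent = parse(line)
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > WINDOW:      # drop entries older than the window
            q.popleft()
        reasons = set()
        if len({p for _, p in q}) > MAX_PAGES:
            reasons.add("burst")          # many distinct pages in a short time
        if path.startswith("/rest/api/") and agent.lower().startswith(SCRIPT_AGENTS):
            reasons.add("scripted-api")   # REST API driven by a non-browser client
        if reasons:
            if user in privileged:
                reasons.add("privileged") # identity context raises priority
            alerts.setdefault(user, set()).update(reasons)
    return alerts

# Constructed sample: a script enumerating content, a normal reader, a fast clicker.
SAMPLE = sorted(
    [f"2024-05-01T10:00:{i*2:02d} svc-admin GET /rest/api/content/{1000+i} python-requests/2.31" for i in range(8)]
    + [f"2024-05-01T10:0{i}:00 alice GET /pages/viewpage.action?pageId={i} Mozilla/5.0" for i in range(3)]
    + [f"2024-05-01T10:05:{i*4:02d} bob GET /pages/viewpage.action?pageId={50+i} Mozilla/5.0" for i in range(7)]
)

if __name__ == "__main__":
    for user, reasons in detect(SAMPLE, privileged={"svc-admin"}).items():
        print(user, sorted(reasons))
```

Tune the window and threshold against a baseline of normal reading behavior before alerting on them.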