ID | Name |
---|---|
T1213.001 | Confluence |
T1213.002 | Sharepoint |
T1213.003 | Code Repositories |
T1213.004 | Customer Relationship Management Software |
T1213.005 | Messaging Applications |
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:
In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.[4][5]
ID | Name | Description |
---|---|---|
G0117 | Fox Kitten | Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[6] |
G1004 | LAPSUS$ | LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[7] |
G1015 | Scattered Spider | Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.[8] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found. |
M1060 | Out-of-Band Communications Channel | Implement secure out-of-band communication channels to use as an alternative to in-network chat applications during a security incident. This ensures that critical communications remain secure even if primary messaging channels are compromised by adversaries.[9] |
M1017 | User Training | Develop and publish policies that define acceptable information to be posted in chat applications. |
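The M1047 Audit mitigation above is easiest to operationalise as a scheduled scan of exported chat content. The following is an added example, not code from MITRE or from any messaging vendor: it runs a small set of regular expressions over a constructed chat export (the message records, the channel names and the example AWS key ID are all made up for illustration, the key ID being Amazon's published example value) and reports masked findings grouped by channel, so the owners can clean up the worst channels first without the audit report itself re-exposing the secrets.

```python
import re
from typing import Dict, List

# Constructed chat export (not real data, not from any real workspace): one record per message.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"channel": "#dev-ops", "user": "alice", "text": "staging db: password=Sup3rS3cret! host db01"},
    {"channel": "#dev-ops", "user": "bob", "text": "pushed the fix, review when you have a minute"},
    {"channel": "#infra", "user": "carol", "text": "temp key AKIAIOSFODNN7EXAMPLE for the migration job"},
    {"channel": "#infra", "user": "dave",
     "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----"},
    {"channel": "#general", "user": "erin", "text": "lunch at noon? reports are on \\\\fileserver01\\finance"},
]

# Indicators of inappropriately shared data. Deliberately narrow to keep false
# positives low; extend per environment. The AWS pattern matches the documented
# 20-character access key ID shape; the UNC pattern catches internal share paths,
# which tell an intruder where to look next.
PATTERNS: Dict[str, re.Pattern] = {
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "internal_share_path": re.compile(r"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+"),
}


def mask(value: str, keep: int = 6) -> str:
    """Keep a short prefix so a reviewer can recognise the hit without re-exposing the secret."""
    return value[:keep] + "..." if len(value) > keep else value


def audit_messages(messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every message against every pattern; one finding per (message, pattern) hit."""
    findings: List[Dict[str, str]] = []
    for msg in messages:
        for name, pattern in PATTERNS.items():
            hit = pattern.search(msg["text"])
            if hit:
                findings.append({"channel": msg["channel"], "user": msg["user"],
                                 "finding": name, "evidence": mask(hit.group(0))})
    return findings


def findings_by_channel(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per channel to prioritise which channels to clean up first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["channel"]] = counts.get(f["channel"], 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_messages(SAMPLE_MESSAGES)
    for f in found:
        print(f)
    print(findings_by_channel(found))
```

In practice the export comes from the platform's own export or audit API and the pattern set grows with the credential types the organisation actually uses; the masking step is the part worth keeping as-is, since an audit report full of plaintext secrets is itself the exposure the mitigation is meant to reduce.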
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may leverage messaging applications to collect valuable information. Monitor access to messaging applications, especially access performed by privileged users such as Active Directory Domain or Enterprise Administrators, as these types of accounts should generally not be used to access messaging applications. In high-maturity environments, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. |
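The two detection ideas in the DS0015 row (privileged accounts touching chat applications at all, and UBA-style anomalies in how users behave in them) can be sketched as plain rules over application logs. The block below is an added example, not MITRE's or any vendor's code: it parses constructed `key=value` audit lines (real Teams, Slack or Google Chat audit exports use their own schemas, so `parse_line` is the part to adapt), alerts on any event from an assumed set of Domain/Enterprise Admin accounts, and flags users whose search volume exceeds a multiple of a constructed per-user baseline, which stands in for what a UBA platform would learn over time.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample application-log lines in a generic key=value shape.
# Not real log data; real chat-platform audit exports have their own schemas.
SAMPLE_LOG = """\
ts=2024-05-01T08:02:11Z app=teams user=alice action=channel.read channel=proj-alpha
ts=2024-05-01T08:05:40Z app=slack user=bob action=search query=vpn+setup
ts=2024-05-01T08:07:02Z app=teams user=da-admin action=channel.read channel=incident-response
ts=2024-05-01T08:07:09Z app=teams user=da-admin action=search query=password
ts=2024-05-01T08:12:33Z app=slack user=bob action=search query=deploy+runbook
ts=2024-05-01T08:14:01Z app=slack user=bob action=search query=credentials
ts=2024-05-01T08:14:20Z app=slack user=bob action=search query=incident
ts=2024-05-01T08:14:41Z app=slack user=bob action=search query=secret
ts=2024-05-01T08:14:59Z app=slack user=bob action=search query=token
ts=2024-05-01T09:01:05Z app=teams user=alice action=message.post channel=proj-alpha
"""

# Assumption: in a real deployment this set is fed from the Domain Admins and
# Enterprise Admins group membership in Active Directory.
PRIVILEGED_ACCOUNTS: Set[str] = {"da-admin", "ea-admin"}

# Constructed per-user baseline: typical searches per day, as a UBA platform would
# learn over time. Users absent from the baseline get DEFAULT_BASELINE.
SEARCH_BASELINE: Dict[str, float] = {"alice": 1.0, "bob": 1.5}
DEFAULT_BASELINE = 1.0

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; empty dict for blank or unparseable lines."""
    return dict(KV_RE.findall(line))


def detect(log_text: str,
           privileged: Set[str] = PRIVILEGED_ACCOUNTS,
           baseline: Dict[str, float] = SEARCH_BASELINE,
           ratio: float = 3.0) -> List[Dict[str, str]]:
    """Return alerts for privileged-account access and per-user search-volume anomalies."""
    alerts: List[Dict[str, str]] = []
    searches: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "user" not in ev:
            continue
        # Rule 1: Domain/Enterprise Admin accounts should not use chat applications at all,
        # so any event from one of them is an alert, whatever the action.
        if ev["user"] in privileged:
            alerts.append({"rule": "privileged_account_messaging_access", "user": ev["user"],
                           "app": ev.get("app", "?"), "action": ev.get("action", "?"),
                           "ts": ev.get("ts", "?")})
        if ev.get("action") == "search":
            searches[ev["user"]] += 1
    # Rule 2: simplified UBA; flag users whose search count exceeds ratio x their baseline.
    for user, count in searches.items():
        expected = baseline.get(user, DEFAULT_BASELINE)
        if count > ratio * expected:
            alerts.append({"rule": "search_volume_anomaly", "user": user,
                           "observed": str(count), "baseline": str(expected)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 1 is the cheap, high-confidence one and needs nothing but a current list of privileged accounts; rule 2 is where a real UBA platform earns its keep, because a hand-maintained baseline dict does not survive contact with shift changes, on-call rotations and new hires.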