Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1213 | Data from Information Repositories | |
| AC-17 | Remote Access | Protects | T1213 | Data from Information Repositories | |
| AC-02 | Account Management | Protects | T1213 | Data from Information Repositories | |
| AC-21 | Information Sharing | Protects | T1213 | Data from Information Repositories | |
| AC-23 | Data Mining Protection | Protects | T1213 | Data from Information Repositories | |
| AC-03 | Access Enforcement | Protects | T1213 | Data from Information Repositories | |
| AC-04 | Information Flow Enforcement | Protects | T1213 | Data from Information Repositories | |
| AC-05 | Separation of Duties | Protects | T1213 | Data from Information Repositories | |
| AC-06 | Least Privilege | Protects | T1213 | Data from Information Repositories | |
| CA-07 | Continuous Monitoring | Protects | T1213 | Data from Information Repositories | |
| CA-08 | Penetration Testing | Protects | T1213 | Data from Information Repositories | |
| CM-02 | Baseline Configuration | Protects | T1213 | Data from Information Repositories | |
| CM-03 | Configuration Change Control | Protects | T1213 | Data from Information Repositories | |
| CM-05 | Access Restrictions for Change | Protects | T1213 | Data from Information Repositories | |
| CM-06 | Configuration Settings | Protects | T1213 | Data from Information Repositories | |
| CM-07 | Least Functionality | Protects | T1213 | Data from Information Repositories | |
| CM-08 | System Component Inventory | Protects | T1213 | Data from Information Repositories | |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1213 | Data from Information Repositories | |
| IA-04 | Identifier Management | Protects | T1213 | Data from Information Repositories | |
| IA-08 | Identification and Authentication (non-organizational Users) | Protects | T1213 | Data from Information Repositories | |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1213 | Data from Information Repositories | |
| SC-28 | Protection of Information at Rest | Protects | T1213 | Data from Information Repositories | |
| SI-04 | System Monitoring | Protects | T1213 | Data from Information Repositories | |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1213 | Data from Information Repositories | |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1213 | Data from Information Repositories |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Data from Information Repository attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.
License Requirements:
Microsoft 365 E3 and E5
References
|
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1213 | Data from Information Repositories |
Comments
The RBAC control can generally be used to protect against and limit adversary access to valuable information repositories. Although it does not have full coverage of this technique's sub-techniques, it also helps protect against Procedure examples, resulting in an overall score of Partial.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1213 | Data from Information Repositories |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1213 | Data from Information Repositories |
Comments
In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.
Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
The following M365 features are supported by quarantine policies, “Response” to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
License requirements: M365 E3 (or Defender for Office plan 1)
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1213 | Data from Information Repositories |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Data from Information Repository attacks due to Incident Response being able to monitor for newly constructed logon behavior within Microsoft SharePoint.
License Requirements:
Microsoft Defender XDR
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1213 | Data from Information Repositories |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1213.002 | Sharepoint | 31 |
| T1213.001 | Confluence | 24 |
| T1213.003 | Code Repositories | 14 |