1. Home
  2. ATT&CK Techniques
  3. T1213 Data from Information Repositories

T1213 Data from Information Repositories Mappings

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2022-24086 Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability secondary_impact T1213 Data from Information Repositories
Comments
This vulnerability can be exploited via a public-facing e-commerce application in order to achieve remote code execution. To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated.
References
  1. https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell#:~:text=In%20early%202022%2C%20the%20CVE
  2. PHP%20code%20on%20susceptible%20targets.
  3. https://sansec.io/research/magento-2-cve-2022-24086
CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability primary_impact T1213 Data from Information Repositories
Comments
This vulnerability is exploited through an unauthenticated API access flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default internet-facing API configuration, allowing them to access restricted functionalities without authentication. Reports state attackers who exploited this vulnerability gained access personally identifiable information (PII) and added an administrator account on the affected EPMM server, to allow for further system compromise.
References
  1. https://www.rapid7.com/blog/post/2023/07/26/etr-cve-2023-35078-critical-api-access-vulnerability-ivanti-in-endpoint-manager-mobile/
  2. https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
  3. https://unit42.paloaltonetworks.com/threat-brief-cve-2023-35078/