1. Home
  2. ATT&CK Techniques
  3. T1213 Data from Information Repositories

T1213 Data from Information Repositories Mappings

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials (i.e., Unsecured Credentials)
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
  • Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:

  • Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
  • Collaboration platforms such as SharePoint, Confluence, and code repositories
  • Messaging platforms such as Slack and Microsoft Teams

In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.XML external entities XML external entities. Child of 'Exploit vuln'. related-to T1213 Data from Information Repository
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213 Data from Information Repository
attribute.confidentiality.data_disclosure None related-to T1213 Data from Information Repository

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
cloud_identity Cloud Identity technique_scores T1213 Data from Information Repositories
Comments
MFA and enforcing the principal of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.
References
  1. ['https://cloud.google.com/identity']

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1213.002 Sharepoint 2
T1213.001 Confluence 2
T1213.004 Customer Relationship Management Software 2
T1213.003 Code Repositories 3
T1213.005 Messaging Applications 2