Home
ATT&CK Techniques
T1213 Data from Information Repositories

T1213 Data from Information Repositories Mappings

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

Policies, procedures, and standards
Physical / logical network diagrams
System architecture diagrams
Technical system documentation
Testing / development credentials (i.e., Unsecured Credentials)
Work / project schedules
Source code snippets
Links to network shares and other internal resources
Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:

Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
Collaboration platforms such as SharePoint, Confluence, and code repositories
Messaging platforms such as Slack and Microsoft Teams

In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1213	Data from Information Repositories
CM-06	Configuration Settings	mitigates	T1213	Data from Information Repositories
CM-05	Access Restrictions for Change	mitigates	T1213	Data from Information Repositories
AC-17	Remote Access	mitigates	T1213	Data from Information Repositories
IA-08	Identification and Authentication (Non-Organizational Users)	mitigates	T1213	Data from Information Repositories
AC-21	Information Sharing	mitigates	T1213	Data from Information Repositories
SC-37	Out-of-band Channels	mitigates	T1213	Data from Information Repositories
AC-23	Data Mining Protection	mitigates	T1213	Data from Information Repositories
IA-04	Identifier Management	mitigates	T1213	Data from Information Repositories
SC-28	Protection of Information at Rest	mitigates	T1213	Data from Information Repositories
RA-05	Vulnerability Monitoring and Scanning	mitigates	T1213	Data from Information Repositories
CM-08	System Component Inventory	mitigates	T1213	Data from Information Repositories
SI-07	Software, Firmware, and Information Integrity	mitigates	T1213	Data from Information Repositories
AC-16	Security and Privacy Attributes	mitigates	T1213	Data from Information Repositories
CM-02	Baseline Configuration	mitigates	T1213	Data from Information Repositories
CM-02	Baseline Configuration	mitigates	T1213	Data from Information Repositories
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1213	Data from Information Repositories
CM-07	Least Functionality	mitigates	T1213	Data from Information Repositories
SI-04	System Monitoring	mitigates	T1213	Data from Information Repositories
AC-02	Account Management	mitigates	T1213	Data from Information Repositories
AC-03	Access Enforcement	mitigates	T1213	Data from Information Repositories
AC-04	Information Flow Enforcement	mitigates	T1213	Data from Information Repositories
AC-05	Separation of Duties	mitigates	T1213	Data from Information Repositories
AC-06	Least Privilege	mitigates	T1213	Data from Information Repositories
CM-03	Configuration Change Control	mitigates	T1213	Data from Information Repositories

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.malware.variety.Capture stored data	Capture data stored on system disk	related-to	T1213	Data from Information Repositories
attribute.confidentiality.data_disclosure	None	related-to	T1213	Data from Information Repositories

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
cloud_identity	Cloud Identity	technique_scores	T1213	Data from Information Repositories	Comments MFA and enforcing the principal of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository. References ['https://cloud.google.com/identity']

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1213.002	Sharepoint	26
T1213.001	Confluence	26
T1213.004	Customer Relationship Management Software	20
T1213.003	Code Repositories	17
T1213.005	Messaging Applications	27