Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Data from Information Repositories through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides protection from Data from Information Repositories through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to access sensitive data in information repositories.
References
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
References
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1213 | Data from Information Repositories |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data from information repositories, encrypt data stored at rest in databases.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides protection from Data from Information Repositories through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of revocation of keys and key management. Employing key protection strategies such as removing keys from information repositories, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from code repositories.
References
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1213 | Data from Information Repositories |
Comments
The diagnostic statement outlines several mechanisms that organizations can use to protect endpoint systems with virtualization technologies, focusing primarily on hypervisor hardening. By implementing hypervisor hardening measures—such as requiring multi-factor authentication to restrict access to resources and information stored in the cloud from various virtual machines, organizations may help prevent data leakage caused by adversaries exploiting VM instances.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Data from Information Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data from information repositories, encrypt data stored at rest in databases.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1213 | Data from Information Repositories | |
| attribute.confidentiality.data_disclosure | None | related-to | T1213 | Data from Information Repositories |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1213 | Data from Information Repositories |
Comments
This control provides partial detection coverage for only this technique's SharePoint sub-technique.
The Microsoft Sentinel Hunting "Cross workspace query anomaly" query can identify potential adversary information collection (in this case from Azure ML workspaces), but does not map directly to any sub-techniques.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | technique_scores | T1213 | Data from Information Repositories |
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
|
| alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | technique_scores | T1213 | Data from Information Repositories |
Comments
This control triggers an alert when an unusually large amount of data is extracted from/by an account compared to recent activity. False positives are fairly likely and extraction in quantities below the control's threshold is not detected, so score is Minimal. Neither of the sub-techniques are relevant in this context, since they are repository-specific. Relevant alert is "Unusual amount of data extracted from a Cosmos DB account"
References
|
| defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | technique_scores | T1213 | Data from Information Repositories |
Comments
This control can detect suspicious login activity.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_identity | Cloud Identity | technique_scores | T1213 | Data from Information Repositories |
Comments
MFA and enforcing the principal of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| EID-CA-E3 | Conditional Access | Technique Scores | T1213 | Data from Information Repositories |
Comments
This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal.
References
|
| EID-CA-E3 | Conditional Access | Technique Scores | T1213 | Data from Information Repositories |
Comments
This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal.
References
|
| PUR-AUS-E5 | Audit Solutions | Technique Scores | T1213 | Data from Information Repositories |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Data from Information Repository attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.
License Requirements:
Microsoft 365 E3 and E5
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1213 | Data from Information Repositories |
Comments
This control can provide fine-grained access control to information sharing repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1213 | Data from Information Repositories |
Comments
This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.
References
|
| DEF-SSCO-E3 | Secure Score | Technique Scores | T1213 | Data from Information Repositories |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-QUAR-E3 | Quarantine Policies | Technique Scores | T1213 | Data from Information Repositories |
Comments
In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.
Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
The following M365 features are supported by quarantine policies, “Response” to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
License requirements: M365 E3 (or Defender for Office plan 1)
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1213 | Data from Information Repositories |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Data from Information Repository attacks due to Incident Response being able to monitor for newly constructed logon behavior within Microsoft SharePoint.
License Requirements:
Microsoft Defender XDR
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1213 | Data from Information Repositories |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|
| EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1213 | Data from Information Repositories |
Comments
The RBAC control can generally be used to protect against and limit adversary access to valuable information repositories. Although it does not have full coverage of this technique's sub-techniques, it also helps protect against Procedure examples, resulting in an overall score of Partial.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1213.002 | Sharepoint | 41 |
| T1213.001 | Confluence | 31 |
| T1213.004 | Customer Relationship Management Software | 29 |
| T1213.003 | Code Repositories | 24 |
| T1213.005 | Messaging Applications | 30 |