1. Home
  2. ATT&CK Techniques
  3. T1602 Data from Configuration Repository

T1602 Data from Configuration Repository

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1602 Data from Configuration Repository
CM-06 Configuration Settings mitigates T1602 Data from Configuration Repository
AC-17 Remote Access mitigates T1602 Data from Configuration Repository
AC-19 Access Control for Mobile Devices mitigates T1602 Data from Configuration Repository
IA-04 Identifier Management mitigates T1602 Data from Configuration Repository
SC-28 Protection of Information at Rest mitigates T1602 Data from Configuration Repository
SC-04 Information in Shared System Resources mitigates T1602 Data from Configuration Repository
SI-12 Information Management and Retention mitigates T1602 Data from Configuration Repository
SC-03 Security Function Isolation mitigates T1602 Data from Configuration Repository
IA-03 Device Identification and Authentication mitigates T1602 Data from Configuration Repository
CM-08 System Component Inventory mitigates T1602 Data from Configuration Repository
SC-08 Transmission Confidentiality and Integrity mitigates T1602 Data from Configuration Repository
SI-10 Information Input Validation mitigates T1602 Data from Configuration Repository
SI-15 Information Output Filtering mitigates T1602 Data from Configuration Repository
SI-03 Malicious Code Protection mitigates T1602 Data from Configuration Repository
SI-07 Software, Firmware, and Information Integrity mitigates T1602 Data from Configuration Repository
AC-16 Security and Privacy Attributes mitigates T1602 Data from Configuration Repository
AC-18 Wireless Access mitigates T1602 Data from Configuration Repository
AC-20 Use of External Systems mitigates T1602 Data from Configuration Repository
CM-02 Baseline Configuration mitigates T1602 Data from Configuration Repository
CM-07 Least Functionality mitigates T1602 Data from Configuration Repository
SI-04 System Monitoring mitigates T1602 Data from Configuration Repository
AC-03 Access Enforcement mitigates T1602 Data from Configuration Repository
AC-04 Information Flow Enforcement mitigates T1602 Data from Configuration Repository
SC-07 Boundary Protection mitigates T1602 Data from Configuration Repository

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Scan network Enumerating the state of the network related-to T1602 Data from Configuration Repository
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1602 Data from Configuration Repository
attribute.confidentiality.data_disclosure None related-to T1602 Data from Configuration Repository

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_network_security_groups Azure Network Security Groups technique_scores T1602 Data from Configuration Repository
Comments
This control can limit attackers access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1602 Data from Configuration Repository
Comments
This control can identify anomalous traffic with respect to configuration repositories or identified configuration management ports.
References
  1. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
vpc_service_controls VPC Service Controls technique_scores T1602 Data from Configuration Repository
Comments
VPC security perimeters can isolate resources and limit the impact from lateral movement techniques used to access sensitive data.
References
  1. ['https://cloud.google.com/vpc-service-controls/docs']

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1602 Data from Configuration Repository
Comments
VPC security groups and network access control lists (NACLs) can limit attackers' access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.
References
  1. https://docs.aws.amazon.com/vpc/latest/userguide/security.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1602.002 Network Device Configuration Dump 30
T1602.001 SNMP (MIB Dump) 31