T1602 Data from Configuration Repository

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Configuration repositories may expose their data through various protocols and software, and they can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.AE-02.01 | Event analysis and detection | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts.
PR.PS-01.01 | Configuration baselines | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 | Least functionality | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
PR.DS-10.01 | Data-in-use protection | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement describes mitigations related to protecting data-in-use, including encryption, access control methods, and authentication. Using encryption for data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats.
PR.PS-02.01 | Patch identification and application | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated can help prevent adversaries from collecting data related to managed devices from configuration repositories.
PR.PS-01.06 | Encryption management practices | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, mitigating unauthorized access to or theft of data. To address threats of data collection from configuration repositories, configure SNMPv3 to use the highest level of security (authPriv) available.
PR.PS-01.03 | Configuration deviation | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement provides protection from Data from Configuration Repository through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baseline configurations that include data retention policies to periodically archive and/or delete data, together with integrity checking, can help protect against adversaries attempting to leverage configuration repositories.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement protects against Data from Configuration Repository through key revocation and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, restricting keys to specific accounts, and applying access control mechanisms provides protection against collection of data from configuration repositories.
PR.IR-01.01 | Network segmentation | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic and provide protection against adversaries attempting to obtain data from configuration repositories.
PR.IR-04.01 | Utilization monitoring | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include Data Loss Prevention (DLP), Filtering Network Traffic, Limit Network Traffic, Network Intrusion Prevention Systems (NIPS), and Network Segmentation.
PR.IR-01.02 | Network device configurations | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories.
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement protects against Data from Configuration Repository through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation.
PR.IR-01.06 | Production environment segregation | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
PR.PS-01.05 | Encryption standards | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, mitigating unauthorized access to or theft of data. To address threats of data collection from configuration repositories, configure SNMPv3 to use the highest level of security (authPriv) available.
PR.PS-01.08 | End-user device protection | Mitigates | T1602 | Data from Configuration Repository
  Comments: This diagnostic statement protects against Data from Configuration Repository by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1602 | Data from Configuration Repository
CM-06 | Configuration Settings | mitigates | T1602 | Data from Configuration Repository
AC-17 | Remote Access | mitigates | T1602 | Data from Configuration Repository
AC-19 | Access Control for Mobile Devices | mitigates | T1602 | Data from Configuration Repository
IA-04 | Identifier Management | mitigates | T1602 | Data from Configuration Repository
SC-28 | Protection of Information at Rest | mitigates | T1602 | Data from Configuration Repository
SC-04 | Information in Shared System Resources | mitigates | T1602 | Data from Configuration Repository
SI-12 | Information Management and Retention | mitigates | T1602 | Data from Configuration Repository
SC-03 | Security Function Isolation | mitigates | T1602 | Data from Configuration Repository
IA-03 | Device Identification and Authentication | mitigates | T1602 | Data from Configuration Repository
CM-08 | System Component Inventory | mitigates | T1602 | Data from Configuration Repository
SC-08 | Transmission Confidentiality and Integrity | mitigates | T1602 | Data from Configuration Repository
SI-10 | Information Input Validation | mitigates | T1602 | Data from Configuration Repository
SI-15 | Information Output Filtering | mitigates | T1602 | Data from Configuration Repository
SI-03 | Malicious Code Protection | mitigates | T1602 | Data from Configuration Repository
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1602 | Data from Configuration Repository
AC-16 | Security and Privacy Attributes | mitigates | T1602 | Data from Configuration Repository
AC-18 | Wireless Access | mitigates | T1602 | Data from Configuration Repository
AC-20 | Use of External Systems | mitigates | T1602 | Data from Configuration Repository
CM-02 | Baseline Configuration | mitigates | T1602 | Data from Configuration Repository
CM-07 | Least Functionality | mitigates | T1602 | Data from Configuration Repository
SI-04 | System Monitoring | mitigates | T1602 | Data from Configuration Repository
AC-03 | Access Enforcement | mitigates | T1602 | Data from Configuration Repository
AC-04 | Information Flow Enforcement | mitigates | T1602 | Data from Configuration Repository
SC-07 | Boundary Protection | mitigates | T1602 | Data from Configuration Repository

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1602 | Data from Configuration Repository
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1602 | Data from Configuration Repository
attribute.confidentiality.data_disclosure | None | related-to | T1602 | Data from Configuration Repository

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1602 | Data from Configuration Repository
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1602 | Data from Configuration Repository
  Comments: This control can identify anomalous traffic with respect to configuration repositories or identified configuration management ports.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
vpc_service_controls | VPC Service Controls | technique_scores | T1602 | Data from Configuration Repository
  Comments: VPC security perimeters can isolate resources and limit the impact from lateral movement techniques used to access sensitive data.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1602 | Data from Configuration Repository
  Comments: VPC security groups and network access control lists (NACLs) can limit attackers' access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1602.002 | Network Device Configuration Dump | 44
T1602.001 | SNMP (MIB Dump) | 44