1. Home
  2. ATT&CK Techniques
  3. T1213 Data from Information Repositories

T1213 Data from Information Repositories Mappings

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include Sharepoint, Confluence, and enterprise databases such as SQL Server.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1213 Data from Information Repositories
AC-3 Access Enforcement Protects T1213 Data from Information Repositories
AC-5 Separation of Duties Protects T1213 Data from Information Repositories
AC-6 Least Privilege Protects T1213 Data from Information Repositories
CA-8 Penetration Testing Protects T1213 Data from Information Repositories
CM-5 Access Restrictions for Change Protects T1213 Data from Information Repositories
CM-6 Configuration Settings Protects T1213 Data from Information Repositories
CM-7 Least Functionality Protects T1213 Data from Information Repositories
IA-2 Identification and Authentication (organizational Users) Protects T1213 Data from Information Repositories
IA-4 Identifier Management Protects T1213 Data from Information Repositories
IA-8 Identification and Authentication (non-organizational Users) Protects T1213 Data from Information Repositories
RA-5 Vulnerability Monitoring and Scanning Protects T1213 Data from Information Repositories
SI-4 System Monitoring Protects T1213 Data from Information Repositories
azure_sentinel Azure Sentinel technique_scores T1213 Data from Information Repositories
Comments
This control provides partial detection coverage for only this technique's SharePoint sub-technique. The Azure Sentinel Hunting "Cross workspace query anomaly" query can identify potential adversary information collection (in this case from Azure ML workspaces), but does not map directly to any sub-techniques.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB technique_scores T1213 Data from Information Repositories
Comments
This control triggers an alert when an unusually large amount of data is extracted from/by an account compared to recent activity. False positives are fairly likely and extraction in quantities below the control's threshold is not detected, so score is Minimal. Neither of the sub-techniques are relevant in this context, since they are repository-specific. Relevant alert is "Unusual amount of data extracted from a Cosmos DB account"
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections
  3. https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database technique_scores T1213 Data from Information Repositories
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
  1. https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse
conditional_access Conditional Access technique_scores T1213 Data from Information Repositories
Comments
This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
cloud_app_security_policies Cloud App Security Policies technique_scores T1213 Data from Information Repositories
Comments
This control can provide fine-grained access control to information sharing repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
cloud_app_security_policies Cloud App Security Policies technique_scores T1213 Data from Information Repositories
Comments
This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1213.001 Confluence 15
T1213.002 Sharepoint 17