T1213: Data from Information Repositories
| View on MITRE ATT&CK | T1213 |
|---|---|
| Tactic(s) | Collection |
| Associated CAPEC Patterns | Collect Data from Common Resource Locations (CAPEC-150) |
Data from MITRE ATT&CK®:
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as SharePoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
How to detect this technique
MITRE ATT&CK Data Components
Logon Session Creation (Logon Session)
Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp)
Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (e.g. metrics, errors, and/or alerts from mail/web applications)
Sigma Detections for this Technique
OpenCanary - REDIS Action Command Attempt
Bitbucket User Permissions Export Attempt
OpenCanary - GIT Clone Request
OpenCanary - MySQL Login Attempt
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Bitbucket User Details Export Attempt Detected
OpenCanary - MSSQL Login Attempt Via SQLAuth
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.