Skip to content

DET0413 Abuse of Information Repositories for Data Collection

Item Value
ID DET0413
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1213 (Data from Information Repositories)

Analytics

Windows

AN1160

Programmatic or excessive access to file shares, SharePoint, or database repositories by users not typically interacting with them. This includes abnormal access by privileged accounts, enumeration of large numbers of files, or downloads of sensitive content in bursts.

Log Sources
Data Component Name Channel
Network Share Access (DC0102) WinEventLog:Security EventCode=5145
Cloud Storage Access (DC0025) m365:unified Accessed SharePoint files or pages
Mutable Elements
Field Description
UserContext Privileged users may be excluded if they routinely perform admin actions on SharePoint or file shares.
AccessVolumeThreshold The number of files accessed or pages retrieved in a short window to flag as abnormal.
TimeWindow The time range (e.g., 5 minutes, 1 hour) in which burst access patterns are considered anomalous.

Linux

AN1161

Command-line tools (e.g., curl, rsync, wget, or custom Python scripts) used to scrape documentation systems or internal REST APIs. Unusual access patterns to knowledge base folders or shared team drives.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL execve of curl, rsync, wget with internal knowledge base or IPs
Network Connection Creation (DC0082) linux:Sysmon EventCode=3, 22
Mutable Elements
Field Description
CommandRegex Regex matching internal doc servers, knowledge base paths, or IP patterns.
TimeWindow Burst access of repositories over a short time window.

SaaS

AN1162

Abuse of SaaS platforms such as Confluence, GitHub, SharePoint Online, or Slack to access excessive internal documentation or export source code/data. Includes use of tokens or browser automation from unapproved IPs.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) saas:confluence access.content
Cloud Service Modification (DC0069) saas:slack Exported file or accessed admin API
Mutable Elements
Field Description
APIUsageThreshold Number of API calls or files accessed before triggering detection.
KnownSafeIPs Whitelist of internal IPs/users that may be excluded from detection.

macOS

AN1163

Access of mounted cloud shares or document repositories via browser, terminal, or Finder by users not typically interacting with those resources. Includes script-based enumeration or mass download.

Log Sources
Data Component Name Channel
File Access (DC0055) macos:unifiedlog access to /Volumes/SharePoint or network mount
Process Creation (DC0032) macos:osquery curl, python scripts, rsync with internal share URLs
Mutable Elements
Field Description
AccessedMountPath Paths to sensitive volumes may differ based on org setup.
UserGroup Expected user groups that typically access shared data.