Skip to content

T1213 Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

Item Value
ID T1213
Sub-techniques T1213.001, T1213.002, T1213.003
Tactics TA0009
Platforms Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Version 3.2
Created 18 April 2018
Last Modified 11 April 2022

Procedure Examples

ID Name Description
G0007 APT28 APT28 has collected files from various information repositories.8
G0037 FIN6 FIN6 has collected schemas and user accounts from systems running SQL Server.7
G0117 Fox Kitten Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.9
G1004 LAPSUS$ LAPSUS$ has searched a victim’s network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.5
S0598 P.A.S. Webshell P.A.S. Webshell has the ability to list and extract data from SQL databases.4
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.10
G0010 Turla Turla has used a custom .NET tool to collect documents from an organization’s internal central database.6

Mitigations

ID Mitigation Description
M1047 Audit Consider periodic review of accounts and privileges for critical and sensitive repositories.
M1018 User Account Management Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
M1017 User Training Develop and publish policies that define acceptable information to be stored in repositories.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0028 Logon Session Logon Session Creation

References

  1. Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018. 

  2. Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018. 

  3. Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021. 

  4. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  5. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. 

  6. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  7. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. 

  8. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  9. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  10. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.