Skip to content

T1213.001 Confluence

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources
Item Value
ID T1213.001
Sub-techniques T1213.001, T1213.002, T1213.003
Tactics TA0009
Platforms SaaS
Permissions required User
Version 1.0
Created 14 February 2020
Last Modified 08 June 2021

Procedure Examples

ID Name Description
G1004 LAPSUS$ LAPSUS$ has searched a victim’s network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.2

Mitigations

ID Mitigation Description
M1047 Audit Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.
M1018 User Account Management Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
M1017 User Training Develop and publish policies that define acceptable information to be stored in Confluence repositories.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0028 Logon Session Logon Session Creation

References

  1. Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018. 

  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.