T1213 Data from Information Repositories
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.
|T1213.001, T1213.002, T1213.003
|Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
|18 April 2018
|11 April 2022
|APT28 has collected files from various information repositories.
|FIN6 has collected schemas and user accounts from systems running SQL Server.
|Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.
|LAPSUS$ has searched a victim’s network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.
|P.A.S. Webshell has the ability to list and extract data from SQL databases.
|During the SolarWinds Compromise, APT29 accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.
|Turla has used a custom .NET tool to collect documents from an organization’s internal central database.
|Consider periodic review of accounts and privileges for critical and sensitive repositories.
|User Account Management
|Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
|Develop and publish policies that define acceptable information to be stored in repositories.