T1213 Data from Information Repositories
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials (i.e., Unsecured Credentials)
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
- Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
- Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
- Collaboration platforms such as SharePoint, Confluence, and code repositories
- Messaging platforms such as Slack and Microsoft Teams
In some cases, information repositories have been improperly secured, typically by unintentionally granting overly broad access to all authenticated users, or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.[1][3][6]
| Item | Value |
|---|---|
| ID | T1213 |
| Sub-techniques | T1213.001, T1213.002, T1213.003, T1213.004, T1213.005, T1213.006 |
| Tactics | TA0009 |
| Platforms | IaaS, Linux, Office Suite, SaaS, Windows, macOS |
| Version | 3.4 |
| Created | 18 April 2018 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | APT28 has collected files from various information repositories.[12] |
| S1148 | Raccoon Stealer | Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service.[9] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[13] |
| S1196 | Troll Stealer | Troll Stealer gathers information from the Government Public Key Infrastructure (GPKI) folder, associated with South Korean government public key infrastructure, on infected systems.[10][11] |
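The APT29 wiki access above is the pattern a defender can look for: one account reading far more distinct pages, across far more spaces, than any legitimate user does in an hour. The following detection is an added example written for this page; it is not code from MITRE, Atlassian, or Microsoft. It runs over a constructed access log in the hypothetical format `<ISO timestamp> <user> <action> <space>/<page_id>` (real SharePoint or Confluence audit logs carry the same fields under other names), and the thresholds are assumptions to be replaced by a baseline of the environment's normal usage.

```python
"""Flag bulk reads from a collaboration platform (Confluence, SharePoint, a wiki).

Added example, not from the ATT&CK page. Log format, sample events and
thresholds are all constructed for the example."""
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
MAX_DISTINCT_PAGES = 25     # assumed threshold: derive from a baseline of normal use
MAX_DISTINCT_SPACES = 3     # assumed threshold: most users work in a handful of spaces
READ_ACTIONS = {"view", "download", "export"}   # edits are not collection


def _sweep(user, start, spaces, per_space, step=timedelta(seconds=2)):
    """Constructed log lines for an account reading `per_space` pages in each space."""
    t = start
    for n, space in enumerate(spaces):
        for i in range(per_space):
            yield f"{t:%Y-%m-%dT%H:%M:%SZ} {user} view {space}/{(n + 1) * 1000 + i}"
            t += step


# Constructed sample: a writer touching a few pages in her own space during the
# day, and a service account sweeping four spaces in under two minutes at 02:14.
SAMPLE_LOG = "\n".join([
    "2024-03-04T09:02:11Z alice view ENG/1001",
    "2024-03-04T09:05:40Z alice edit ENG/1001",
    "2024-03-04T09:31:07Z alice view ENG/1007",
    "2024-03-04T10:12:55Z alice view ENG/1042",
    "2024-03-04T10:13:10Z alice download ENG/1042",
    *_sweep("svc-backup", datetime(2024, 3, 4, 2, 14, 3), ["ENG", "HR", "LEGAL", "MNA"], 12),
])


def parse_line(line: str):
    ts, user, action, target = line.split()
    space, page = target.split("/", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, space, page


def detect_bulk_access(log_text: str) -> list[dict]:
    """One alert per user whose distinct reads inside any WINDOW exceed a threshold."""
    per_user: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, space, page = parse_line(line)
        if action in READ_ACTIONS:
            per_user[user].append((ts, space, page))

    alerts = []
    for user, events in per_user.items():
        events.sort()
        pages, spaces = Counter(), Counter()    # multisets of what lies inside the window
        left = 0
        peak = (0, 0, None)                     # (distinct pages, distinct spaces, window end)
        for ts, space, page in events:
            pages[(space, page)] += 1
            spaces[space] += 1
            while ts - events[left][0] > WINDOW:    # evict events older than the window
                _, s, p = events[left]
                pages[(s, p)] -= 1
                spaces[s] -= 1
                if pages[(s, p)] == 0:
                    del pages[(s, p)]
                if spaces[s] == 0:
                    del spaces[s]
                left += 1
            if len(pages) > peak[0]:
                peak = (len(pages), len(spaces), ts)
        distinct_pages, distinct_spaces, when = peak
        if distinct_pages > MAX_DISTINCT_PAGES or distinct_spaces > MAX_DISTINCT_SPACES:
            alerts.append({"user": user, "window_end": when,
                           "distinct_pages": distinct_pages, "distinct_spaces": distinct_spaces})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['distinct_pages']} distinct pages across "
              f"{a['distinct_spaces']} spaces in one hour, ending {a['window_end']:%H:%M:%SZ}")
```

Distinct pages rather than raw requests is the right unit: a page refreshed forty times is noise, forty different pages is collection. Service accounts and newly joined users deserve their own, lower thresholds, since they have no personal baseline to compare against.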
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Consider periodic review of accounts and privileges for critical and sensitive repositories. Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.[8] |
| M1041 | Encrypt Sensitive Information | Encrypt data stored at rest in databases. |
| M1032 | Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
| M1060 | Out-of-Band Communications Channel | Create plans for leveraging a secure out-of-band communications channel, rather than existing in-network chat applications, in case of a security incident.[7] |
| M1054 | Software Configuration | Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed. |
| M1018 | User Account Management | Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| M1017 | User Training | Develop and publish policies that define acceptable information to be stored in repositories. |
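The Audit mitigation, and the exposed-RDS/Redis/ElasticSearch pattern described in the technique text, come down to one question: is a database endpoint public, and does its security group let the whole internet reach the port? The check below is an added example written for this page, not code from MITRE or AWS. It evaluates dicts shaped like the responses of boto3's `rds.describe_db_instances()` and `ec2.describe_security_groups()` (the real calls; the inventory embedded here is constructed so the audit runs offline), and the severity labels are this example's own convention.

```python
"""Audit cloud-hosted databases for unintended public exposure.

Added example for the Audit mitigation; not code from the ATT&CK page or AWS.
Input is shaped like boto3 rds.describe_db_instances() / ec2.describe_security_groups();
the inventory below is constructed for the example."""
from __future__ import annotations
import ipaddress


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if a security-group IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":                       # "-1" means every protocol and port
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_sources(perm: dict) -> set[str]:
    """Source CIDRs in the rule that cover the whole internet (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return {c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0}


def audit_rds(db_instances: dict, security_groups: dict) -> list[dict]:
    """Return one finding per instance that is reachable more widely than it should be."""
    sgs = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    findings = []
    for db in db_instances["DBInstances"]:
        port = db["Endpoint"]["Port"]
        open_from: set[str] = set()
        for ref in db.get("VpcSecurityGroups", []):
            for perm in sgs.get(ref["VpcSecurityGroupId"], {}).get("IpPermissions", []):
                if rule_covers_port(perm, port):
                    open_from |= world_sources(perm)
        public = bool(db.get("PubliclyAccessible"))
        if public and open_from:
            severity = "HIGH"     # public endpoint and the SG lets any source reach the port
        elif public:
            severity = "MEDIUM"   # public endpoint; only the SG stands between it and the internet
        elif open_from:
            severity = "LOW"      # private endpoint, but any host that reaches the VPC can connect
        else:
            continue
        findings.append({"db": db["DBInstanceIdentifier"], "port": port,
                         "severity": severity, "open_from": sorted(open_from)})
    return findings


# Constructed inventory: a CRM database left public for a contractor, a correctly
# scoped analytics database, and a private legacy instance with an allow-all rule.
SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "crm-prod", "Engine": "postgres", "PubliclyAccessible": True,
     "Endpoint": {"Address": "crm-prod.example.invalid", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1", "Status": "active"}]},
    {"DBInstanceIdentifier": "analytics", "Engine": "mysql", "PubliclyAccessible": False,
     "Endpoint": {"Address": "analytics.example.invalid", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0b2", "Status": "active"}]},
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql", "PubliclyAccessible": False,
     "Endpoint": {"Address": "legacy-reporting.example.invalid", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0c3", "Status": "active"}]},
]}
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary, for the contractor"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.20.0.0/16", "Description": "app subnet"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


if __name__ == "__main__":
    for f in audit_rds(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(f"{f['severity']:6} {f['db']} port {f['port']} open from {f['open_from'] or 'nowhere public'}")
```

The check deliberately reports `PubliclyAccessible` instances even when their security group is currently tight, because a public hostname resolving to a public IP means a single careless rule change later turns them into the RDS snapshot and open Redis cases the technique text cites. It does not look at network ACLs, RDS Proxy endpoints, or rules whose source is another security group (`UserIdGroupPairs`), so a clean result here is necessary but not sufficient; a snapshot shared publicly is a separate review item that this instance-level check cannot see.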
References
- Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots. Retrieved September 24, 2024.
- Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.
- David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved September 25, 2024.
- Vilius Petkauskas. (2022, November 3). Thomson Reuters collected and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
- Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.
- AWS. (n.d.). Working with a DB instance in a VPC. Retrieved September 24, 2024.
- Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
- Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
- Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.