- Tactics
- Collection
- Platforms
- Linux, Windows, macOS, SaaS, IaaS, Office Suite
- Reference
- attack.mitre.org/techniques/T1213
Description
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials (i.e., Unsecured Credentials)
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
- Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
- Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
- Collaboration platforms such as SharePoint, Confluence, and code repositories
- Messaging platforms such as Slack and Microsoft Teams
In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Collection tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1005 — Data from Local System
- T1025 — Data from Removable Media
- T1039 — Data from Network Shared Drive
- T1056 — Input Capture
- T1074 — Data Staged
- T1113 — Screen Capture
- T1114 — Email Collection
- T1115 — Clipboard Data
- T1119 — Automated Collection
- T1123 — Audio Capture
- T1125 — Video Capture
- T1185 — Browser Session Hijacking