adpare
88 lines
6.4 KiB
JSON
88 lines
6.4 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--7bdf5ae6-3ec0-41ce-8e6c-672d00c1ad21",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416",
|
|
"created": "2018-04-18T17:59:24.739Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T1213",
|
|
"external_id": "T1213"
|
|
},
|
|
{
|
|
"source_name": "Mitiga",
|
|
"description": "Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops, I Leaked It Again \u2014 How Mitiga Found PII in Exposed Amazon RDS Snapshots. Retrieved September 24, 2024.",
|
|
"url": "https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots"
|
|
},
|
|
{
|
|
"source_name": "Atlassian Confluence Logging",
|
|
"description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.",
|
|
"url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"
|
|
},
|
|
{
|
|
"source_name": "TrendMicro Exposed Redis 2020",
|
|
"description": "David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved September 25, 2024.",
|
|
"url": "https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html"
|
|
},
|
|
{
|
|
"source_name": "Microsoft SharePoint Logging",
|
|
"description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.",
|
|
"url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"
|
|
},
|
|
{
|
|
"source_name": "Sharepoint Sharing Events",
|
|
"description": "Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.",
|
|
"url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events"
|
|
},
|
|
{
|
|
"source_name": "Cybernews Reuters Leak 2022",
|
|
"description": "Vilius Petkauskas . (2022, November 3). Thomson Reuters collected and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.",
|
|
"url": "https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-10-24T17:49:26.262Z",
|
|
"name": "Data from Information Repositories",
|
|
"description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)). \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)) \n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n* Contact or other sensitive information about business partners and customers, including personally identifiable information (PII) \n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:\n\n* Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases \n* Collaboration platforms such as SharePoint, Confluence, and code repositories\n* Messaging platforms such as Slack and Microsoft Teams \n\nIn some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "collection"
|
|
}
|
|
],
|
|
"x_mitre_attack_spec_version": "3.2.0",
|
|
"x_mitre_contributors": [
|
|
"Regina Elwell",
|
|
"Praetorian",
|
|
"Milos Stojadinovic",
|
|
"Isif Ibrahima, Mandiant",
|
|
"Obsidian Security",
|
|
"Naveen Vijayaraghavan",
|
|
"Nilesh Dherange (Gurucul)"
|
|
],
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_domains": [
|
|
"enterprise-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": false,
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"Linux",
|
|
"Windows",
|
|
"macOS",
|
|
"SaaS",
|
|
"IaaS",
|
|
"Office Suite"
|
|
],
|
|
"x_mitre_version": "3.4"
|
|
}
|
|
]
|
|
} |