Data from Information Repositories

Data from Information Repositories refers to adversaries stealing sensitive information by accessing storage systems such as enterprise databases and collaboration platforms; this information can provide key intelligence for follow-on attacks. Defensive measures typically include monitoring privileged account access, detecting anomalous document retrieval patterns (such as a large number of downloads within a short time), and deploying User Behavior Analytics (UBA) systems to identify unusual sequences of operations.
To evade traditional detection mechanisms, adversaries have developed a range of covert data acquisition techniques. Through identity impersonation, protocol emulation, traffic dilution and similar strategies they blend malicious operations into normal business processes, forming a new "low-signature, high-persistence" pattern of data theft.
The core of current stealth techniques is multi-dimensional legitimization combined with dilution of attack traces. Abuse of legitimate credentials rides on identity trust mechanisms to bypass authentication monitoring, giving data access a veneer of legitimacy. API traffic masquerading relies on protocol compliance to conceal the signature of automated scraping, making malicious requests hard to distinguish from normal business interactions. Fragmented data retrieval decomposes the attack across time and space so that no single operation exceeds a detection threshold. Covert download via cloud synchronization exploits the trust chain of enterprise infrastructure, breaking the exfiltration process into multiple individually compliant steps. What these four classes share is deep exploitation of the target environment's trust relationships (identity, protocol, business process) to decompose and recompose attack behavior into interactions the system regards as legitimate, forcing defenders to adopt higher-order detection such as cross-system log correlation and fine-grained behavioral modeling.
The evolution of these stealth techniques has gradually rendered ineffective traditional defenses built on single-point log analysis and bulk-operation detection. To identify covert data theft effectively, defenders need identity behavior baselines, API interaction pattern profiles and data access context analysis, and must integrate cloud-native security monitoring with on-premises log audit data.

ID: T1213
Sub-techniques: T1213.001, T1213.002, T1213.003, T1213.004
Tactic: Collection
Platforms: IaaS, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Isif Ibrahima, Mandiant; Milos Stojadinovic; Naveen Vijayaraghavan; Nilesh Dherange (Gurucul); Obsidian Security; Praetorian; Regina Elwell
Version: 3.4
Created: 18 April 2018
Last Modified: 28 October 2024

Stealth Effects

Effect type  Present
Signature masquerading
Behavioral invisibility
Data obscuration
Spatiotemporal trace dilution

Signature masquerading

Adversaries precisely mimic legitimate API call protocols, use compliant synchronization clients and forge device fingerprints so that malicious data requests are indistinguishable from normal business traffic at the protocol-signature and interaction-pattern level. For example, the paginated scraping variant of API traffic masquerading strictly follows the target platform's OAuth authentication flow and RESTful interface conventions, hiding its signature at the protocol layer.

Behavioral invisibility

Data theft is carried out through zero-day vulnerabilities or undisclosed API flaws, for example by discovering a flaw in a cloud storage service's synchronization protocol through reverse engineering and bypassing access control policies to obtain data directly. Traditional detection based on known vulnerability signatures struggles to identify such behavior.

Data obscuration

In sub-techniques such as covert download via cloud storage synchronization, adversaries transfer sensitive data over TLS-encrypted channels, so that defenders cannot discover the leakage through traffic content analysis. Some advanced variants additionally encrypt the stolen data client-side before sending it out, achieving a double layer of data obscuration.

Spatiotemporal trace dilution

Through fragmented data retrieval and long-term credential abuse, what would otherwise be a concentrated data theft is spread over weeks or even months, while globally distributed cloud infrastructure is used to switch access entry points dynamically. Attack traces are thereby diluted across long-period, multi-region business operations, defeating the defender's time-series analysis and spatial correlation.

Procedure Examples

ID Name Description
G0007 APT28

APT28 has collected files from various information repositories.[1]

C0040 APT41 DUST

APT41 DUST collected data from victim Oracle databases using SQLULDR2.[2]

G0037 FIN6

FIN6 has collected schemas and user accounts from systems running SQL Server.[3]

S1146 MgBot

MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[4]

S0598 P.A.S. Webshell

P.A.S. Webshell has the ability to list and extract data from SQL databases.[5]

S1148 Raccoon Stealer

Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service.[6]

G0034 Sandworm Team

Sandworm Team exfiltrates data of interest from enterprise databases using Adminer.[7]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[8]

G0010 Turla

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[9]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of accounts and privileges for critical and sensitive repositories. Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.[10]

M1041 Encrypt Sensitive Information

Encrypt data stored at rest in databases.

M1032 Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

M1060 Out-of-Band Communications Channel

Create plans for leveraging a secure out-of-band communications channel, rather than existing in-network chat applications, in case of a security incident.[11]

M1054 Software Configuration

Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.

M1018 User Account Management

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

M1017 User Training

Develop and publish policies that define acceptable information to be stored in repositories.
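The M1047 audit item above asks that security groups assigned to cloud-hosted databases permit only necessary and authorized hosts. The following is an added example, not part of the ATT&CK page or of any vendor tool, of automating that review over exported security-group definitions. The dictionaries mirror the field names of AWS EC2 describe_security_groups output (IpPermissions, FromPort/ToPort, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6), but every group, group ID and approved network below is constructed for the demonstration.

```python
"""Check cloud database security groups for exposure beyond approved hosts.

Mirrors the shape of AWS EC2 describe_security_groups output (IpPermissions,
FromPort/ToPort, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6); all group data and
the approved source ranges below are constructed for the example.
"""
import ipaddress

# Common database listener ports and the engines that use them.
DB_PORTS = {1433: "SQL Server", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed: the only networks that should ever reach a database port.
APPROVED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("172.16.0.0/12")]

# Constructed security groups; IDs are placeholders, not real AWS IDs.
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allports", "IpPermissions": [          # "all traffic" rule
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-web", "IpPermissions": [               # HTTPS only: not a DB finding
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def rule_covers_port(perm, port):
    """True if a permission entry allows TCP traffic to the given port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def source_is_approved(cidr, approved=APPROVED_SOURCES):
    """True if the source CIDR lies entirely inside an approved network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def find_exposed_db_rules(groups, approved=APPROVED_SOURCES):
    """Return (group_id, port, engine, source) for every DB port reachable
    from a source that is not an approved network."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, engine in DB_PORTS.items():
                if not rule_covers_port(perm, port):
                    continue
                for src in sources:
                    if not source_is_approved(src, approved):
                        findings.append((group["GroupId"], port, engine, src))
    return sorted(findings)


if __name__ == "__main__":
    for gid, port, engine, src in find_exposed_db_rules(SAMPLE_GROUPS):
        print(f"{gid}: {engine} port {port} reachable from {src}")
```

The check treats an "all traffic" rule (IpProtocol "-1") as covering every database port, and judges a source by whether its whole CIDR falls inside an approved network rather than by a simple equality test, so an overly broad range such as 0.0.0.0/0 or a range outside the corporate address space is reported even when it is not literally "public".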

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, so detection of malicious use can be non-trivial. At minimum, access to information repositories by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may indicate that programmatic means are being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User Behavior Analytics (UBA) platforms to detect and alert on user-based anomalies.

DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon sessions to information repositories. Microsoft's SharePoint can be configured to report access to certain pages and documents.[12] SharePoint audit logging can also be configured to report when a user shares a resource.[13] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[14] In AWS environments, GuardDuty can be configured to report suspicious login activity in services such as RDS.[15] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
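The two detection entries above describe what to look for in repository access logs: any use of privileged accounts, and users retrieving an unusually large number of documents. The stealth-effects section earlier notes that adversaries may instead spread retrieval over weeks to stay under a per-window threshold. The following is an added example, not code from the ATT&CK page or from SharePoint, Confluence or GuardDuty, that runs all three checks over a constructed JSON-lines audit log. The field names (ts, user, action, doc), the privileged account names and the thresholds are assumptions for the demonstration; a real product export would need its own field mapping.

```python
"""Audit-log checks for T1213 from the Detection section above.

Three checks on repository access events:
  1. any access by a privileged account (should not happen at all),
  2. bulk retrieval: many distinct documents by one user in a short window,
  3. low-and-slow retrieval: a wide spread of documents over a long window
     by a user who never trips the short-window check.

All input is constructed; field names are an assumed generic audit format,
not the export format of any particular product.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account names standing in for Domain/Enterprise/Schema admins.
PRIVILEGED_ACCOUNTS = {"svc_schema_admin", "da_ent_admin"}
RETRIEVAL_ACTIONS = {"view", "download"}


def build_sample_log():
    """Return constructed JSON-lines audit records (synthetic data)."""
    base = datetime(2024, 10, 1, 9, 0, 0)
    lines = []

    def add(ts, user, action, doc):
        lines.append(json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                 "user": user, "action": action, "doc": doc}))

    for d in range(5):                       # alice: ordinary, sparse usage
        add(base + timedelta(days=3 * d), "alice", "view", f"HR/handbook-{d}")
    for i in range(24):                      # bob: 24 documents in six minutes
        add(base + timedelta(seconds=15 * i), "bob", "download", f"Finance/q3-{i:02d}")
    for d in range(14):                      # carol: two documents a day for two weeks
        for k in range(2):
            add(base + timedelta(days=d, hours=4 * k), "carol", "view",
                f"Eng/design-{d:02d}-{k}")
    add(base + timedelta(days=2, hours=1), "svc_schema_admin", "view", "IT/runbook-01")
    return lines


def parse_events(lines):
    """Parse JSON-lines records into time-sorted (ts, user, action, doc) tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["user"], rec["action"], rec["doc"]))
    return sorted(events)


def privileged_access(events, privileged=PRIVILEGED_ACCOUNTS):
    """Privileged accounts that touched the repository at all."""
    return sorted({user for _, user, _, _ in events if user in privileged})


def _retrievals_by_user(events):
    by_user = defaultdict(list)
    for ts, user, action, doc in events:
        if action in RETRIEVAL_ACTIONS:
            by_user[user].append((ts, doc))
    return by_user  # events arrive time-sorted from parse_events


def _max_distinct_in_window(recs, window):
    """Largest number of distinct docs in any sliding window over sorted recs."""
    best, start, counts = 0, 0, defaultdict(int)
    for ts, doc in recs:
        counts[doc] += 1
        while ts - recs[start][0] > window:   # drop records that fell out of the window
            old = recs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def bulk_retrieval(events, window=timedelta(minutes=10), threshold=20):
    """Users who pulled >= threshold distinct documents inside one short window."""
    return {u: n for u, recs in _retrievals_by_user(events).items()
            if (n := _max_distinct_in_window(recs, window)) >= threshold}


def low_and_slow(events, window=timedelta(days=30), threshold=25,
                 bulk_window=timedelta(minutes=10), bulk_threshold=20):
    """Users with a wide long-window spread although no short window tripped."""
    bulk = bulk_retrieval(events, bulk_window, bulk_threshold)
    return {u: n for u, recs in _retrievals_by_user(events).items()
            if u not in bulk and (n := _max_distinct_in_window(recs, window)) >= threshold}


if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    print("privileged access:", privileged_access(evts))
    print("bulk retrieval:", bulk_retrieval(evts))
    print("low and slow:", low_and_slow(evts))
```

The same sliding-window routine serves both the short-window bulk check and the long-window check; only the window length and threshold differ. Counting distinct documents rather than raw requests keeps a user who repeatedly reloads one page from looking like a scraper, and the long window is what surfaces the fragmented-retrieval pattern the stealth section describes.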

References