The Attenuator acts as an intelligent filter that can analyze security events detected by Jibril and provide additional context.
New Feature!
Jibril
Jibril eBPF and Security DiscordGarnet Labs🐈‍⬛
  • Jibril
    • Jibril
      • New Era
      • Theory Behind
      • Architecture
      • Agent Dashboard
      • Compare
    • Install and Run
      • Requirements
      • Systemd Service
      • Command Line
      • Docker Container
      • Kubernetes
        • Kubernetes Script
      • Configuration File
      • Network Policy File
      • Systemd Config
    • Components
      • Features
      • Extensions
      • Plugins
      • Printers
      • Events
      • Network Policy
      • Attenuator
    • Mechanisms
      • File Access
      • Execution
      • File Access And Execution
      • Network Peers
      • Network eBPF Logic
      • Probes and Traces
      • Bigger eBPF Logic
      • Loader Interception
    • Detections
      • File Access
        • Auth Logs Tamper
        • Binary Self Deletion
        • Capabilities Modification
        • Code Modification Through Procfs
        • Core Pattern Access
        • CPU Fingerprint
        • Credentials Files Access
        • Crypto Miner Files
        • Environment Read From ProcFS
        • File Example
        • Filesystem Fingerprint
        • Global Shlib Modification
        • Java Debug Lib Load
        • Java Instrument Lib Load
        • Machine Fingerprint
        • OS Fingerprint
        • OS Network Fingerprint
        • OS Status Fingerprint
        • Package Repo Config Modification
        • PAM Config Modification
        • Sched Debug Access
        • Shell Config Modification
        • SSL Certificate Access
        • Sudoers Modification
        • Sysrq Access
        • Unprivileged Bpf Config Access
      • Execution
        • Binary Executed By Loader
        • Code On The Fly
        • Crypto Miner Execution
        • Data Encoder Exec
        • Denial Of Service Tools
        • Exec Example
        • Exec From Unusual Dir
        • File Attribute Change
        • Hidden Elf Exec
        • Interpreter Shell Spawn
        • Net Filecopy Tool Exec
        • Net MitM Tool Exec
        • Net Scan Tool Exec
        • Net Sniff Tool Exec
        • Net Suspicious Tool Exec
        • Net Suspicious Tool Shell
        • Passwd Usage
        • Runc Suspicious Exec
        • Webserver Exec
        • Webserver Shell Exec
      • Network Peers
        • Adult Domain Access
        • Badware Domain Access
        • Dynamic DNS Domain Access
        • Fake Domain Access
        • Gambling Domain Access
        • Peer Example
        • Piracy Domain Access
        • Plaintext Communication
        • Threat Domain Access
        • Tracking Domain Access
        • VPN Domain Access
    • Bugs and Requests
    • Banner
    • License
  • MITRE
    • Techniques
      • Reconnaissance
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Gather Victim Host Information
          • Hardware
          • Software
          • Firmware
          • Client Configurations
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
          • Employee Names
        • Gather Victim Network Information
          • Domain Properties
          • DNS
          • Network Trust Dependencies
          • Network Topology
          • IP Addresses
          • Network Security Appliances
        • Gather Victim Org Information
          • Determine Physical Locations
          • Business Relationships
          • Identify Business Tempo
          • Identify Roles
        • Phishing for Information
          • Spearphishing Service
          • Spearphishing Attachment
          • Spearphishing Link
          • Spearphishing Voice
        • Search Closed Sources
          • Threat Intel Vendors
          • Purchase Technical Data
        • Search Open Technical Databases
          • DNS/Passive DNS
          • WHOIS
          • Digital Certificates
          • CDNs
          • Scan Databases
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
      • Resource Development
        • Acquire Access
        • Acquire Infrastructure
          • Domains
          • DNS Server
          • Virtual Private Server
          • Server
          • Botnet
          • Web Services
          • Serverless
          • Malvertising
        • Compromise Accounts
          • Social Media Accounts
          • Email Accounts
          • Cloud Accounts
        • Compromise Infrastructure
          • Domains
          • DNS Server
          • Virtual Private Server
          • Server
          • Botnet
          • Web Services
          • Serverless
          • Network Devices
        • Develop Capabilities
          • Malware
          • Code Signing Certificates
          • Digital Certificates
          • Exploits
        • Establish Accounts
          • Social Media Accounts
          • Email Accounts
          • Cloud Accounts
        • Obtain Capabilities
          • Malware
          • Tool
          • Code Signing Certificates
          • Digital Certificates
          • Exploits
          • Vulnerabilities
          • Artificial Intelligence
        • Stage Capabilities
          • Upload Malware
          • Upload Tool
          • Install Digital Certificate
          • Drive-by Target
          • Link Target
          • SEO Poisoning
      • Initial Access
        • Drive-by Compromise
        • Exploit Public-Facing Application
        • External Remote Services
        • Hardware Additions
        • Phishing
          • Spearphishing Attachment
          • Spearphishing Link
          • Spearphishing via Service
          • Spearphishing Voice
        • Replication Through Removable Media
        • Supply Chain Compromise
          • Compromise Software Dependencies and Development Tools
          • Compromise Software Supply Chain
          • Compromise Hardware Supply Chain
        • Trusted Relationship
        • Valid Accounts
          • Default Accounts
          • Domain Accounts
          • Local Accounts
          • Cloud Accounts
      • Execution
        • Cloud Administration Command
        • Command and Scripting Interpreter
          • PowerShell
          • AppleScript
          • Windows Command Shell
          • Unix Shell
          • Visual Basic
          • Python
          • JavaScript
          • Network Device CLI
          • Cloud API
          • AutoHotkey & AutoIt
          • Lua
        • Container Administration Command
          • Deploy Container
        • Exploitation for Client Execution
        • Inter-Process Communication
          • Component Object Model
          • Dynamic Data Exchange
          • XPC Services
        • Native API
        • Scheduled Task/Job
          • At
          • Cron
          • Scheduled Task
          • Systemd Timers
          • Container Orchestration Job
        • Serverless Execution
        • Shared Modules
        • Software Deployment Tools
        • System Services
          • Launchctl
          • Service Execution
        • User Execution
          • Malicious Link
          • Malicious File
          • Malicious Image
        • Windows Management Instrumentation
      • Persistence
        • Account Manipulation
          • Additional Cloud Credentials
          • Additional Email Delegate Permissions
          • Additional Cloud Roles
          • SSH Authorized Keys
          • Device Registration
          • Additional Container Cluster Roles
          • Additional Local or Domain Groups
        • BITS Jobs
        • Boot or Logon Autostart Execution
          • Registry Run Keys / Startup Folder
          • Authentication Package
          • Time Providers
          • Winlogon Helper DLL
          • Security Support Provider
          • Kernel Modules and Extensions
          • Re-opened Applications
          • LSASS Driver
          • Shortcut Modification
          • Port Monitors
          • Print Processors
          • XDG Autostart Entries
          • Active Setup
          • Login Items
        • Boot or Logon Initialization Scripts
          • Logon Script (Windows)
          • Login Hook
          • Network Logon Script
          • RC Scripts
          • Startup Items
        • Browser Extensions
        • Compromise Host Software Binary
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Launch Agent
          • Systemd Service
          • Windows Service
          • Launch Daemon
          • Container Service
        • Event Triggered Execution
          • Change Default File Association
          • Screensaver
          • Windows Management Instrumentation Event Subscription
          • Unix Shell Configuration Modification
          • Trap
          • LC_LOAD_DYLIB Addition
          • Netsh Helper DLL
          • Accessibility Features
          • AppCert DLLs
          • AppInit DLLs
          • Application Shimming
          • Image File Execution Options Injection
          • PowerShell Profile
          • Emond
          • Component Object Model Hijacking
          • Installer Packages
          • Udev Rules
        • External Remote Services
        • Hijack Execution Flow
          • DLL Search Order Hijacking
          • DLL Side-Loading
          • Dylib Hijacking
          • Executable Installer File Permissions Weakness
          • Dynamic Linker Hijacking
          • Path Interception by PATH Environment Variable
          • Path Interception by Search Order Hijacking
          • Path Interception by Unquoted Path
          • Services File Permissions Weakness
          • Services Registry Permissions Weakness
          • COR_PROFILER
          • KernelCallbackTable
          • AppDomainManager
        • Implant Internal Image
        • Modify Authentication Process
          • Domain Controller Authentication
          • Password Filter DLL
          • Pluggable Authentication Modules
          • Network Device Authentication
          • Reverse Encryption
          • Multi-Factor Authentication
          • Hybrid Identity
          • Network Provider DLL
          • Conditional Access Policies
        • Office Application Startup
          • Office Template Macros
          • Office Test
          • Outlook Forms
          • Outlook Home Page
          • Outlook Rules
          • Add-ins
        • Pre-OS Boot
          • System Firmware
          • Component Firmware
          • Bootkit
          • ROMMONkit
          • TFTP Boot
        • Scheduled Task/Job
        • Server Software Component
          • SQL Stored Procedures
          • Transport Agent
          • Web Shell
          • IIS Components
          • Terminal Services DLL
        • Traffic Signaling
          • Port Knocking
          • Socket Filters
        • Valid Accounts
      • Privilege Escalation
        • Abuse Elevation Control Mechanism
          • Setuid and Setgid
          • Bypass User Account Control
          • Sudo and Sudo Caching
          • Elevated Execution with Prompt
          • Temporary Elevated Cloud Access
          • TCC Manipulation
        • Access Token Manipulation
          • Token Impersonation/Theft
          • Create Process with Token
          • Make and Impersonate Token
          • Parent PID Spoofing
          • SID-History Injection
        • Account Manipulation
        • Boot or Logon Autostart Execution
        • Boot or Logon Initialization Scripts
        • Create or Modify System Process
        • Domain or Group Policy Modification
          • Group Policy Modification
          • Trust Modification
        • Escape to Host
        • Event Triggered Execution
        • Exploitation for Privilege Escalation
        • Hijack Execution Flow
        • Process Injection
          • Dynamic-link Library Injection
          • Portable Executable Injection
          • Thread Execution Hijacking
          • Asynchronous Procedure Call
          • Thread Local Storage
          • Ptrace System Calls
          • Proc Memory
          • Extra Window Memory Injection
          • Process Hollowing
          • Process Doppelgänging
          • VDSO Hijacking
          • ListPlanting
        • Scheduled Task/Job
        • Valid Accounts
      • Defense Evasion
        • Abuse Elevation Control Mechanism
        • Access Token Manipulation
        • BITS Jobs
        • Build Image on Host
        • Deobfuscate/Decode Files or Information
        • Direct Volume Access
        • Domain Policy Modification
        • Execution Guardrails
          • Environmental Keying
          • Geofencing
          • Time Based Evasion
        • Exploitation for Defense Evasion
        • File and Directory Permissions Modification
          • Windows File and Directory Permissions Modification
          • Linux and Mac File and Directory Permissions Modification
        • Hide Artifacts
          • Hidden Files and Directories
          • Hidden Users
          • Hidden Window
          • NTFS File Attributes
          • Hidden File System
        • Hijack Execution Flow
        • Impair Defenses
          • Disable or Modify Tools
          • Disable Windows Event Logging
          • Disable or Modify System Firewall
          • Disable or Modify Cloud Logs
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • Clear Network Connection History and Logs
          • File Deletion
          • Timestomp
        • Indirect Command Execution
        • Masquerading
          • Match Legitimate Name or Location
          • Rename System Utilities
          • Masquerade Task or Service
          • Double File Extension
          • Right-to-Left Override
          • Space after Filename
          • Compiled HTML File
        • Modify Authentication Process
        • Modify Cloud Environment
          • Add Resources or Services
          • Modify Permissions
        • Modify Registry
        • Modify System Image
          • Patch System Image
          • Downgrade System Image
        • Network Boundary Bridging
          • Network Address Translation Traversal
        • Obfuscated Files or Information
          • Software Packing
          • Steganography
          • Compile After Delivery
          • Binary Padding
          • HTML Smuggling
        • Pre-OS Boot
        • Process Injection
        • Reflective Code Loading
        • Rogue Domain Controller
        • Rootkit
        • Subvert Trust Controls
          • Mark-of-the-Web Bypass
          • SIP and Trust Provider Hijacking
          • Code Signing
          • Install Root Certificate
          • Gatekeeper Bypass
        • System Binary Proxy Execution
          • Compiled HTML File
          • Control Panel
          • CMSTP
          • InstallUtil
          • Mshta
          • Msiexec
          • Odbcconf
          • Regsvcs/Regasm
          • Regsvr32
          • Rundll32
          • Verclsid
          • Mavinject
          • MMC
        • System Script Proxy Execution
          • PubPrn
        • Template Injection
        • Traffic Signaling
        • Use Alternate Authentication Material
          • Application Access Token
          • Pass the Hash
          • Pass the Ticket
          • Web Session Cookie
        • Valid Accounts
        • Virtualization/Sandbox Evasion
          • System Checks
          • User Activity Based Checks
          • Time Based Evasion
        • Weaken Encryption
          • Reduce Key Space
          • Disable or Remove Encryption
        • XSL Script Processing
        • Credential Access
          • Adversary-in-the-Middle
            • LLMNR/NBT-NS Poisoning and SMB Relay
            • ARP Cache Poisoning
            • DHCP Spoofing
            • Evil Twin
          • Brute Force
            • Password Guessing
            • Password Cracking
            • Password Spraying
            • Credential Stuffing
          • Credentials from Password Stores
            • Credentials from Web Browsers
            • Windows Credential Manager
            • Credentials from Password Managers
          • Exploitation for Credential Access
          • Forced Authentication
          • Forge Web Credentials
            • Web Cookies
            • SAML Tokens
          • Input Capture
            • Keylogging
            • GUI Input Capture
            • Web Portal Capture
          • Modify Authentication Process
          • Multi-Factor Authentication Interception
          • Multi-Factor Authentication Request Generation
          • Network Sniffing
          • OS Credential Dumping
            • LSASS Memory
            • Security Account Manager
            • NTDS
            • LSA Secrets
            • Cached Domain Credentials
            • DCSync
            • Proc Filesystem
          • Steal Application Access Token
          • Steal or Forge Authentication Certificates
          • Steal or Forge Kerberos Tickets
            • Golden Ticket
            • Silver Ticket
            • Kerberoasting
          • Steal Web Session Cookie
          • Unsecured Credentials
            • Credentials in Files
            • Credentials in Registry
            • Bash History
            • Credentials in Configuration Files
        • Discovery
          • Account Discovery
            • Local Account
            • Domain Account
            • Cloud Account
          • Application Window Discovery
          • Browser Bookmark Discovery
          • Cloud Infrastructure Discovery
            • Cloud Storage Object Discovery
          • Cloud Service Dashboard
          • Cloud Service Discovery
          • Container and Resource Discovery
          • Domain Trust Discovery
          • File and Directory Discovery
          • Group Policy Discovery
          • Network Service Discovery
          • Network Share Discovery
          • Network Sniffing
          • Password Policy Discovery
          • Peripheral Device Discovery
          • Permission Groups Discovery
            • Local Groups
            • Domain Groups
            • Cloud Groups
          • Process Discovery
          • Query Registry
          • Remote System Discovery
          • Software Discovery
            • Security Software Discovery
            • Installed Services Discovery
          • System Information Discovery
          • System Location Discovery
            • System Language Discovery
          • System Network Configuration Discovery
            • Internet Connection Discovery
            • Domain Generation Algorithm Discovery
          • System Network Connections Discovery
          • System Owner/User Discovery
          • System Service Discovery
          • System Time Discovery
          • Virtualization/Sandbox Evasion
          • Wireless Network Discovery
        • Lateral Movement
          • Exploitation of Remote Services
          • Internal Spearphishing
          • Lateral Tool Transfer
          • Remote Service Session Hijacking
            • RDP Hijacking
          • Remote Services
            • Remote Desktop Protocol
            • Windows Admin Shares
            • Distributed Component Object Model
            • SSH
            • VNC
            • Apple Remote Desktop
            • Cloud Services
          • Replication Through Removable Media
          • Software Deployment Tools
          • Taint Shared Content
          • Use Alternate Authentication Material
        • Collection
          • Adversary-in-the-Middle
          • Archive Collected Data
            • Archive via Utility
            • Archive via Library
            • Archive via Custom Method
          • Audio Capture
          • Automated Collection
          • Browser Session Hijacking
          • Clipboard Data
          • Data from Cloud Storage
            • Cloud Storage Object
          • Data from Configuration Repository
            • SNMP MIB Dump
            • Network Device Configuration Dump
          • Data from Information Repositories
            • SharePoint
            • Code Repositories
            • Customer Relationship Management Software
            • Messaging Applications
          • Data from Local System
          • Data from Network Shared Drive
          • Data from Removable Media
          • Data Staged
            • Local Data Staging
            • Remote Data Staging
          • Email Collection
            • Local Email Collection
            • Remote Email Collection
            • Email Forwarding Rule
          • Input Capture
          • Screen Capture
          • Video Capture
        • Command and Control
          • Application Layer Protocol
            • Web Protocols
            • File Transfer Protocols
            • Mail Protocols
            • DNS
          • Communication Through Removable Media
          • Data Encoding
            • Standard Encoding
            • Non-Standard Encoding
          • Data Obfuscation
            • Junk Data
            • Steganography
            • Protocol Impersonation
          • Dynamic Resolution
            • Fast Flux DNS
            • Domain Generation Algorithms
            • DNS Calculation
          • Encrypted Channel
            • Symmetric Cryptography
            • Asymmetric Cryptography
          • Fallback Channels
          • Ingress Tool Transfer
          • Multi-Stage Channels
          • Non-Application Layer Protocol
          • Non-Standard Port
          • Protocol Tunneling
          • Proxy
            • Internal Proxy
            • External Proxy
            • Multi-hop Proxy
            • Domain Fronting
          • Remote Access Software
          • Traffic Signaling
          • Web Service
            • Dead Drop Resolver
            • Bidirectional Communication
            • One-Way Communication
        • Exfiltration
          • Automated Exfiltration
            • Traffic Duplication
          • Data Transfer Size Limits
          • Exfiltration Over Alternative Protocol
            • Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            • Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            • Exfiltration Over Unencrypted Non-C2 Protocol
          • Exfiltration Over C2 Channel
          • Exfiltration Over Other Network Medium
            • Exfiltration Over Bluetooth
          • Exfiltration Over Physical Medium
            • Exfiltration over USB
          • Exfiltration Over Web Service
            • Exfiltration to Cloud Storage
            • Exfiltration to Code Repository
            • Exfiltration to Text Storage Sites
            • Exfiltration Over Webhook
          • Scheduled Transfer
        • Impact
          • Account Access Removal
          • Data Destruction
            • Lifecycle/Trigger Deletion
          • Data Encrypted for Impact
          • Data Manipulation
            • Stored Data Manipulation
            • Transmitted Data Manipulation
            • Runtime Data Manipulation
          • Defacement
            • Internal Defacement
            • External Defacement
          • Disk Wipe
            • Disk Structure Wipe
            • Disk Content Wipe
          • Endpoint Denial of Service
            • OS Exhaustion Flood
            • Service Exhaustion Flood
            • Application Exhaustion Flood
            • Application or System Exploitation
          • Firmware Corruption
          • Inhibit System Recovery
          • Network Denial of Service
            • Direct Network Flood
            • Reflection Amplification
          • Resource Hijacking
            • SMS Pumping
          • Service Stop
          • System Shutdown/Reboot
  • Knowledge
    • eBPF
      • eBPF Helpers
        • map_xxx_elem (v3.19)
        • get_prandom_u32 (v4.1)
        • get_smp_processor_id (v4.1)
  • Research
    • Runtime Security
      • Valkyrie Response
Powered by GitBook

© 2025 • Jibril • by Garnet Labs

On this page
  • Information
  • Introduction
  • Deep Dive Into Technique
  • When this Technique is Usually Used
  • How this Technique is Usually Detected
  • Why it is Important to Detect This Technique
  • Examples
  1. MITRE
  2. Techniques
  3. Defense Evasion
  4. Collection

Data from Configuration Repository

Data from Configuration Repository [T1602]

Last updated 1 month ago

Information

  • Name: Data from Configuration Repository

  • ID: T1602

  • Tactics:

  • Sub-Technique: ,

Introduction

Data from Configuration Repository is a technique categorized under MITRE ATT&CK's tactic of Credential Access (T1552.002). Attackers leverage this method to extract sensitive information, such as credentials, keys, tokens, or other valuable configuration data, from repositories or files that store configuration data. Configuration repositories can include files, registries, databases, configuration management systems, or cloud storage systems. Adversaries target these repositories to gain unauthorized access, escalate privileges, or facilitate lateral movement within compromised environments.

Deep Dive Into Technique

Attackers exploiting Data from Configuration Repository typically focus on extracting sensitive or privileged information stored within configuration files or repositories. These repositories can exist in various forms, including:

  • Plaintext configuration files (.ini, .xml, .json, .yaml, .conf files)

  • Configuration management databases (CMDBs)

  • Cloud storage buckets (AWS S3, Azure Blob Storage, Google Cloud Storage)

  • System registries (Windows Registry)

  • Infrastructure-as-code repositories (Terraform, Ansible, Chef, Puppet)

Attackers may employ various execution methods to access these repositories, such as:

  • Direct file access and parsing configuration files stored on compromised endpoints or servers.

  • Utilizing operating system commands or scripts (PowerShell, Bash, Python) to automate extraction and parsing.

  • Exploiting misconfigured cloud storage buckets or repositories with weak authentication controls.

  • Leveraging compromised administrative credentials or tokens to access configuration management systems or databases.

  • Accessing registry keys containing sensitive data in Windows environments.

Common mechanisms attackers use include:

  • Automated scripts or tools to scan and parse configuration files for credentials or sensitive data.

  • Exploiting weak file permissions or configuration errors to access sensitive repositories.

  • Utilizing stolen or compromised administrator accounts to access and extract sensitive data.

  • Leveraging publicly exposed configuration files or repositories due to misconfigurations.

Real-world procedures often involve:

  • Retrieving API keys, database credentials, or authentication tokens from configuration files.

  • Extracting credentials from Windows registry keys used by services or applications.

  • Accessing cloud storage buckets or configuration databases due to misconfigured access controls.

  • Leveraging leaked or exposed configuration repositories from public repositories or code-sharing platforms.

When this Technique is Usually Used

Attackers can leverage Data from Configuration Repository across various attack scenarios and stages, including:

  • Initial Access Stage: Attackers may exploit publicly exposed configuration repositories or cloud storage buckets to obtain initial foothold credentials or sensitive data.

  • Credential Access Stage: Extracting credentials or sensitive tokens from configuration files or registries to escalate privileges or facilitate lateral movement.

  • Privilege Escalation Stage: Utilizing sensitive configuration data (e.g., administrative credentials, API keys) to escalate privileges within the compromised environment.

  • Lateral Movement Stage: Leveraging extracted credentials or tokens to move laterally across network segments, systems, or cloud environments.

  • Persistence Stage: Using configuration data to establish persistent access through legitimate administrative accounts or API tokens.

  • Exfiltration Stage: Extracting sensitive configuration data for external use, sale, or further exploitation.

How this Technique is Usually Detected

Detection methods for Data from Configuration Repository include:

  • File Integrity Monitoring (FIM):

    • Monitoring configuration files for unauthorized access or modification.

    • Alerting on unexpected file reads or unusual file access patterns.

  • Endpoint Detection and Response (EDR):

    • Detecting suspicious scripts or processes accessing sensitive configuration files or repositories.

    • Identifying abnormal process behavior or command-line arguments associated with data extraction.

  • Security Information and Event Management (SIEM):

    • Correlating logs from file access events, registry access, or cloud storage access events.

    • Identifying unusual patterns or spikes in configuration file access.

  • Cloud Security Posture Management (CSPM):

    • Detecting misconfigured cloud storage buckets or repositories that expose sensitive configuration data.

    • Alerting on unauthorized access attempts or data extraction from cloud configuration repositories.

  • Behavioral Analytics:

    • Monitoring user and service account behavior for deviations from normal configuration access patterns.

    • Detecting unusual access times, locations, or frequency of sensitive configuration repository interactions.

Indicators of Compromise (IoCs) associated with this technique include:

  • Unusual access or modification timestamps on sensitive configuration files.

  • Suspicious scripts or executables accessing configuration files or registries.

  • Unexpected API calls or access attempts to configuration storage services.

  • Configuration files or registry keys accessed by unauthorized or unexpected user accounts.

  • Presence of configuration files or sensitive data in unauthorized locations or external systems.

Why it is Important to Detect This Technique

Early detection of Data from Configuration Repository is critical due to the potential severe impacts on systems, networks, and organizations, including:

  • Credential Compromise:

    • Attackers obtaining administrative credentials, API keys, or authentication tokens that grant high-level access to critical systems and services.

  • Privilege Escalation:

    • Using extracted configuration data to escalate privileges and gain administrative or root-level access, significantly increasing attacker capabilities.

  • Lateral Movement:

    • Leveraging credentials or tokens found in configuration repositories to move laterally across network segments, increasing the scope and severity of compromise.

  • Data Exfiltration:

    • Extracting sensitive configuration information (credentials, encryption keys, proprietary information) to external locations, leading to data breaches and compliance violations.

  • Operational Disruption:

    • Attackers altering or corrupting configuration data, causing service outages, downtime, or degraded system performance.

  • Compliance and Regulatory Impact:

    • Exposure or breach of sensitive configuration data may lead to regulatory penalties, fines, loss of trust, and reputational damage.

Detecting and responding to this technique promptly limits attacker capabilities, mitigates potential damage, and reduces the risk of broader compromise or operational impact.

Examples

Real-world examples demonstrating the use of Data from Configuration Repository include:

  • Uber Data Breach (2022):

    • Attackers accessed internal configuration repositories containing administrative credentials and API keys.

    • Leveraged extracted credentials to escalate privileges and move laterally within Uber's internal systems.

    • Impact included unauthorized access to sensitive customer and employee data and significant reputational damage.

  • Capital One Breach (2019):

    • Attacker exploited misconfigured AWS S3 buckets that stored sensitive configuration data and credentials.

    • Accessed sensitive customer data, including personal information, financial records, and account details.

    • Resulted in regulatory fines, legal actions, and significant reputational harm.

  • Imperva Data Breach (2019):

    • Attackers accessed cloud configuration repositories containing API keys and administrative credentials.

    • Enabled unauthorized access to Imperva's cloud database services, exposing customer data and API keys.

    • Resulted in service disruptions, customer notifications, and reputational damage.

  • Codecov Supply Chain Attack (2021):

    • Attackers compromised Codecov's Bash Uploader script, enabling access to customers' configuration data (API keys, credentials, tokens).

    • Attackers leveraged stolen credentials to access sensitive customer repositories and systems.

    • Impact included widespread compromise of customer environments and significant remediation efforts.

Tools commonly used by attackers in these scenarios include:

  • Custom scripts (Python, PowerShell, Bash) for automated extraction and parsing of configuration data.

  • Cloud enumeration and exploitation tools (Scout Suite, CloudSploit, Pacu) to identify and exploit misconfigured cloud repositories.

  • Credential extraction frameworks (Mimikatz, LaZagne) to retrieve sensitive data from configuration files or registries.

Impacts observed in these examples include:

  • Unauthorized access to sensitive data and intellectual property.

  • Significant financial losses due to remediation, legal fees, and fines.

  • Reputational damage leading to decreased customer trust and business impact.

  • Operational disruptions and downtime affecting business continuity.

TA0009
T1602.002
T1602.001