Collection

T1213.001: Confluence

T1213.001 · Sub-technique · 1 platform · 1 group

Description

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may contain more diverse categories of useful information, such as:

- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials (i.e., Unsecured Credentials)
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources

Platforms

SaaS

Mitigations (3)

User Training (M1017)

Develop and publish policies that define acceptable information to be stored in Confluence repositories.

Audit (M1047)

Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.

User Account Management (M1018)

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has searched a victim's network for collaboration platforms like Confluence and JIRA to discover furt... |

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has collected credentials and data associated with Confluence. (Citation: Github TruffleSecurity ... |

Frequently Asked Questions

What is T1213.001 (Confluence)?

T1213.001 is a MITRE ATT&CK technique named 'Confluence'. It belongs to the Collection tactic(s). Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-rela...

How can T1213.001 be detected?

Detection of T1213.001 (Confluence) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1213.001?

There are 3 documented mitigations for T1213.001. Key mitigations include: User Training, Audit, User Account Management.

Which threat groups use T1213.001?

Known threat groups using T1213.001 include: LAPSUS$.