Technique on mitre.org

T1602: Data from Configuration Repository

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

T1602.002 Network Device Configuration Dump

Detection

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access configuration content)

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access configuration content)

ID	Data source and component	Description
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access configuration content)
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access configuration content)

Mitigation

ID	M1030	Name	Network Segmentation	Description	Segregate SNMP traffic on a separate management network.

ID	M1031	Name	Network Intrusion Prevention	Description	Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources.

ID	M1037	Name	Filter Network Traffic	Description	Apply extended ACLs to block unauthorized protocols outside the trusted network.

ID	M1041	Name	Encrypt Sensitive Information	Description	Configure SNMPv3 to use the highest level of security (authPriv) available.

ID	M1051	Name	Update Software	Description	Keep system images and software updated and migrate to SNMPv3.

ID	M1054	Name	Software Configuration	Description	Allowlist MIB objects and implement SNMP views.

ID	Name	Description
M1030	Network Segmentation	Segregate SNMP traffic on a separate management network.
M1031	Network Intrusion Prevention	Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources.
M1037	Filter Network Traffic	Apply extended ACLs to block unauthorized protocols outside the trusted network.
M1041	Encrypt Sensitive Information	Configure SNMPv3 to use the highest level of security (authPriv) available.
M1051	Update Software	Keep system images and software updated and migrate to SNMPv3.
M1054	Software Configuration	Allowlist MIB objects and implement SNMP views.