catalog logoThe IAM Privilege Catalog

risks / Data exfiltration

Description

Allows an attacker to export sensitive data from a system. Often combined with data-collection exploits (see `collection:data`).

Risk: CRITICAL

Exploited in isolation, this risk has the potential to disrupt central organizational operations, destroy trust, or create significant liability. Alternatively, this risk gives attackers access to broadly provisioned identities that enable the above impacts (such as root privilege escalation risks).

Mitigations

  1. Filter network traffic

Links

  1. https:/​/​attack.mitre.org/​techniques/​T1537/​

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Amazon Web Services

aoss:APIAccessAll
aoss:DashboardsAccessAll
appsync:GetDataSource
appsync:GetFunction
athena:GetQueryExecution
athena:GetQueryResults
athena:GetQueryResultsStream
cassandra:Select
chatbot:DescribeSlackChannels
chatbot:DescribeSlackUserIdentities
chatbot:ListMicrosoftTeamsConfiguredTeams
chatbot:ListMicrosoftTeamsUserIdentities
chime:GetAttendee
chime:GetChannelMessage
chime:GetMeeting
chime:GetMeetingDetail
chime:GetRoom
chime:GetUser
chime:GetUserActivityReportData
chime:GetUserByEmail
chime:GetUserSettings
chime:ListAttendees
chime:ListMeetingEvents
chime:ListMeetings
chime:ListUsers
cleanrooms:GetProtectedQuery
cloudformation:GetTemplate
cloudfront:GetFunction
cloudtrail:GetQueryResults
cloudtrail:LookupEvents
codeartifact:GetPackageVersionAsset
codeartifact:GetPackageVersionReadme
codeartifact:ReadFromRepository
codebuild:BatchGetReportGroups
codebuild:BatchGetReports
codecommit:BatchGetCommits
codecommit:BatchGetPullRequests
codecommit:BatchGetRepositories
codecommit:DescribeMergeConflicts
codecommit:DescribePullRequestEvents
codecommit:GetApprovalRuleTemplate
codecommit:GetBlob
codecommit:GetBranch
codecommit:GetComment
codecommit:GetCommentReactions
codecommit:GetCommentsForComparedCommit
codecommit:GetCommentsForPullRequest
codecommit:GetCommit
codecommit:GetCommitHistory
codecommit:GetCommitsFromMergeBase
codecommit:GetDifferences
codecommit:GetFile
codecommit:GetFolder
codecommit:GetMergeCommit
codecommit:GetMergeConflicts
codecommit:GetMergeOptions
codecommit:GetObjectIdentifier
codecommit:GetPullRequest
codecommit:GetPullRequestApprovalStates
codecommit:GetPullRequestOverrideState
codecommit:GetReferences
codecommit:GetTree
codecommit:GitPull
codeguru-profiler:GetRecommendations
codeguru-reviewer:DescribeCodeReview
codeguru-reviewer:DescribeRecommendationFeedback
codepipeline:GetPipelineExecution
cognito-identity:LookupDeveloperIdentity
cognito-idp:AdminGetDevice
cognito-idp:AdminGetUser
cognito-idp:AdminListDevices
cognito-idp:AdminListGroupsForUser
cognito-idp:AdminListUserAuthEvents
cognito-idp:GetDevice
cognito-idp:GetGroup
cognito-idp:GetUser
cognito-idp:ListDevices
cognito-idp:ListGroups
cognito-idp:ListUsers
cognito-sync:ListRecords
cognito-sync:QueryRecords
connect:ListUsers
datapipeline:QueryObjects
dax:BatchGetItem
dax:GetItem
dax:Query
dax:Scan
dynamodb:BatchGetItem
dynamodb:GetItem
dynamodb:GetRecords
dynamodb:Query
dynamodb:Scan
ecr:GetDownloadUrlForLayer
es:ESHttpDelete
es:ESHttpGet
es:ESHttpHead
es:ESHttpPatch
es:ESHttpPost
es:ESHttpPut
gamelift:GetInstanceAccess
healthlake:ReadResource
healthlake:SearchWithGet
healthlake:SearchWithPost
kendra:Query
kinesis:GetRecords
kinesisvideo:GetImages
kinesisvideo:GetMedia
lambda:GetFunction
lambda:GetLayerVersion
lightsail:GetContainerImages
logs:GetLogEvents
logs:GetLogRecord
logs:GetQueryResults
logs:Unmask
macie2:GetFindings
mediastore:GetObject
qldb:GetBlock
rds:DownloadCompleteDBLogFile
rds:DownloadDBLogFilePortion
robomaker:GetWorldTemplateBody
s3-object-lambda:GetObject
s3-object-lambda:GetObjectVersion
s3-object-lambda:ListBucket
s3:GetObject
s3:GetObjectVersion
sagemaker:Search
sdb:Select
serverlessrepo:GetApplication
serverlessrepo:GetCloudFormationTemplate
sqs:ReceiveMessage
ssm:GetDocument
ssm:GetParameter
ssm:GetParameterHistory
ssm:GetParameters
ssm:GetParametersByPath
sso-directory:DescribeGroup
sso-directory:DescribeUser
sso-directory:SearchGroups
sso-directory:SearchUsers
sso:SearchGroups
sso:SearchUsers
support:DescribeAttachment
support:DescribeCommunications
workdocs:GetDocument
workdocs:GetDocumentPath
workdocs:GetDocumentVersion
workmail:ListGroupMembers
workmail:ListGroups
workmail:ListUsers

Google Cloud Platform

appengine.instances.enableDebug
appengine.memcache.get
appengine.memcache.getKey
appengine.memcache.list
bigquery.connections.use
bigquery.models.export
bigquery.models.getData
bigquery.rowAccessPolicies.getFilteredData
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.tables.export
bigquery.tables.getData
cloudfunctions.functions.call
cloudfunctions.functions.invoke
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudsql.instances.export
cloudsql.users.create
cloudsql.users.update
compute.images.create
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.osAdminLogin
compute.instances.osLogin
container.deployments.create
container.deployments.update
container.jobs.create
container.jobs.update
container.pods.create
container.replicaSets.create
container.replicaSets.update
container.secrets.get
container.secrets.list
container.services.proxy
container.statefulSets.create
container.statefulSets.update
datastore.entities.get
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
run.jobs.runWithOverrides
run.jobs.update
run.services.update
secretmanager.versions.access
storage.objects.get

Kubernetes

apps/deployments.create
apps/deployments.update
apps/replicasets.create
apps/replicasets.update
apps/statefulsets.create
apps/statefulsets.update
batch/jobs.create
batch/jobs.update
core/pods.create
core/secrets.get
core/secrets.list
core/services.proxy

Google Workspace

USERS_RETRIEVE
© 2023–present P0 Security and contributors to the IAM Privilege Catalog