Data from Information Repositories

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS. [1] Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. [2]

ID: T0811
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Control Server, Data Historian, Engineering Workstation, Human-Machine Interface
Version: 1.0
Created: 21 May 2020
Last Modified: 06 May 2022

Procedure Examples

ID Name Description
S1000 ACAD/Medre.A

ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories. [3]

S0038 Duqu

Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance. [4]

S0143 Flame

Flame has built-in modules to gather information from compromised computers. [5]


ID Mitigation Description
M0947 Audit

Consider periodic reviews of accounts and privileges for critical and sensitive repositories.

M0941 Encrypt Sensitive Information

Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. [6] [7]

M0926 Privileged Account Management

Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. [7]

M0922 Restrict File and Directory Permissions

Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. [6] [7]

M0918 User Account Management

Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.

M0917 User Training

Develop and publish policies that define acceptable information to be stored in repositories.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Access
DS0028 Logon Session Logon Session Creation