T1213 · Defined · ATT&CK T1213 ↗

Data from Information Repositories

Process → Read → DocumentFile — Read attacker-relevant data from an organisational information repository not intended for the attacker's use.

Ontological Definition
Actor: Process
Action: Read
Artifact: DocumentFile

Detect

STP 5

The actor.user.name + file.path + Read activity_id triple is technique-defining and platform-agnostic. Rules detecting unusual read volume, off-hours access, or access to sensitive paths by unexpected users are STP 5.

Gate on
activity_id = Read

Generate org-specific sub-technique IDs using the EDE taxonomy (e.g. T1213.github, T1213.confluence). Baseline normal access patterns per user per repository type and alert on deviations.
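As an added example (not code from the original page or from the EDE project), the three STP-5 checks above applied to constructed OCSF File System Activity events: the definitional gate on Read, then off-hours access, sensitive paths read by unexpected users, and per-user, per-repository-type read volume against a baseline. The `repo_type` enrichment field, the baseline figures, the sensitive prefixes, the business hours and the numeric activity_id 2 for Read are all assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed OCSF File System Activity (class 1001) events, one JSON object per line.
# `repo_type` is an assumed enrichment field carrying the EDE platform (T1213.<platform>);
# activity_id 2 / activity_name "Read" follow the OCSF enum (assumption; the page gates on 'Read').
SAMPLE_LOG = "\n".join([
    '{"class_uid":1001,"activity_id":2,"activity_name":"Read","time":"2024-03-04T10:02:00Z",'
    '"actor":{"user":{"name":"alice"}},"file":{"path":"confluence://ENG/runbooks/deploy"},"repo_type":"wiki"}',
    '{"class_uid":1001,"activity_id":1,"activity_name":"Create","time":"2024-03-04T10:03:00Z",'
    '"actor":{"user":{"name":"alice"}},"file":{"path":"confluence://ENG/runbooks/new"},"repo_type":"wiki"}',
    '{"class_uid":1001,"activity_id":2,"activity_name":"Read","time":"2024-03-04T02:13:00Z",'
    '"actor":{"user":{"name":"bob"}},"file":{"path":"github://org/infra/terraform/main.tf"},"repo_type":"code"}',
    '{"class_uid":1001,"activity_id":2,"activity_name":"Read","time":"2024-03-04T14:30:00Z",'
    '"actor":{"user":{"name":"carol"}},"file":{"path":"sharepoint://HR/payroll/2024.xlsx"},"repo_type":"productivity"}',
] + [json.dumps({"class_uid": 1001, "activity_id": 2, "activity_name": "Read",
                 "time": f"2024-03-04T09:{m:02d}:00Z", "actor": {"user": {"name": "dave"}},
                 "file": {"path": f"jira://PROJ-{m}"}, "repo_type": "ticketing"}) for m in range(12)])

# Assumed per-user, per-repository-type daily read baseline, learned from history.
BASELINE = {("alice", "wiki"): 20, ("bob", "code"): 40, ("carol", "productivity"): 5, ("dave", "ticketing"): 3}
# Assumed sensitive path prefixes and the only accounts expected to read under them.
SENSITIVE = {"sharepoint://HR/": {"hr-admin"}, "github://org/infra/": {"bob", "sre-bot"}}
BUSINESS_HOURS = range(7, 19)  # UTC, assumption

def detect(log_text, baseline=BASELINE, sensitive=SENSITIVE, spike_factor=3):
    """Gate on activity_id = Read, then apply the three checks from the Detect section.
    Returns (rule, actor.user.name, detail) tuples."""
    findings, volume = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("class_uid") != 1001 or e.get("activity_name") != "Read":
            continue  # definitional gate: only reads of repository documents count
        user, path = e["actor"]["user"]["name"], e["file"]["path"]
        hour = datetime.fromisoformat(e["time"].replace("Z", "+00:00")).hour
        if hour not in BUSINESS_HOURS:
            findings.append(("off_hours_read", user, path))
        for prefix, allowed in sensitive.items():
            if path.startswith(prefix) and user not in allowed:
                findings.append(("sensitive_path_unexpected_user", user, path))
        volume[(user, e.get("repo_type", "unknown"))] += 1
    for (user, repo_type), n in volume.items():  # per-user, per-repository-type deviation
        if n > spike_factor * baseline.get((user, repo_type), 1):
            findings.append(("read_volume_spike", user, f"{repo_type}: {n} reads"))
    return findings
```

Running `detect(SAMPLE_LOG)` yields one finding per check (bob's off-hours read, carol's HR read, dave's ticketing spike) and nothing for alice, whose Create event never passes the gate.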

Mitigate

STP 5

Least-privilege access controls operate at the artifact level — an attacker whose compromised account lacks read permission on a DocumentFile cannot perform the technique regardless of tool or Execution Medium.

Apply least-privilege access controls at the repository type level, enforced through your identity provider. Regular access reviews against the user's role are higher STP than reactive alerts.

Respond

Disclosed

The attacker received a copy — the original data remains on the victim system. Assess what was read and whether it includes credentials or PII. Notify affected parties as required.

Attacker foothold: Client Application (actor.process) · Compromised Account (actor.user)
D3FEND response actions: d3f:ProcessTermination · d3f:AccountLocking · d3f:CredentialRevoking · d3f:NetworkIsolation
OCSF event model

Event class: File System Activity (1001)  ·  activity_id: Read

Entity graph legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["File System Activity\n· Read"])

  actor_process["Client Application\nactor.process\nd3f:Process"]:::attacker
  actor_user["Compromised Account\nactor.user\nd3f:UserAccount"]:::attacker
  document["Repository Document\nfile\nd3f:DocumentFile"]:::victim
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  actor_process --> actor_user
  EVENT --> document
  EVENT --> device

  actor_process -.->|"reads"| document
Client Application (actor.process · d3f:Process), attacker-controlled
  actor.process.file.path [attacker_controlled]: Client binary path — attacker-chosen, varies by tool preference
  Countermeasures: d3f:ProcessTermination

Compromised Account (actor.user · d3f:UserAccount), attacker-controlled
  actor.user.name [attacker_controlled]: Compromised account name — attacker-chosen from available credentials, varies per campaign
  Countermeasures: d3f:AccountLocking · d3f:CredentialRevoking

Repository Document (file · d3f:DocumentFile), victim
  file.path [variable]: Path or resource identifier of the accessed document — victim-side, value varies per document
  file.hash [variable]: Document hash — victim-side, changes with edits

Host (device · d3f:Host), tainted
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Data from Information Repositories (T1213)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: File System Activity (1001)
detection:
  selection:
    activity_id: 'Read'
  condition: selection
Environment-dependent entities

Generate org-specific sub-techniques using T1213.<platform>

Wiki

Organisational knowledge bases and wikis

Confluence · Notion · MediaWiki · SharePoint Wiki · Outline
Code Repository

Source control and code hosting platforms

GitHub · GitLab · Bitbucket · Azure DevOps · Perforce
Productivity Suite

Document and file storage platforms

SharePoint · Google Drive · OneDrive · Box · Dropbox
Ticketing System

Issue trackers and project management tools

Jira · Linear · GitHub Issues · ServiceNow
Messaging Platform

Team communication platforms with persistent history

Slack · Microsoft Teams · Discord
Seen in the wild (2 reports)
The Case for GitHub Actions Security ↗
Datadog Security Labs·2026-06-05

Miasma supply chain attack poisoned GitHub Actions runner caches to extract OIDC tokens from CI/CD pipeline memory — a T1213.github EDE instance distinct from ATT&CK's T1213.003 (Code Repositories).

TeamPCP node-ipc backdoor exfiltrates ~/.aws/credentials, .npmrc, ~/.kube/config, and SSH keys from developer machines — reading from development environment credential stores.