Monitor Process State

From attackics
Jump to navigation Jump to search
Monitor Process State
Technique
ID T0801
Tactic Collection
Data Sources Network Traffic: Network Traffic Content 
Asset Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay

Description

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.


Procedure Examples

  • Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables.1
  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.2

Mitigations


References

  1. ^  Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
  1. ^  Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0801&oldid=9734"