This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Monitor Process State
To visit this technique's new page, go to https://attack.mitre.org/techniques/T0801 and update your links.
Monitor Process State | |
---|---|
Technique | |
ID | T0801 |
Tactic | Collection |
Data Sources | Network Traffic: Network Traffic Content |
Asset | Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
Description
Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. The sources of process state information vary and may include OPC tags, historian data, specific PLC block information, or network traffic.
Procedure Examples
- Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables. [1]
- Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. [2]
Mitigations
- Mitigation Limited or Not Effective - This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
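
Since preventive controls are limited, the listed data source (Network Traffic Content) is where this technique can be observed. The sketch below is an added example, not part of the original ATT&CK page: it flags process-state reads from hosts outside a polling baseline and escalates when one host reads state from several devices in a short window. The record format, protocol labels, addresses, object names, baseline and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of parsed traffic-content records (not a real tool's format).
# Columns: epoch seconds, source, destination, protocol, operation, object reference.
SAMPLE = """\
1000,10.0.0.5,10.0.1.10,iec61850-mms,read,LD0/XCBR1.Pos.stVal
1002,10.0.0.5,10.0.1.11,iec61850-mms,read,LD0/XCBR1.Pos.stVal
1003,10.0.0.77,10.0.1.10,iec61850-mms,read,LD0/XCBR1.Pos.stVal
1004,10.0.0.77,10.0.1.11,iec61850-mms,read,LD0/XCBR1.Pos.stVal
1005,10.0.0.77,10.0.1.12,iec61850-mms,read,LD0/XCBR2.Pos.stVal
1006,10.0.0.6,10.0.1.10,opc-da,read,Plant.Line1.BreakerState
1500,10.0.0.5,10.0.1.12,iec61850-mms,write,LD0/XCBR2.Pos.Oper
"""

# Assumed site baseline: hosts expected to poll state, and the devices they poll.
EXPECTED_READERS = {
    "10.0.0.5": {"10.0.1.10", "10.0.1.11", "10.0.1.12"},  # HMI
    "10.0.0.6": {"10.0.1.10"},                             # data historian
}

def find_unexpected_state_reads(log_text, expected=EXPECTED_READERS,
                                window=60, fanout=3):
    """Return alert tuples for process-state reads that fall outside the baseline."""
    alerts = []
    reported = set()                 # suppress duplicate alerts
    recent = defaultdict(list)       # src -> [(ts, dst)] of unbaselined reads
    for ts, src, dst, proto, op, obj in csv.reader(io.StringIO(log_text)):
        if op != "read" or dst in expected.get(src, ()):
            continue                 # writes and baselined polling are not this technique
        ts = int(ts)
        if (src, dst) not in reported:
            reported.add((src, dst))
            alerts.append(("unexpected-reader", src, dst, proto, obj))
        # Keep only this source's reads inside the sliding window, then add this one.
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window] + [(ts, dst)]
        devices = {d for _, d in recent[src]}
        if len(devices) >= fanout and (src, "sweep") not in reported:
            reported.add((src, "sweep"))
            alerts.append(("state-sweep", src, len(devices), proto, obj))
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_state_reads(SAMPLE):
        print(alert)
```
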
References