This site has been deprecated in favor of and will remain in place until 11/1/22.

Monitor Process State



ID: T0801
Tactic: Collection
Data Sources: Network Traffic: Network Traffic Content
Asset: Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay


Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. The sources of process state information may vary, such as OPC tags, historian data, specific PLC block information, or network traffic.

Procedure Examples

  • Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables. [1]
  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. [2]