Monitor Process State

Monitor Process State
Technique
ID	T0801
Tactic	Collection
Data Sources	Controller program, Network device logs, Host network interfaces, Process monitoring, Netflow/Enclave netflow
Asset	Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay

Description

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

Procedure Examples

Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.1

Mitigations

Mitigation Limited or Not Effective - This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

^ Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.

v · d · e Adversary Techniques

Initial Access	Data Historian Compromise Drive-by Compromise Engineering Workstation Compromise Exploit Public-Facing Application External Remote Services Initial Access Internet Accessible Device Replication Through Removable Media Spearphishing Attachment Supply Chain Compromise Wireless Compromise

Execution	Change Program State Command-Line Interface Execution Execution through API Graphical User Interface Man in the Middle Program Organization Units Project File Infection Scripting User Execution

Persistence	Hooking Module Firmware Persistence Program Download Project File Infection System Firmware Valid Accounts

Evasion	Evasion Exploitation for Evasion Indicator Removal on Host Masquerading Rogue Master Device Rootkit Spoof Reporting Message Utilize/Change Operating Mode

Discovery	Control Device Identification Discovery I/O Module Discovery Network Connection Enumeration Network Service Scanning Network Sniffing Remote System Discovery Serial Connection Enumeration

Lateral Movement	Default Credentials Exploitation of Remote Services External Remote Services Lateral Movement Program Organization Units Remote File Copy Valid Accounts

Collection	Automated Collection Collection Data from Information Repositories Detect Operating Mode Detect Program State I/O Image Location Identification Monitor Process State Point & Tag Identification Program Upload Role Identification Screen Capture

Inhibit Response Function	Activate Firmware Update Mode Alarm Suppression Block Command Message Block Reporting Message Block Serial COM Data Destruction Denial of Service Device Restart/Shutdown Inhibit Response Function Manipulate I/O Image Modify Alarm Settings Modify Control Logic Program Download Rootkit System Firmware Utilize/Change Operating Mode

Impair Process Control	Brute Force I/O Change Program State Impair Process Control Masquerading Modify Control Logic Modify Parameter Module Firmware Program Download Rogue Master Device Service Stop Spoof Reporting Message Unauthorized Command Message

Impact	Damage to Property Denial of Control Denial of View Impact Loss of Availability Loss of Control Loss of Productivity and Revenue Loss of Safety Loss of View Manipulation of Control Manipulation of View Theft of Operational Information

Monitor Process State

Description

Procedure Examples

Mitigations

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

ATT&CK™

Questions?

Tools