Monitor Process State

Technique
ID: T0801
Tactic: Collection
Data Sources: Controller program, Network device logs, Host network interfaces, Process monitoring, Netflow/Enclave netflow
Asset: Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay

Description

Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. The sources of process state information vary and may include OPC tags, historian data, specific PLC block information, or network traffic.
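
One way a defender can use the Netflow data source listed above to spot hosts collecting process state over the network, as an added example that is not part of the original page: it flags clients that repeatedly connect to controllers on common industrial protocol ports without appearing in a baseline of expected pollers. The addresses, the baseline and the flow records are constructed, and flow data alone cannot tell reads from writes.

```python
import csv
import io
from collections import defaultdict

# Well-known TCP ports of common industrial protocols.
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP",
             4840: "OPC UA", 44818: "EtherNet/IP"}

# Constructed baseline: (client, controller, port) pairs expected to poll process data.
BASELINE = {
    ("10.10.1.20", "10.10.2.11", 502),   # HMI -> PLC-1
    ("10.10.1.20", "10.10.2.12", 502),   # HMI -> PLC-2
    ("10.10.1.30", "10.10.2.11", 4840),  # historian -> PLC-1
}

# Constructed flow records: start_time,src,dst,dst_port,bytes
SAMPLE_FLOWS = """\
2024-01-01T00:00:01,10.10.1.20,10.10.2.11,502,840
2024-01-01T00:00:02,10.10.1.30,10.10.2.11,4840,1200
2024-01-01T00:00:05,10.10.1.77,10.10.2.11,502,420
2024-01-01T00:00:06,10.10.1.77,10.10.2.12,502,420
2024-01-01T00:00:35,10.10.1.77,10.10.2.11,502,420
2024-01-01T00:00:40,10.10.1.20,10.10.2.12,502,840
2024-01-01T00:00:41,10.10.1.20,10.10.3.5,443,5000
"""

def find_unbaselined_pollers(flow_csv, baseline=BASELINE, min_flows=2):
    """Return {client: summary} for hosts contacting controllers outside the baseline."""
    seen = defaultdict(lambda: {"controllers": set(), "protocols": set(), "flows": 0})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        _ts, src, dst, port, _nbytes = row
        port = int(port)
        if port not in ICS_PORTS or (src, dst, port) in baseline:
            continue  # not an industrial protocol, or an expected poller
        entry = seen[src]
        entry["controllers"].add(dst)
        entry["protocols"].add(ICS_PORTS[port])
        entry["flows"] += 1
    # Repeated flows suggest ongoing polling rather than a one-off connection.
    return {src: e for src, e in seen.items() if e["flows"] >= min_flows}

if __name__ == "__main__":
    for src, e in find_unbaselined_pollers(SAMPLE_FLOWS).items():
        print(src, sorted(e["controllers"]), sorted(e["protocols"]), e["flows"])
```
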


Procedure Examples

  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.[1]

Mitigations