Point & Tag Identification

From attackics
Jump to navigation Jump to search
Point & Tag Identification
ID T861
Tactic Collection
Data Sources Network protocol analysis, Packet capture, Netflow/Enclave netflow
External Contributors Jos Wetzels - Midnight Blue
Asset Data Historian, Control Server, Human-Machine Interface


Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience.

Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.

Procedure Examples

  • Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id.2