Detect Program State

From attackics
Technique: Detect Program State
ID: T870
Tactic: Collection
Data Sources: Network protocol analysis, Packet capture
Asset: Field Controller/RTU/PLC/IED

Description

Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals details about the program, including whether it is running, halted, stopped, or has generated an exception. This information may be leveraged to verify malicious program execution or to determine whether a PLC is ready to download a new program.
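One way to look for this behaviour in the listed data sources, as an added example that is not part of the original page: the code correlates program-state queries with program downloads to the same controller. The event tuples, operation names, addresses, allowlist and 60-second window are constructed assumptions; a real deployment would map its own protocol dissector's output onto them.

```python
# Constructed sample: (timestamp_s, source, plc, operation), as if already
# decoded from a packet capture. Operation names are hypothetical labels.
EVENTS = [
    (100, "10.0.5.10", "10.0.9.20", "get_program_state"),  # routine poll
    (200, "10.0.7.66", "10.0.9.20", "get_program_state"),  # unknown host
    (215, "10.0.7.66", "10.0.9.20", "download_program"),
    (230, "10.0.7.66", "10.0.9.20", "get_program_state"),
    (900, "10.0.5.10", "10.0.9.20", "download_program"),   # long after poll
]

# Assumed allowlist of engineering workstations permitted to talk to PLCs.
ENGINEERING_HOSTS = {"10.0.5.10"}


def detect_state_probing(events, allowed, window=60):
    """Return (timestamp, source, plc, rule) alerts.

    Rules:
      unapproved-source    state query from a host outside the allowlist
      query-then-download  state query, then download within `window`
                           (readiness check before loading a program)
      download-then-query  download, then state query within `window`
                           (verification that the new program runs)
    Sequence rules fire for approved hosts too, so that they can be
    checked against scheduled maintenance.
    """
    alerts = []
    last_query = {}     # (source, plc) -> time of latest state query
    last_download = {}  # (source, plc) -> time of latest download
    for ts, src, plc, op in sorted(events):
        key = (src, plc)
        if op == "get_program_state":
            if src not in allowed:
                alerts.append((ts, src, plc, "unapproved-source"))
            prev = last_download.get(key)
            if prev is not None and ts - prev <= window:
                alerts.append((ts, src, plc, "download-then-query"))
            last_query[key] = ts
        elif op == "download_program":
            prev = last_query.get(key)
            if prev is not None and ts - prev <= window:
                alerts.append((ts, src, plc, "query-then-download"))
            last_download[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_state_probing(EVENTS, ENGINEERING_HOSTS):
        print(alert)
```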


Procedure Examples

  • Triton contains a file named TS_cnames.py, which holds default definitions for program state (TS_progstate). Program state is referenced in TsHi.py. [1]