Detect Program State

ID: T870
Tactic: Collection
Data Sources: Network protocol analysis, Packet capture
Asset: Field Controller/RTU/PLC/IED


Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals details about the program, including whether it is running, halted, stopped, or has generated an exception. Adversaries may use this information to verify that a malicious program has executed or to determine whether a PLC is ready to download a new program.

Procedure Examples

  • Triton contains a file named which contains default definitions for program state (TS_progstate). Program state is referenced in