Change Program State

From attackics
Jump to navigation Jump to search
Change Program State
ID T875
Tactic Execution, Impair Process Control
Data Sources Alarm history, Sequential event recorder, Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED


Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.

Procedure Examples

  • After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.1
  • Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.2
  • Triton has the ability to halt or run a program through the TriStation protocol. contains instances of halt and run functions being executed.3