Monitor Process State

From attackics
Revision as of 15:41, 25 September 2020 by Jsteele (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Monitor Process State
ID T0801
Tactic Collection
Data Sources Controller program, Network device logs, Host network interfaces, Process monitoring, Netflow/Enclave netflow
Asset Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay


Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

Procedure Examples

  • Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables.1
  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.2