Monitor Process State

ID: T0801
Tactic: Collection
Data Sources: Controller program, Network device logs, Host network interfaces, Process monitoring, Netflow/Enclave netflow
Asset: Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay


Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. The sources of process state information vary, such as OPC tags, historian data, specific PLC block information, or network traffic.

Procedure Examples

  • Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables. [1]
  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. [2]
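
A detection sketch built on the Netflow/Enclave netflow data source listed above, added here as an example and not part of the original entry: it flags hosts that open OPC or IEC 61850 sessions to a controller without being in that controller's baseline of expected pollers. The addresses, the baseline table, the CSV layout and the function names are assumptions made for illustration.

```python
"""Added example: flag unexpected hosts polling controllers for process data."""
import csv
import io
from collections import defaultdict

# Well-known TCP ports for the protocols named on this page (OPC, IEC 61850).
ICS_READ_PORTS = {102: "IEC 61850 MMS", 135: "OPC DA (DCOM)", 4840: "OPC UA"}

# Assumed site baseline: clients expected to poll each controller.
AUTHORIZED_POLLERS = {
    "10.10.1.20": {"10.10.0.5", "10.10.0.6"},  # PLC polled by HMI and historian
    "10.10.1.21": {"10.10.0.5"},               # PLC polled by HMI only
}

# Constructed flow records (not real traffic).
SAMPLE_FLOWS = """\
src,dst,dport,flows
10.10.0.5,10.10.1.20,102,120
10.10.0.6,10.10.1.20,4840,60
10.10.0.77,10.10.1.20,102,45
10.10.0.77,10.10.1.21,102,44
10.10.0.5,10.10.1.21,102,118
10.10.0.9,10.10.1.21,443,3
"""

def find_unexpected_pollers(flow_csv, baseline=AUTHORIZED_POLLERS, ports=ICS_READ_PORTS):
    """Return {src: [(dst, protocol, flows), ...]} for sources that open
    ICS-protocol sessions to a controller without being in its baseline."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dport = int(row["dport"])
        if dport not in ports:
            continue  # not a process-data protocol tracked here
        allowed = baseline.get(row["dst"])
        if allowed is None:
            continue  # destination is not a monitored controller
        if row["src"] not in allowed:
            findings[row["src"]].append((row["dst"], ports[dport], int(row["flows"])))
    return dict(findings)

def fan_out(findings):
    """Rank sources that touch the most controllers first for triage."""
    return sorted(findings, key=lambda s: (-len(findings[s]), s))

if __name__ == "__main__":
    hits = find_unexpected_pollers(SAMPLE_FLOWS)
    for src in fan_out(hits):
        print(src, hits[src])
```

Flow records show who is talking to a controller, not whether the session reads or writes; confirming a read such as the "stVal" requests above requires protocol-level inspection or controller logs.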