Difference between revisions of "Technique/T0802"

From attackics
m (Text replacement - "File:" to "[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/file.yml File]:")
m (Text replacement - "Script:" to "[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/script.yml Script]:")
Line 2 (unchanged lines shown once; the only change is the "Script" data source becoming a link):

|Name=Automated Collection
|Category=Collection
- |Data Sources=[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/command.yml Command]: Command Execution, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/file.yml File]: File Access, Script: Script Execution, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]: Network Traffic Content
+ |Data Sources=[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/command.yml Command]: Command Execution, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/file.yml File]: File Access, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/script.yml Script]: Script Execution, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]: Network Traffic Content
|Technical Description=Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.
|Assets=Field Controller/RTU/PLC/IED,Safety Instrumented System/Protection Relay,Control Server

Latest revision as of 17:35, 20 October 2021

Automated Collection
Technique
ID: T0802
Tactic: Collection
Data Sources: Command: Command Execution, File: File Access, Script: Script Execution, Network Traffic: Network Traffic Content
Asset: Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay, Control Server

Description

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.
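The Network Traffic Content data source listed above is one place this technique surfaces: a single host browsing the address space of many OPC servers in a short window looks different from an operator working on one server. The following is an added detection example, not code from the attackics page or from MITRE; the log format, host names and OPC operation names are constructed for illustration, and the window and server-count thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Network Traffic Content records (not from the page):
# timestamp, source host, destination OPC server, protocol operation.
SAMPLE_LOG = """\
2021-10-20T10:00:00 HMI-01 OPC-SRV-A OPC_BROWSE
2021-10-20T10:00:01 HMI-01 OPC-SRV-A OPC_READ
2021-10-20T10:00:02 HMI-01 OPC-SRV-B OPC_BROWSE
2021-10-20T10:00:02 HMI-01 OPC-SRV-C OPC_BROWSE
2021-10-20T10:00:03 HMI-01 OPC-SRV-D OPC_BROWSE
2021-10-20T10:00:04 HMI-01 OPC-SRV-E OPC_BROWSE
2021-10-20T10:30:00 ENG-WS-02 OPC-SRV-A OPC_BROWSE
2021-10-20T10:45:00 ENG-WS-02 OPC-SRV-A OPC_READ
"""

# Operations that walk a server's address space (assumed label for the
# browse/enumerate call; real capture tooling will name it differently).
ENUM_OPS = {"OPC_BROWSE"}

def parse(log):
    """Turn the whitespace-separated sample records into typed tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, op = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, op))
    return events

def find_enumerators(events, window=timedelta(minutes=5), min_servers=3):
    """Return {src: set(dst)} for sources that browsed at least min_servers
    distinct OPC servers within any sliding `window`. An operator opening
    one server, even repeatedly, stays below the threshold."""
    browses = defaultdict(list)
    for ts, src, dst, op in sorted(events):
        if op in ENUM_OPS:
            browses[src].append((ts, dst))
    flagged = {}
    for src, hits in browses.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            servers = {dst for _, dst in hits[start:end + 1]}
            if len(servers) >= min_servers:
                flagged[src] = flagged.get(src, set()) | servers
    return flagged

if __name__ == "__main__":
    for src, servers in find_enumerators(parse(SAMPLE_LOG)).items():
        print(f"{src} browsed {len(servers)} OPC servers: {sorted(servers)}")
```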


Procedure Examples

  • Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze.[1]
  • Industroyer automatically collects protocol object data to learn about control devices in the environment.[2]

Mitigations

  • Network Allowlists - Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.
  • Network Segmentation - Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).