T0801 Monitor Process State
Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. Sources of process state information vary and may include OPC tags, historian data, specific PLC block information, or network traffic.
| Item | Value |
|---|---|
| ID | T0801 |
| Sub-techniques | |
| Tactics | TA0100 |
| Platforms | None |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 25 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1165 | FrostyGoop | FrostyGoop can read data from holding registers via Modbus communication. [2] |
| S0604 | Industroyer | Industroyer’s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. [4] |
| S1072 | Industroyer2 | Industroyer2 uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values. [3] |
| S0603 | Stuxnet | Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. [1] |
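A defender-side check for the kind of Modbus holding-register reads described in the FrostyGoop entry, added here as an example that is not part of the ATT&CK page or any of the referenced reports: it parses Modbus/TCP frames and flags function code 3 (Read Holding Registers) requests from hosts outside a poller allowlist. The allowlist, host addresses and frames are constructed for the example.

```python
"""Flag Modbus/TCP holding-register reads from hosts not expected to poll the PLC.

Modbus/TCP frame layout: MBAP header (7 bytes: transaction id, protocol id,
length, unit id) followed by the PDU (function code + data).
"""
import struct

FC_READ_HOLDING_REGISTERS = 0x03

# Hypothetical allowlist of hosts that legitimately poll process values (constructed).
ALLOWED_POLLERS = {"10.0.0.10"}  # e.g. the HMI/SCADA server


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header; for function code 3 also decode start address and quantity."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not Modbus/TCP (protocol id must be 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    result = {"tid": tid, "unit": unit, "fc": fc}
    if fc == FC_READ_HOLDING_REGISTERS and len(frame) >= 12:
        start, qty = struct.unpack(">HH", frame[8:12])
        result.update(start=start, quantity=qty)
    return result


def find_unexpected_reads(flows, allowed=ALLOWED_POLLERS):
    """flows: iterable of (src_ip, frame). Returns (src, unit, start, qty) for reads by other hosts."""
    alerts = []
    for src, frame in flows:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed or non-Modbus; not a well-formed read request
        if pdu["fc"] == FC_READ_HOLDING_REGISTERS and src not in allowed:
            alerts.append((src, pdu["unit"], pdu.get("start"), pdu.get("quantity")))
    return alerts


# Constructed sample traffic: the HMI polls registers 0-9, an unknown host polls 100-119,
# and a truncated frame from the unknown host is ignored rather than mis-parsed.
SAMPLE_FLOWS = [
    ("10.0.0.10", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    ("10.0.0.99", struct.pack(">HHHBBHH", 2, 0, 6, 1, 3, 100, 20)),
    ("10.0.0.99", bytes.fromhex("00030000000101")),
]
```

Run over captured traffic, the allowlist should be built from a baseline of the engineering and SCADA hosts that normally poll each unit id; an unexpected reader of process values is worth an alert even though the read itself is a legitimate protocol feature.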
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0816 | Mitigation Limited or Not Effective | This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. |
References
1. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024.
2. Mark Graham, Carolyn Ahlers, Kyle O’Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.
3. Forescout. (2022, July 14). Industroyer2 and INCONTROLLER: In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.
4. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.