
T0802 Automated Collection

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

Item Value
ID T0802
Sub-techniques
Tactics TA0100
Platforms Control Server, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay
Version 1.0
Created 21 May 2020
Last Modified 09 March 2023

Procedure Examples

ID Name Description
S0093 Backdoor.Oldrea Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [2]
S0604 Industroyer Industroyer automatically collects protocol object data to learn about control devices in the environment. [3]
S1072 Industroyer2 Industroyer2 leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple IEC-104 priority levels. [1]

Mitigations

ID Mitigation Description
M0807 Network Allowlists Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.
M0930 Network Segmentation Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Traffic Content
DS0012 Script Script Execution
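The pattern the procedure examples describe (Backdoor.Oldrea enumerating OPC-connected devices, Industroyer2 walking a hardcoded station list over IEC-104) shows up in the Network Traffic data source as one host opening sessions to many distinct control endpoints in a short span, which a legitimate master polling its fixed set of outstations does not do. The script below is an added example, not code from MITRE ATT&CK or from any of the software listed above; the connection records are constructed, and the port-to-protocol table, the 60-second window and the five-endpoint threshold are assumptions to be tuned against a site's own polling baseline.

```python
"""Flag automated collection sweeps over native ICS protocols.

Added example for the T0802 detection section; not MITRE's code. It reads
connection records (constructed below, Zeek conn.log-like) and alerts when one
source reaches many distinct IEC-104 / OPC endpoints inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Assumption: the native protocol ports worth watching. IEC 60870-5-104 uses
# TCP/2404; OPC Classic (DA) rides on DCOM, so TCP/135 endpoint-mapper traffic
# precedes the data connection; OPC UA defaults to TCP/4840.
ICS_PORTS: Dict[int, str] = {2404: "IEC-104", 135: "OPC-DA/DCOM", 4840: "OPC-UA"}


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


class Alert(NamedTuple):
    src: str
    first_seen: datetime
    targets: Tuple[Tuple[str, str], ...]  # (destination, protocol) pairs


# Constructed sample records: "<iso-timestamp> <src> <dst> <dport> <bytes_out>".
# 10.10.1.2 is the legitimate master polling two RTUs; 10.10.1.5 walks a list of
# stations one second apart (the Industroyer2 pattern) and also hits an OPC
# host; 10.10.1.9 touches three stations but minutes apart.
SAMPLE_LOG = """\
2023-03-09T10:00:00 10.10.1.2 10.20.0.11 2404 96
2023-03-09T10:00:05 10.10.1.2 10.20.0.12 2404 96
2023-03-09T10:00:10 10.10.1.2 10.20.0.11 2404 96
2023-03-09T10:00:00 10.10.1.5 10.20.0.11 2404 412
2023-03-09T10:00:01 10.10.1.5 10.20.0.12 2404 408
2023-03-09T10:00:02 10.10.1.5 10.20.0.13 2404 415
2023-03-09T10:00:03 10.10.1.5 10.20.0.14 2404 402
2023-03-09T10:00:04 10.10.1.5 10.20.0.15 2404 399
2023-03-09T10:00:05 10.10.1.5 10.20.0.16 135 1288
2023-03-09T10:00:06 10.10.1.5 10.30.0.7 443 5120
2023-03-09T10:00:00 10.10.1.9 10.20.0.11 2404 300
2023-03-09T10:05:00 10.10.1.9 10.20.0.12 2404 300
2023-03-09T10:10:00 10.10.1.9 10.20.0.13 2404 300
"""


def parse_records(text: str) -> List[Conn]:
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def find_sweeps(records: List[Conn],
                window: timedelta = timedelta(seconds=60),
                min_targets: int = 5) -> List[Alert]:
    """Return one Alert per source that reached >= min_targets distinct
    (destination, protocol) endpoints within some span no longer than `window`."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for rec in records:
        if rec.dport in ICS_PORTS:          # only native control protocols count
            by_src[rec.src].append(rec)

    alerts = []
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c.ts)
        best_start, best_targets = conns[0].ts, set()
        # Try each connection as the start of a window; keep the densest window.
        for i, first in enumerate(conns):
            targets = set()
            for c in conns[i:]:
                if c.ts - first.ts > window:
                    break
                targets.add((c.dst, ICS_PORTS[c.dport]))
            if len(targets) > len(best_targets):
                best_start, best_targets = first.ts, targets
        if len(best_targets) >= min_targets:
            alerts.append(Alert(src, best_start, tuple(sorted(best_targets))))
    return alerts


if __name__ == "__main__":
    for a in find_sweeps(parse_records(SAMPLE_LOG)):
        print(f"{a.src} swept {len(a.targets)} endpoints from {a.first_seen.isoformat()}:")
        for dst, proto in a.targets:
            print(f"  {dst} ({proto})")
```

On the constructed records only 10.10.1.5 fires: it reaches six distinct endpoints within six seconds, while the master's repeated polls of the same two RTUs and the slow three-station walk stay under the threshold. The threshold and window are the knobs that matter; a site whose master legitimately round-robins dozens of outstations every minute needs the known master excluded or a much higher threshold, and pairing this detection with the M0807 allowlist above means a sweep from an unexpected source is both logged and blocked at the network boundary.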

References