1. Home
  2. Techniques
  3. ICS
  4. Automated Collection

Automated Collection

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

ID: T0802
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S0093 Backdoor.Oldrea

Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [1]
S0604 Industroyer

Industroyer automatically collects protocol object data to learn about control devices in the environment. [2]
S1072 Industroyer2

Industroyer2 leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.[3]

Targeted Assets

ID Asset
A0007 Control Server
A0006 Data Historian
A0017 Distributed Control System (DCS) Controller
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)

Mitigations

ID Mitigation Description
M0807 Network Allowlists

Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.
M0930 Network Segmentation

Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).

Detection Strategy

ID Name Analytic ID Analytic Description
DET0734 Detection of Automated Collection AN1867

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.
Monitor executed commands and arguments for actions that could be taken to collect internal data.
Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.
Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network.

References

  1. Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01
  2. Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15
  1. Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.