Automated Collection

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

ID: T0802
Sub-techniques: No sub-techniques
Tactic: Collection
Platforms: Control Server, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay
Version: 1.0
Created: 21 May 2020
Last Modified: 24 October 2022

Procedure Examples

ID Name Description
S0093 Backdoor.Oldrea

Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [1]

S0604 Industroyer

Industroyer automatically collects protocol object data to learn about control devices in the environment. [2]


Mitigations

ID Mitigation Description
M0807 Network Allowlists

Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.

M0930 Network Segmentation

Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).


Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that could be taken to collect internal data.

DS0022 File File Access

Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.

DS0029 Network Traffic Network Traffic Content

Monitor for information collection against assets that deviates from the behavior of standard operational tools. Examples include unexpected industrial automation protocol functions, new high-volume communication sessions, or broad collection across many hosts within the network.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.
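The three signals the Network Traffic Content entry calls out (unexpected protocol functions, new high-volume sessions, broad collection across many hosts) can be checked with a sliding window over protocol-level flow records. The following is an added example written for this page, not MITRE's or any vendor's code; the log format, host addresses, allowlisted historian, function labels (OPCUA BROWSE, MODBUS READ_DEVICE_ID, DNP3 READ) and thresholds are all assumptions chosen for the demonstration, and the traffic is constructed, not captured.

```python
"""Flag automated collection over ICS protocols in constructed flow records.

Added example for ATT&CK for ICS T0802; not MITRE code. Log format, addresses,
function labels and thresholds are assumptions for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hosts whose job is to poll many devices (historian, SCADA server). Assumed.
KNOWN_COLLECTORS = {"10.10.1.20"}

# Functions that read or enumerate device data. Labels are this example's own
# shorthand, not protocol wire codes.
READ_FUNCTIONS = {"READ", "BROWSE", "READ_DEVICE_ID", "READ_CLASS0"}
# Functions used mainly to discover what a device is or exposes. Engineering
# tools use them rarely, so any use from a non-allowlisted host is reported.
ENUMERATION_FUNCTIONS = {("OPCUA", "BROWSE"), ("MODBUS", "READ_DEVICE_ID")}

WINDOW = timedelta(minutes=5)
BROAD_THRESHOLD = 8     # distinct targets read by one source within WINDOW
VOLUME_THRESHOLD = 50   # requests on one (src, dst) pair within WINDOW


def parse_records(log_text):
    """Parse 'timestamp src dst proto function' lines into time-sorted tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, func = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, proto, func))
    return sorted(records)


def detect_collection(records):
    """Return a sorted list of (rule, source, detail) alerts, deduplicated."""
    alerts = set()
    per_src = defaultdict(deque)    # src -> (ts, dst) of recent read requests
    per_pair = defaultdict(deque)   # (src, dst) -> ts of recent requests
    for ts, src, dst, proto, func in records:
        # 1. Enumeration function from a host that is not a known collector.
        if (proto, func) in ENUMERATION_FUNCTIONS and src not in KNOWN_COLLECTORS:
            alerts.add(("unexpected_function", src, f"{proto} {func} to {dst}"))

        # 2. High-volume session on one source/destination pair.
        pair = per_pair[(src, dst)]
        pair.append(ts)
        while ts - pair[0] > WINDOW:
            pair.popleft()
        if len(pair) == VOLUME_THRESHOLD:   # fire once on crossing
            alerts.add(("high_volume_session", src,
                        f"{VOLUME_THRESHOLD} requests to {dst} within {WINDOW}"))

        # 3. Broad collection: one unexpected host reading from many devices.
        if func in READ_FUNCTIONS and src not in KNOWN_COLLECTORS:
            recent = per_src[src]
            recent.append((ts, dst))
            while ts - recent[0][0] > WINDOW:
                recent.popleft()
            if len({d for _, d in recent}) >= BROAD_THRESHOLD:
                alerts.add(("broad_collection", src,
                            f"reads against {BROAD_THRESHOLD}+ hosts within {WINDOW}"))
    return sorted(alerts)


def build_sample_log():
    """Constructed traffic for the demonstration; not a real capture."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    rtus = [f"10.10.2.{n}" for n in range(11, 23)]   # 12 field devices
    lines = []
    # Allowlisted historian polls every RTU once a minute: expected behaviour.
    for minute in range(10):
        t = (base + timedelta(minutes=minute)).isoformat()
        lines += [f"{t} 10.10.1.20 {rtu} DNP3 READ" for rtu in rtus]
    # An engineering workstation browses every OPC UA server within two
    # minutes: enumeration function and broad collection.
    for i, rtu in enumerate(rtus):
        t = (base + timedelta(minutes=3, seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.10.1.77 {rtu} OPCUA BROWSE")
    # One host issues 60 Modbus reads to a single PLC in a minute: high volume.
    for i in range(60):
        t = (base + timedelta(minutes=6, seconds=i)).isoformat()
        lines.append(f"{t} 10.10.1.31 10.10.2.11 MODBUS READ")
    return "\n".join(lines)


if __name__ == "__main__":
    for rule, src, detail in detect_collection(parse_records(build_sample_log())):
        print(f"{rule:22} {src:12} {detail}")
```

The allowlist of known collectors is what keeps the historian's own polling from drowning the alerts; without a per-site baseline of which hosts are expected to read many devices, the broad-collection rule fires on the SCADA server every cycle. The volume rule deliberately applies to allowlisted hosts as well, since a compromised historian is still a collection platform.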