Home/ATT&CK Technique/Monitor Process State
ICS ATT&CK

Monitor Process State

T0801 · collection

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

None

Actors Using This

3
iran_linked_dragos_tracked_ics_activity_group_cyberav3ngers_persona_2024_disclosedBAUXITE
russia_consistent_state_actor_per_mandiant_dragos_high_confidence_no_specific_nation_attributionCHERNOVITE (PIPEDREAM / INCONTROLLER)
dragos_tracked_ics_activity_group_unc2630_apt5_significant_overlap_stage_2_capableKOSTOVITE

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1588.006 · Vulnerabilities ×4.76T1587.004 · Exploits ×4.49
initial-access earlier
T0866 · Exploitation of Remote Services ×19.83
persistence earlier
T0859 · Valid Accounts ×19.83T1037 · Boot or Logon Initialization Scripts ×3.66
privilege-escalation earlier
T1055.001 · Dynamic-link Library Injection ×5.06
discovery earlier
T1046 · Network Service Discovery ×3.97
impact later
T0813 · Denial of Control ×59.50T0831 · Manipulation of Control ×39.67T0827 · Loss of Control ×34.00T0832 · Manipulation of View ×34.00T0815 · Denial of View ×29.75T0826 · Loss of Availability ×18.31
other same
T0814 · Denial of Service ×23.80T1553.002 · Code Signing ×5.80

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin