A0007: Control Server
Control servers are typically software platforms that run on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.
Analyst context for executives and security teams
A control server is a central ICS system that runs control software on server operating systems and communicates with PLCs, RTUs, and HMIs using automation protocols such as Modbus or DNP3. Its business significance is that it sits close to physical operations: compromise, misuse, outage, or loss of visibility here can affect process monitoring, operator control, and incident decision-making.
Executive priority
Treat control servers as high-value operational resilience assets. Leaders should ask whether these systems are inventoried, segmented, monitored, backed up, and included in incident response and recovery plans. Because ATT&CK relationships show many techniques targeting this asset class, including discovery, collection, valid accounts, rogue master behavior, denial of service, restart/shutdown, and data destruction, priority should focus on protecting availability, trusted operator access, and evidence needed to prove control effectiveness for audit and response.
Technical view
SOC, OT security, and IR teams should validate monitoring around control server host activity, control protocol communications, HMI connectivity, and interactions with PLCs/RTUs. Relationship context indicates defenders should look for abnormal process-state monitoring, automated enumeration or collection, command-line or GUI access, scripting, network sniffing, port/broadcast/multicast discovery, suspicious use of valid accounts, rogue master-like communications, unexpected restart/shutdown activity, and destructive file or data activity. Platforms are Embedded, Linux, and Windows, so coverage should be checked per deployed OS and control software role.
Likely telemetry
- Asset inventory identifying control servers, operating systems, control applications, HMI services, and connected PLC/RTU relationships
- Network traffic for automation protocols such as Modbus and DNP3, plus other native control-system protocols in use
- HMI-to-control-server and control-server-to-field-device communication records
- Windows, Linux, or embedded host logs where available, including process execution, service changes, authentication, and command-line activity
- Remote GUI or CLI access records, including administrative sessions
Detection direction
- Start with asset role baselining: expected HMIs, PLCs/RTUs, protocols, ports, users, services, and maintenance windows must be known before anomaly detection is meaningful.
- Tune for deviations in control-server communications, including new peers, unusual protocol volume, unexpected broadcast or multicast discovery, and traffic patterns consistent with enumeration or sniffing preparation.
- Correlate valid account use with OT context: logons outside normal operator/engineering workflows, unusual GUI/CLI access, and account use followed by scripting, file changes, or network discovery should receive higher priority.
- Watch for rogue master indicators by validating that only authorized control server functions communicate with outstations or low-level control devices.
- Include host and network evidence because official ATT&CK detection guidance is not provided for this asset; relying only on endpoint logs may miss protocol misuse, while relying only on network monitoring may miss local CLI, GUI, scripting, or data destruction activity.
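One way to turn the baselining, new-peer and rogue-master checks above into a first-pass detector, as an added example that is not ATT&CK or Glexia code; the addresses, the Modbus/DNP3 port map and the flow records are all constructed for the example:

```python
from ipaddress import ip_address, ip_network

# Constructed baseline (assumption, not from the page): which hosts may act as
# master toward each outstation and over which control port (Modbus/TCP 502,
# DNP3 20000). All addresses are made up.
SITE = ip_network("10.20.0.0/16")
CONTROL_PORTS = {502: "modbus", 20000: "dnp3"}
CONTROL_SERVERS = {"10.20.0.5"}
BASELINE = {                        # outstation -> (authorized masters, expected port)
    "10.20.1.10": ({"10.20.0.5"}, 502),     # PLC-1
    "10.20.1.11": ({"10.20.0.5"}, 20000),   # RTU-7
}

def classify(src, dst, port):
    """Return a finding tag for one flow, or None if it matches the baseline."""
    dst_ip = ip_address(dst)
    if dst_ip.is_multicast or dst_ip == SITE.broadcast_address:
        return "discovery"          # broadcast/multicast from a control host
    if port not in CONTROL_PORTS:
        return None                 # not a control protocol; out of scope here
    if dst in BASELINE:
        masters, expected_port = BASELINE[dst]
        if src not in masters:
            return "rogue-master"   # unbaselined host polling an outstation
        if port != expected_port:
            return "protocol-deviation"
        return None
    if src in CONTROL_SERVERS:
        return "new-peer"           # control server reaching an unbaselined device
    return None

def review(flows):
    """Run the baseline check over (src, dst, dst_port) records; keep only deviations."""
    return [(tag, src, dst, port) for src, dst, port in flows
            if (tag := classify(src, dst, port))]

# Constructed flow records, in the shape a flow collector might export them.
FLOWS = [
    ("10.20.0.5", "10.20.1.10", 502),         # expected Modbus poll
    ("10.20.0.5", "10.20.1.11", 20000),       # expected DNP3 poll
    ("10.20.0.77", "10.20.1.10", 502),        # unknown host polling PLC-1
    ("10.20.0.5", "10.20.1.10", 20000),       # right master, wrong protocol
    ("10.20.0.5", "10.20.255.255", 502),      # subnet broadcast
    ("10.20.0.5", "239.255.255.250", 1900),   # multicast discovery
    ("10.20.0.5", "10.20.9.9", 502),          # control server to unbaselined peer
]

if __name__ == "__main__":
    for finding in review(FLOWS):
        print(*finding)
```

The baseline here is a literal dictionary; in practice it would be generated from the asset inventory and maintenance-window data the list above calls for, and findings would be enriched with the host evidence before escalation.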
Mitigation priorities
- Prioritize accurate inventory, ownership, and criticality classification for each control server and its dependent HMIs, PLCs, RTUs, repositories, and protocols.
- Restrict and review interactive access, service accounts, and default or shared credentials associated with control server operations.
- Segment control server communications so only required HMIs, engineering systems, and field devices can communicate over approved protocols and paths.
- Harden Windows, Linux, or embedded configurations according to the actual platform, minimizing unnecessary services, remote access paths, scripting exposure, and removable media use.
- Maintain tested backups and recovery procedures for control server software, configuration, project files, and related repositories to support recovery from destruction, outage, or unauthorized change.
Analyst notes and limits
This take is based on MITRE ATT&CK asset A0007 and the supplied relationships showing techniques that target control servers. The strongest decision value is not a single detection rule but ensuring the organization can identify authorized control-server behavior and rapidly investigate deviations affecting physical process visibility or control.
MITRE does not provide official detection text or tactics for this asset in the supplied fields. The relationship descriptions are technique-level context and do not prove any specific environment is exposed or compromised. Local architecture, vendor software, protocol use, logging availability, and operational procedures are required to turn this into validated detections or control requirements.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0849 | Masquerading | Masquerading targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0867 | Lateral Tool Transfer | Lateral Tool Transfer targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T0894 | System Binary Proxy Execution | System Binary Proxy Execution targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0802 | Automated Collection | Automated Collection targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T0811 | Data from Information Repositories | Data from Information Repositories targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0895 | Autorun Image | Autorun Image targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | f6bef8db32ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Guidance - NIST SP800-82: Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.
- [2] mitre-attack: A0007
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.