ATT&CK v19.0 ICS
This commit is contained in:
adpare
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3b100192-8473-43da-9163-2af54ea28045",
|
||||
"id": "bundle--392b27e2-1426-462f-8af7-ef1842904984",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-15T19:58:01.218Z",
|
||||
"modified": "2026-04-20T20:58:37.791Z",
|
||||
"name": "Block Command Message",
|
||||
"description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--db059f6e-c51e-4d30-a497-89dd97c63544",
|
||||
"id": "bundle--4420a5bb-5e76-45e8-92f3-f2d1d0fc7c7d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--511c1a9a-5d50-41f1-90f6-5484dd141e4c",
|
||||
"id": "bundle--3aff9d1a-cdcd-4e4c-b679-fbbacebb53c2",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a07fda33-be7f-4b0e-b471-5f9aa83d88df",
|
||||
"id": "bundle--e3868a29-3e0c-495b-98c8-e31d8c7d177a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a1cc64ed-550c-4549-a810-bdd45171da08",
|
||||
"id": "bundle--fa655f76-185f-4850-9b61-5e2469106d64",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -52,7 +52,6 @@
|
||||
"ICSCoE Japan"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5d1cd3e6-81ee-4517-a96d-9e47c5a5cb5f",
|
||||
"id": "bundle--8acf0b5f-6171-41fd-b5e2-dfc7c8de1da9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e570e62d-359b-44f1-9a0c-d71a2b9ad4e3",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
|
||||
"created": "2026-04-20T20:54:16.029Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1691/001",
|
||||
"external_id": "T1691.001"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
},
|
||||
{
|
||||
"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
|
||||
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
|
||||
"url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T18:50:42.389Z",
|
||||
"name": "Command Message",
|
||||
"description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a0edae38-b1be-49c1-aac0-e6203bac1275",
|
||||
"id": "bundle--cfbc79f6-8189-4439-bded-67a2266ca62b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -41,8 +41,7 @@
|
||||
"None"
|
||||
],
|
||||
"x_mitre_version": "1.0",
|
||||
"revoked": false,
|
||||
"x_mitre_detection": ""
|
||||
"revoked": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b8c1ac95-32be-495e-8224-c779b3c6ac71",
|
||||
"id": "bundle--9e4a8729-3b57-4fd5-b835-d0e1eebfe882",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--fd9dc067-3b38-4d3b-bd61-f56b6cc40d77",
|
||||
"id": "bundle--a438b9fc-6a06-4463-8d8e-f17a1703ad7d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -50,7 +50,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e0070a8a-84a7-4f53-ad09-3d3257d58503",
|
||||
"id": "bundle--fe8f8c52-2d90-4258-8301-012c9034f7ed",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:10.923Z",
|
||||
"modified": "2026-04-20T20:58:51.323Z",
|
||||
"name": "Block Serial COM",
|
||||
"description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
|
||||
"kill_chain_phases": [
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3596db84-c907-4de0-ba4b-315df759ebe0",
|
||||
"id": "bundle--75c12133-ac56-4cf3-bb09-ef255f02bd49",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2b8ae6cd-3e96-4544-9f58-61fc162fef11",
|
||||
"id": "bundle--28b49a0f-7c68-4318-87ee-8b010f4611a2",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3c28048a-0464-476a-b722-165f7f608207",
|
||||
"id": "bundle--84df1df6-0102-40b1-8dc0-e3fec7d69926",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c4211b9b-9d62-4372-b938-4b7d9630a35b",
|
||||
"id": "bundle--d78cc6ea-97f3-44dd-ae29-df24d6d0cc08",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -38,7 +38,6 @@
|
||||
"Jos Wetzels - Midnight Blue"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4355c76f-c13c-44c9-afe8-704e86945e02",
|
||||
"id": "bundle--e456cd6c-6144-4270-aafa-d0695c331b7a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f71161c9-4dda-4109-b5d0-32649d23f9a3",
|
||||
"id": "bundle--852f2fa4-df16-4d17-8102-57091396464a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4a1385b1-475c-4963-a8fe-829b94439558",
|
||||
"id": "bundle--b58e6c3b-56d2-403a-bc54-f0de15f53a7b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -58,7 +58,6 @@
|
||||
"Scott Dougherty"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--fd150993-1119-4b68-b871-8db6f239e52b",
|
||||
"id": "bundle--0bacf285-457b-4696-95d4-0c09bfd5f268",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -54,7 +54,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e6091ad9-6da6-445f-9bdd-135514b4386a",
|
||||
"id": "bundle--ee4ab113-9a09-45fd-9949-93fc5c7874cb",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -39,7 +39,6 @@
|
||||
"Jos Wetzels - Midnight Blue"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0498a7e3-24f2-435f-a022-2b981d0bc446",
|
||||
"id": "bundle--0834f6ea-1da7-43b2-acd6-678ec7dd773f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -50,7 +50,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--df038f55-e85e-473b-a7c2-68bcdff5b42c",
|
||||
"id": "bundle--4c7c8e72-22ab-4b83-a8e2-6957aa52a8a2",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--69924db1-013b-4768-93de-2f112bbfa657",
|
||||
"id": "bundle--714783b7-56ba-4f41-8ac1-60fb9dab09d8",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -38,8 +38,7 @@
|
||||
"None"
|
||||
],
|
||||
"x_mitre_version": "1.0",
|
||||
"revoked": false,
|
||||
"x_mitre_detection": ""
|
||||
"revoked": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--fa6a6821-d172-4240-af82-652613ee9d2e",
|
||||
"id": "bundle--33d9b414-af0b-4dc0-b9dd-6a8c9beb3e4f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--70611865-6dd5-453d-96be-9e9f6bb43c10",
|
||||
"id": "bundle--598eb5ab-3867-4f3f-ab33-11dc1d602c3d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--febc1ad3-4c3f-4a9e-9087-ce284bc68fd0",
|
||||
"id": "bundle--c3270e3e-ef4b-4ee9-b826-70128660fee8",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -38,8 +38,7 @@
|
||||
"None"
|
||||
],
|
||||
"x_mitre_version": "1.0",
|
||||
"revoked": false,
|
||||
"x_mitre_detection": ""
|
||||
"revoked": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--db3b07ef-145d-418e-8491-2b6a8e8706fb",
|
||||
"id": "bundle--d66c4692-4856-4adb-9bd9-4062bd99c25c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--70b6a9d3-e4e4-42b6-b5b7-7077463b7d12",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628",
|
||||
"created": "2026-04-20T20:50:34.107Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1691",
|
||||
"external_id": "T1691"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
},
|
||||
{
|
||||
"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
|
||||
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
|
||||
"url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T18:49:15.673Z",
|
||||
"name": "Block Operational Technology Message",
|
||||
"description": "Adversaries may block messages between systems and devices in an OT/ICS environment to disrupt processes. Messages typically fall into two categories: (1) reporting messages that contain telemetry data about the current state of systems, devices, and processes and (2) command messages that contain instructions to control systems, devices, and processes. Both types of messages are critical for the proper functioning of industrial control processes and failure of the messages to reach their intended destinations could inhibit response functions or create an unsafe condition that could have physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c62976ab-05b7-405a-b1c7-98b5d306906c",
|
||||
"id": "bundle--fd148596-c2e3-4d3f-a25f-748d492deb90",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c27630a0-3951-4966-b06b-5ececdec77bf",
|
||||
"id": "bundle--4db59792-d1bd-41e5-85b4-05b39f0e30c1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--441858cb-28e7-4a75-b2eb-f862127c0dee",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43",
|
||||
"created": "2026-04-20T20:54:20.103Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T0873/001",
|
||||
"external_id": "T0873.001"
|
||||
},
|
||||
{
|
||||
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
|
||||
"description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
|
||||
"url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:37:43.545Z",
|
||||
"name": "Siemens Project File Format",
|
||||
"description": "Adversaries may infect Siemens PLC project files (i.e., Step 7, WinCC, etc.) to achieve [Execution](https://attack.mitre.org/tactics/TA0104), [Persistence](https://attack.mitre.org/tactics/TA0110), and [Lateral Movement](https://attack.mitre.org/tactics/TA0109) objectives. Adversaries may modify an existing project file or bring their own project files into the environment.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\nThe ability for an adversary to deploy an infected project file relies on access to a workstation with Siemens PLC programming software installed on it from which a program download can be performed.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1e5a73eb-a6d0-44d1-a958-5c1b1f93844f",
|
||||
"id": "bundle--b80d424e-1fc6-46fa-9202-699dd03c2693",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--7bd2df7e-1010-430d-a5ba-8662043f507c",
|
||||
"id": "bundle--834fe68a-9efa-4f93-9ffa-18a8ca9f30bc",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e68a80c9-2dd6-430f-aa08-91d8704a5a20",
|
||||
"id": "bundle--d74c07d6-bd76-4adf-892c-830e0c1364da",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -39,7 +39,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--dc28f3d6-6282-4760-8c88-c64f6bdc778c",
|
||||
"id": "bundle--c93dabc5-6067-4048-bcfd-7bf2f6caa4e7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ee85cb25-1aee-42b2-8301-37db0d2efcca",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
|
||||
"created": "2026-04-20T20:50:35.222Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1694",
|
||||
"external_id": "T1694"
|
||||
},
|
||||
{
|
||||
"source_name": "ICS-ALERT-13-164-01",
|
||||
"description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.",
|
||||
"url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01"
|
||||
},
|
||||
{
|
||||
"source_name": "OT IceFall",
|
||||
"description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.",
|
||||
"url": "https://www.forescout.com/resources/ot-icefall-report/"
|
||||
},
|
||||
{
|
||||
"source_name": "NIST SP 800-82r3",
|
||||
"description": "Keith Stouffer. (2023, September). Guide to Operational Technology (OT) Security. Retrieved April 22, 2026.",
|
||||
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:29:41.601Z",
|
||||
"name": "Insecure Credentials",
|
||||
"description": "Adversaries may target insecure credentials as a means to persist on a system or device or move laterally from one system or device to another. Insecure credentials may appear as default credentials which are pre-configured credentials on a system, device, or software that are well-known in documentation or hard-coded credentials which are built into the system, device, or software that cannot be changed or not easily changed because of the impact on control processes.(Citation: NIST SP 800-82r3)(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n Adversaries often times use insecure credentials to evade detection as they are typically forgotten about by system and device owners.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "lateral-movement"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--330d4b77-e0dd-4fa8-8b57-f6818f2e8b6d",
|
||||
"id": "bundle--1767dd12-2335-4865-9b1c-f9bed5970270",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -29,7 +29,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:13.771Z",
|
||||
"modified": "2026-04-20T20:58:39.117Z",
|
||||
"name": "Block Reporting Message",
|
||||
"description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
|
||||
"kill_chain_phases": [
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--cf3f15d0-ab9f-4211-ba99-9b5bd4459464",
|
||||
"id": "bundle--2db993f5-8647-4185-b519-a9427ce44198",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -34,7 +34,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:13.939Z",
|
||||
"modified": "2026-04-20T20:58:41.104Z",
|
||||
"name": "Unauthorized Command Message",
|
||||
"description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)",
|
||||
"kill_chain_phases": [
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--47023bdb-fafe-4853-a942-77922bc6044c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265",
|
||||
"created": "2026-04-20T20:54:17.053Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1692/001",
|
||||
"external_id": "T1692.001"
|
||||
},
|
||||
{
|
||||
"source_name": "Benjamin Freed March 2019",
|
||||
"description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ",
|
||||
"url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
},
|
||||
{
|
||||
"source_name": "Zack Whittaker April 2017",
|
||||
"description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ",
|
||||
"url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T18:59:19.225Z",
|
||||
"name": "Command Message",
|
||||
"description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105).(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.(Citation: Zack Whittaker April 2017)(Citation: Benjamin Freed March 2019)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "evasion"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "impair-process-control"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c82abc7c-6a29-4d08-bbfc-4a98d0b4474b",
|
||||
"id": "bundle--e6f7c299-6fb2-47fe-b781-73037c978396",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -38,7 +38,6 @@
|
||||
"Matan Dobrushin - Otorio"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3eaa75c9-7feb-421c-a64b-e708387e29cb",
|
||||
"id": "bundle--cac96d5e-0458-4ecd-b28b-4bb49314bb92",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--65ed6754-8448-4256-927f-04c59fda1504",
|
||||
"id": "bundle--a64ab4ef-5074-46a9-9b71-0d65515ebb03",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -37,7 +37,6 @@
|
||||
"Joe Slowik - Dragos"
|
||||
],
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,50 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--47ca67e0-c242-4840-a173-ea85f6e61942",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0",
|
||||
"created": "2026-04-20T20:54:17.539Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1692/002",
|
||||
"external_id": "T1692.002"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:01:42.644Z",
|
||||
"name": "Reporting Message",
|
||||
"description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.\n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "evasion"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "impair-process-control"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a0c04a36-060d-4737-a49a-e6de944ef14c",
|
||||
"id": "bundle--4de04e1c-ba2d-48ac-a5fc-236e43ff5271",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--abbe2adb-04d3-4d5b-b656-aca94d021363",
|
||||
"id": "bundle--208fe93a-cfbd-452f-8b89-4bdd452d3b10",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -38,8 +38,7 @@
|
||||
"None"
|
||||
],
|
||||
"x_mitre_version": "1.0",
|
||||
"revoked": false,
|
||||
"x_mitre_detection": ""
|
||||
"revoked": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ec07abd0-a6b3-411d-99b8-c22f445eacce",
|
||||
"id": "bundle--9bd2839f-5974-4913-a1f0-ae44088acce9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d279e9da-a2c7-4759-8812-7a99403174a1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
|
||||
"created": "2026-04-20T20:54:22.399Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1695/001",
|
||||
"external_id": "T1695.001"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:59:10.079Z",
|
||||
"name": "Serial COM",
|
||||
"description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.\n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,50 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--16d068bb-eed3-490d-9370-547dd254c675",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91",
|
||||
"created": "2026-04-20T20:54:19.020Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1694/001",
|
||||
"external_id": "T1694.001"
|
||||
},
|
||||
{
|
||||
"source_name": "Keith Stouffer May 2015",
|
||||
"description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ",
|
||||
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:30:36.158Z",
|
||||
"name": "Default Credentials",
|
||||
"description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.(Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "lateral-movement"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0bcd5ff5-98f5-4521-8a5c-63f795d5a7a4",
|
||||
"id": "bundle--249ae70f-8ccf-44bc-af69-a59815cd9845",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--7fb56028-5e94-4881-835e-8128cfd9c4b1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
|
||||
"created": "2026-04-20T20:54:25.997Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T0843/003",
|
||||
"external_id": "T0843.003"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T00:18:49.737Z",
|
||||
"name": "Program Append",
|
||||
"description": "Adversaries may execute a program append to a PLC to update parts of an existing program. It may or may not require stopping the PLC which may allow it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform a program append to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "lateral-movement"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9b6ff557-b990-4c5a-9070-7455ad62dbd7",
|
||||
"id": "bundle--f3e32bae-af54-4b57-940e-008c778978a0",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6c66f19b-3e5d-4e66-98e0-6837f8837986",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
|
||||
"created": "2026-04-20T20:54:20.714Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T0846/001",
|
||||
"external_id": "T0846.001"
|
||||
},
|
||||
{
|
||||
"source_name": "NIST SP 800-82r3",
|
||||
"description": "Keith Stouffer. (2023, September). Guide to Operational Technology (OT) Security. Retrieved April 22, 2026.",
|
||||
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:41:07.822Z",
|
||||
"name": "Port Scan",
|
||||
"description": "Adversaries may perform a port scan on a system, device, or network to identify live hosts, enumerate open ports and running services, identify operating systems, and map out the network.(Citation: NIST SP 800-82r3) The results of a port scan may inform adversary [Discovery](https://attack.mitre.org/tactics/TA0102), [Lateral Movement](https://attack.mitre.org/tactics/TA0109), and vulnerability exploitation decisions ([Exploitation for Evasion](https://attack.mitre.org/techniques/T0820), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T0866)). \n\nSome common tools for executing a port scan include `nmap`, `netcat`, and the Advanced Port Scanner.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--50d28dbe-6280-42e1-9c34-c3c9ad8a04eb",
|
||||
"id": "bundle--143d540e-6378-4eae-85ff-188c15341c31",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--297aa1f1-4793-439f-9c4e-daf8df6c3704",
|
||||
"id": "bundle--4f200f39-6c87-44f8-96c1-393200355611",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3ae2f509-ee82-4b2d-b085-c1d8cd3c5e13",
|
||||
"id": "bundle--67d80985-10a5-46f8-b1de-c3fb821752da",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c92be924-948e-46e4-8250-78bc668c377b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855",
|
||||
"created": "2026-04-20T20:54:22.891Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1695/002",
|
||||
"external_id": "T1695.002"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:57:13.444Z",
|
||||
"name": "Ethernet",
|
||||
"description": "Adversaries may block access to Ethernet communications to prevent instructions or configurations messages from reaching target systems and devices. Ethernet connections allow for communications between IT and OT systems and devices. Blocking Ethernet communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Ethernet communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), or conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9fb8957d-65e3-4322-84fd-a24d2158ab09",
|
||||
"id": "bundle--c3d050da-6f25-48f7-857a-774c6d606ea7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -45,7 +45,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e035272a-c229-49da-94f7-d09da79bfa38",
|
||||
"id": "bundle--89dd5eab-e806-41c1-ac07-481716e1017c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--681ae092-7bfa-43f8-8fd4-778fef201378",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91",
|
||||
"created": "2026-04-20T20:54:21.726Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T0846/003",
|
||||
"external_id": "T0846.003"
|
||||
},
|
||||
{
|
||||
"source_name": "Cisco Active Discovery",
|
||||
"description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.",
|
||||
"url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:45:38.166Z",
|
||||
"name": "Multicast Discovery",
|
||||
"description": "Adversaries may perform multicast discovery requests which is when one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Multicast discovery tends to be stealthier than broadcast discovery because every system or device on the network (or subnet) is not being messaged. \n\nOne common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests.(Citation: Cisco Active Discovery)\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,54 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--43981976-b03b-4309-b095-8a53c8911cc7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df",
|
||||
"created": "2026-04-20T20:54:18.031Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1693/001",
|
||||
"external_id": "T1693.001"
|
||||
},
|
||||
{
|
||||
"source_name": "Basnight, Zachry, et al.",
|
||||
"description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ",
|
||||
"url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:10:31.871Z",
|
||||
"name": "System Firmware",
|
||||
"description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.\n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.(Citation: Basnight, Zachry, et al.)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "impair-process-control"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,55 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a3f35792-5ac9-41a4-afcb-2e2734a8c24a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20",
|
||||
"created": "2026-04-20T20:54:19.528Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1694/002",
|
||||
"external_id": "T1694.002"
|
||||
},
|
||||
{
|
||||
"source_name": "ICS-ALERT-13-164-01",
|
||||
"description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.",
|
||||
"url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01"
|
||||
},
|
||||
{
|
||||
"source_name": "OT IceFall",
|
||||
"description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.",
|
||||
"url": "https://www.forescout.com/resources/ot-icefall-report/"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:32:38.851Z",
|
||||
"name": "Hardcoded Credentials",
|
||||
"description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "lateral-movement"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c2b6b159-a963-467b-93de-f44d6c8258ea",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa",
|
||||
"created": "2026-04-20T20:54:23.383Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1695/003",
|
||||
"external_id": "T1695.003"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:59:42.404Z",
|
||||
"name": "Wi-Fi",
|
||||
"description": "Adversaries may block access to Wi-Fi communications to prevent messages from reaching target systems and devices. Wi-Fi connections allow for communications between IT and OT systems and devices. Blocking Wi-Fi communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Wi-Fi communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic, or by jamming the Wi-Fi signal.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--dda22b2e-b820-4269-8315-a60f91f8d53e",
|
||||
"id": "bundle--32cbfeef-b59f-4e70-b8ae-0a29df205297",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4458c619-373a-40a3-b188-d6007c9ad55e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39",
|
||||
"created": "2026-04-20T20:54:18.535Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1693/002",
|
||||
"external_id": "T1693.002"
|
||||
},
|
||||
{
|
||||
"source_name": "Daniel Peck, Dale Peterson January 2009",
|
||||
"description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ",
|
||||
"url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:15:57.683Z",
|
||||
"name": "Module Firmware",
|
||||
"description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.\n\nThis technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.(Citation: Daniel Peck, Dale Peterson January 2009)\n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:(Citation: Daniel Peck, Dale Peterson January 2009)\n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.\n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.\n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.\n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "impair-process-control"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,41 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e0518f7e-8f7f-4a15-b6d3-9637664dd0a5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
|
||||
"created": "2026-04-20T20:54:23.982Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T0843/001",
|
||||
"external_id": "T0843.001"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T00:01:28.898Z",
|
||||
"name": "Download All",
|
||||
"description": "Adversaries may execute a full program download to a PLC to overwrite the entire PLC program and configuration to deploy a new project or make major changes. This typically requires stopping the PLC and adversely impacting control processes.\n\nThe ability to perform a full program download to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "lateral-movement"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--28dcf06f-fab4-4532-a6c2-d9487dfea006",
|
||||
"id": "bundle--8d059ac8-57f6-4b6f-8f3d-dcc6d3ac4e43",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e72f73ff-1c62-4867-971d-1f677e9e7c9e",
|
||||
"id": "bundle--1254b065-d409-4215-b398-8f100e54394d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--01fedaa5-4dda-4e59-9661-106e9248b227",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
|
||||
"created": "2026-04-20T20:54:16.584Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1691/002",
|
||||
"external_id": "T1691.002"
|
||||
},
|
||||
{
|
||||
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
|
||||
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
|
||||
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
||||
},
|
||||
{
|
||||
"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
|
||||
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
|
||||
"url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T18:52:34.062Z",
|
||||
"name": "Reporting Message",
|
||||
"description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,54 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a13962b8-0ce0-493f-be5c-e5460b1a4c08",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
|
||||
"created": "2026-04-20T20:50:34.850Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T1693",
|
||||
"external_id": "T1693"
|
||||
},
|
||||
{
|
||||
"source_name": "Basnight, Zachry, et al.",
|
||||
"description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ",
|
||||
"url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:06:21.253Z",
|
||||
"name": "Modify Firmware",
|
||||
"description": "Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as [Persistence](https://attack.mitre.org/tactics/TA0110), [Impair Process Control](https://attack.mitre.org/tactics/TA0106), and [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107). \n\nAdversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via [Replication Through Removable Media](https://attack.mitre.org/techniques/T0847), [Supply Chain Compromise](https://attack.mitre.org/techniques/T0862), or [Remote Services](https://attack.mitre.org/techniques/T0886). Once installed, the malicious or vulnerable firmware could be used to provide [Rootkit](https://attack.mitre.org/techniques/T0851) and [Hooking](https://attack.mitre.org/techniques/T0874) functionality, [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), or [Denial of Service](https://attack.mitre.org/techniques/T0814).(Citation: Basnight, Zachry, et al.)\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "persistence"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "inhibit-response-function"
|
||||
},
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "impair-process-control"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": false,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--70c39f4c-ce77-4969-a37a-f1bd0f4f2b1d",
|
||||
"id": "bundle--712f3e2d-a550-4ebc-8cd5-514b91bcac16",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -50,7 +50,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--62d079d1-d907-47e2-ae72-72bc493c45eb",
|
||||
"id": "bundle--54ab144a-a6a3-4515-b8a4-24a0c8fd0958",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:15.909Z",
|
||||
"modified": "2026-04-20T20:58:43.011Z",
|
||||
"name": "Spoof Reporting Message",
|
||||
"description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
|
||||
"kill_chain_phases": [
|
||||
@@ -39,7 +39,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4e247916-4c7a-47f9-a078-c933e63a1a4b",
|
||||
"id": "bundle--6fd2b4b0-bdcf-4c0b-9926-43ebe0cd610e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -44,7 +44,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d161ae4c-3b2a-4844-8dd8-2920f7e72a1c",
|
||||
"id": "bundle--83403d79-8636-49d4-804f-95c5e985f1bb",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:16.206Z",
|
||||
"modified": "2026-04-20T20:58:48.356Z",
|
||||
"name": "Default Credentials",
|
||||
"description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
|
||||
"kill_chain_phases": [
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--18e639e2-20c0-4fd2-b20c-4bd47304d927",
|
||||
"id": "bundle--f15379a2-50ab-45a6-899e-e0f986460123",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4d3f05be-a222-42f9-b7c7-0de6ae133c9a",
|
||||
"id": "bundle--8b941290-9863-44c1-9e12-a9181f6ff1f1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ed4db855-fe90-4a83-af52-7a2b4c30bc2e",
|
||||
"id": "bundle--04f13b2b-02b6-43da-a87e-346ee1d89873",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6a7a9518-efcd-46e4-bf8e-aecefddae594",
|
||||
"id": "bundle--02f22982-8c28-47c2-bff2-242313d9d727",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -43,7 +43,6 @@
|
||||
"Conrad Layne - GE Digital"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f3fb2ba6-70f7-445b-8a9d-544580de21ad",
|
||||
"id": "bundle--7bab2ec8-14f1-4e82-8312-383ddc89208a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--81156dad-7a4c-4cbb-af90-9d83c028ca57",
|
||||
"id": "bundle--6088beec-503f-4ddb-b681-048d1ab3dba9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -53,7 +53,6 @@
|
||||
"Dragos Threat Intelligence"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--92830f4b-1936-45f4-aae3-4f43db2ae538",
|
||||
"id": "bundle--a1d04228-fe01-49d5-9944-f616fe650aa0",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -33,7 +33,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1f2a2994-3c64-4959-81a2-bbf006f34189",
|
||||
"id": "bundle--183cb50a-eebd-42be-b4a4-8c0fc1577d51",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -44,7 +44,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b28fff3d-b7a3-4731-a6c7-b91be857d913",
|
||||
"id": "bundle--5cd57575-4616-469e-b051-82818c91cb6f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--525aa6cc-94d1-4360-81ee-5ca0cf865e56",
|
||||
"id": "bundle--ee61e090-d199-47ba-9ebf-d1738686a4da",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -48,7 +48,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--bc8ef874-f9a8-4a66-aecc-eb6b9f66b904",
|
||||
"id": "bundle--ff9a4641-b68a-459a-b12e-219b6fca1764",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--403f6934-2d0c-4dcc-a314-e0cc737193c4",
|
||||
"id": "bundle--74d3ec7b-61b1-4c36-9a96-02246fb60519",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4d681ec1-2d34-433e-85d0-4025c30c8eb6",
|
||||
"id": "bundle--e4f13e9a-9a7f-4704-82f9-dd39d25e1e52",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8a6c7d39-d3c6-4a90-b7cf-984cb590f215",
|
||||
"id": "bundle--4b7b77e8-f60f-4b1b-abb0-612834e7378b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -50,7 +50,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f6babf4b-fd82-4f7a-8257-e690075ce5a8",
|
||||
"id": "bundle--1d33b8f6-7062-4a1f-9c7c-920e1b088cf9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -14,15 +14,15 @@
|
||||
"url": "https://attack.mitre.org/techniques/T0882",
|
||||
"external_id": "T0882"
|
||||
},
|
||||
{
|
||||
"source_name": "Mark Thompson March 2016",
|
||||
"description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ",
|
||||
"url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"
|
||||
},
|
||||
{
|
||||
"source_name": "Danny Yadron December 2015",
|
||||
"description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ",
|
||||
"url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
|
||||
},
|
||||
{
|
||||
"source_name": "Mark Thompson March 2016",
|
||||
"description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ",
|
||||
"url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -39,7 +39,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
@@ -48,7 +47,8 @@
|
||||
"x_mitre_platforms": [
|
||||
"None"
|
||||
],
|
||||
"x_mitre_version": "1.0"
|
||||
"x_mitre_version": "1.0",
|
||||
"revoked": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ecf2b1ed-bc3a-4ae1-8562-b349b0215042",
|
||||
"id": "bundle--05d454e7-61d7-4c5c-a2b2-9f9dc1c4b43a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
|
||||
"created": "2020-05-21T17:43:26.506Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -24,7 +24,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:17.862Z",
|
||||
"modified": "2026-04-20T20:58:44.575Z",
|
||||
"name": "System Firmware",
|
||||
"description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
|
||||
"kill_chain_phases": [
|
||||
@@ -39,7 +39,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d0055f44-6363-4c48-ab53-28189c7f0bd1",
|
||||
"id": "bundle--97bc61c4-54bf-4c75-95fd-a4690e5ca36c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--aeaac56f-b169-4c38-96cc-f2e25b4c1e3c",
|
||||
"id": "bundle--ee33b0fa-67ba-4f92-925d-b3d7e2a3ad32",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--3e477aaf-2764-4e5f-92ca-f3f655c157cd",
|
||||
"id": "bundle--c83fbb57-2353-4af9-a649-9786ad5a778f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -80,7 +80,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--fca90697-58b8-4189-afce-57e54c0ca29f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
|
||||
"created": "2026-04-20T20:54:21.227Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
"url": "https://attack.mitre.org/techniques/T0846/002",
|
||||
"external_id": "T0846.002"
|
||||
},
|
||||
{
|
||||
"source_name": "Cisco Active Discovery",
|
||||
"description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.",
|
||||
"url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
|
||||
},
|
||||
{
|
||||
"source_name": "Broadcasting BACnet",
|
||||
"description": "H. Michael Newman. (2010, November). Broadcasting BACnet\u00ae. Retrieved April 23, 2026.",
|
||||
"url": "https://bacnet.org/wp-content/uploads/sites/4/2022/06/Newman_2010.pdf"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2026-04-23T19:43:10.464Z",
|
||||
"name": "Broadcast Discovery",
|
||||
"description": "Adversaries may perform broadcast discovery requests to enumerate systems and devices on a network. Broadcast discovery works by one system or device sending messages to all systems and devices on a network (or subnet) and then waiting for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Adversaries may leverage different protocols supported on the network for sending broadcast messages. \n\nSome common OT protocols that have broadcast discovery mechanisms are Building Automation and Control Network (BACNet) Who-Is requests, Common Industrial Protocol (CIP) List Identity User Datagram Protocol (UDP) broadcast requests, and Siemens S7 broadcast identification requests.(Citation: Broadcasting BACnet)(Citation: Cisco Active Discovery)\n",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
"x_mitre_is_subtechnique": true,
|
||||
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"x_mitre_version": "1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5935c0ef-91fd-49e5-b93f-b8781197d288",
|
||||
"id": "bundle--dc26490f-b6d5-4745-af32-7136fd5b10be",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
@@ -43,7 +42,8 @@
|
||||
"x_mitre_platforms": [
|
||||
"None"
|
||||
],
|
||||
"x_mitre_version": "1.0"
|
||||
"x_mitre_version": "1.0",
|
||||
"revoked": false
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6ec2befa-1a18-48af-acdf-b10876c56a30",
|
||||
"id": "bundle--a5a70199-acd3-42be-a320-4254bcb2637d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
|
||||
"created": "2022-09-29T13:35:38.589Z",
|
||||
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
||||
"revoked": false,
|
||||
"revoked": true,
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "mitre-attack",
|
||||
@@ -19,7 +19,7 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:18.583Z",
|
||||
"modified": "2026-04-20T20:58:49.917Z",
|
||||
"name": "Hardcoded Credentials",
|
||||
"description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n",
|
||||
"kill_chain_phases": [
|
||||
@@ -37,7 +37,6 @@
|
||||
"Aagam Shah, @neutrinoguy, ABB"
|
||||
],
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a16909ae-d643-41a5-9831-c33c0070fecf",
|
||||
"id": "bundle--29d69d37-0e45-46c4-8f7b-b2077cc3b09a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -39,7 +39,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4707cdb8-4cf9-406b-b41b-383ff1bea475",
|
||||
"id": "bundle--3c29d3b1-f2d2-41cd-a7e2-1b978132b7f3",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a03048d0-dd03-4153-9291-b3662df50cbc",
|
||||
"id": "bundle--892125fa-fcb5-4de1-bf67-5c703adb3721",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -24,18 +24,17 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
||||
],
|
||||
"modified": "2025-04-16T21:26:18.958Z",
|
||||
"modified": "2026-04-23T19:39:03.420Z",
|
||||
"name": "Remote System Discovery",
|
||||
"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
|
||||
"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.(Citation: Enterprise ATT&CK January 2018)",
|
||||
"kill_chain_phases": [
|
||||
{
|
||||
"kill_chain_name": "mitre-ics-attack",
|
||||
"phase_name": "discovery"
|
||||
}
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_attack_spec_version": "3.3.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--73ead825-1127-485d-9b56-852023008a63",
|
||||
"id": "bundle--bb016cfd-364b-4139-b6dc-9d40b6ebcb01",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -32,7 +32,6 @@
|
||||
"Joe Slowik - Dragos"
|
||||
],
|
||||
"x_mitre_deprecated": true,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--06e7d5cc-d7e9-4228-87b8-c7e19b45a603",
|
||||
"id": "bundle--742f2e95-c4cd-4eba-8df1-5c9393ba9c61",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,6 @@
|
||||
],
|
||||
"x_mitre_attack_spec_version": "3.2.0",
|
||||
"x_mitre_deprecated": false,
|
||||
"x_mitre_detection": "",
|
||||
"x_mitre_domains": [
|
||||
"ics-attack"
|
||||
],
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user