adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ATT&CK v17.0 ICS

Browse Source
This commit is contained in:
Jared Ondricek
2025-04-21 21:46:27 -05:00
parent dc129e9e96
commit e2fa27e759
1651 changed files with 12968 additions and 13636 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
+27 -27
View File
@@ -1,10 +1,35 @@
{
"type": "bundle",
"id": "bundle--4631c103-384a-4f5e-9f32-fafa7764a0eb",
"id": "bundle--a3d20708-6dd1-4ca9-bec9-18790d9d13d2",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:58.380Z",
"type": "attack-pattern",
"id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0803",
"external_id": "T0803"
},
{
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
},
{
"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
"url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:01.218Z",
"name": "Block Command Message",
"description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
"kill_chain_phases": [
@@ -31,31 +56,6 @@
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Process/Event Alarm"
],
"type": "attack-pattern",
"id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0803",
"external_id": "T0803"
},
{
"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
},
{
"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
"url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
+22 -22
View File
@@ -1,10 +1,30 @@
{
"type": "bundle",
"id": "bundle--dee09093-0370-43a0-b117-4732706f185f",
"id": "bundle--25229b6b-afba-4ce2-95cb-4abd18b04863",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:58.586Z",
"type": "attack-pattern",
"id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0881",
"external_id": "T0881"
},
{
"source_name": "Enterprise ATT&CK",
"description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ",
"url": "https://attack.mitre.org/techniques/T1489/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:03.170Z",
"name": "Service Stop",
"description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)",
"kill_chain_phases": [
@@ -33,26 +53,6 @@
"Service: Service Metadata",
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0881",
"external_id": "T0881"
},
{
"source_name": "Enterprise ATT&CK",
"description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ",
"url": "https://attack.mitre.org/techniques/T1489/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--105d38ee-81db-4e2f-ba57-80452a959f39",
"id": "bundle--db0639cd-32bb-4604-9c14-d16ed03910d9",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:58.786Z",
"type": "attack-pattern",
"id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0836",
"external_id": "T0836"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:10.077Z",
"name": "Modify Parameter",
"description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Application Log: Application Log Content",
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0836",
"external_id": "T0836"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
+27 -27
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--3024c052-2f10-45e2-a38f-79c2a0928672",
"id": "bundle--ab0efb01-4a64-4f2c-b605-535b55c0ba25",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:58.991Z",
"name": "Modify Controller Tasking",
"description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Operational Databases: Device Alarm",
"Asset: Software"
],
"type": "attack-pattern",
"id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
"created": "2021-04-13T11:15:26.506Z",
@@ -49,6 +23,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:10.230Z",
"name": "Modify Controller Tasking",
"description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Operational Databases: Device Alarm",
"Asset: Software"
]
}
]
ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
+32 -32
View File
@@ -1,40 +1,9 @@
{
"type": "bundle",
"id": "bundle--539bd006-4958-4246-84a8-092df15411c3",
"id": "bundle--e26b2205-6066-434d-a5ac-ee3880830188",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:59.193Z",
"name": "Wireless Sniffing",
"description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"ICSCoE Japan"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow"
],
"type": "attack-pattern",
"id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
"created": "2020-05-21T17:43:26.506Z",
@@ -64,6 +33,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:10.392Z",
"name": "Wireless Sniffing",
"description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"ICSCoE Japan"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow"
]
}
]
ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
+25 -22
View File
@@ -1,31 +1,14 @@
{
"type": "bundle",
"id": "bundle--b44e9241-bcc6-4b8b-b01d-7e08f0462975",
"id": "bundle--fc5dd488-ddc9-45f6-bf2e-d8ffe711bcc4",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:59.396Z",
"name": "Loss of View",
"description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
@@ -39,8 +22,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
"description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
"url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
"description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
"url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -51,7 +34,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-15T19:58:08.228Z",
"name": "Loss of View",
"description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
+28 -28
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--69e366dd-0c14-40d5-9f93-f2e8229dc0a7",
"id": "bundle--c1850b6d-f7d8-4b0f-ab9f-a53f6f21cf5c",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:59.593Z",
"name": "Activate Firmware Update Mode",
"description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Joe Slowik - Dragos"
],
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Operational Databases: Device Alarm",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"created": "2020-05-21T17:43:26.506Z",
@@ -44,7 +18,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-16T21:26:10.552Z",
"name": "Activate Firmware Update Mode",
"description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Joe Slowik - Dragos"
],
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Operational Databases: Device Alarm",
"Application Log: Application Log Content"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
+23 -23
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--bdae619c-cb18-413f-9fab-422334a358d8",
"id": "bundle--1602b749-db30-4bfb-9af4-9fb05604257b",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:56:59.793Z",
"name": "Manipulation of Control",
"description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-16T21:26:10.752Z",
"name": "Manipulation of Control",
"description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
+27 -27
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--dfdeca24-c300-421c-a76d-d6628ae827bc",
"id": "bundle--f69e8e0b-5c2f-44bf-bffb-d024f3f3057b",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-10-14T19:00:55.006Z",
"name": "Denial of Service",
"description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow",
"Application Log: Application Log Content",
"Operational Databases: Process History/Live Data"
],
"type": "attack-pattern",
"id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"created": "2020-05-21T17:43:26.506Z",
@@ -64,8 +39,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:10.656Z",
"name": "Denial of Service",
"description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow",
"Application Log: Application Log Content",
"Operational Databases: Process History/Live Data"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--79600bfc-10d7-46b4-8184-969e509e28e2",
"id": "bundle--501ea015-a615-41bf-a0aa-146b7633ceef",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:00.184Z",
"type": "attack-pattern",
"id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0805",
"external_id": "T0805"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:10.923Z",
"name": "Block Serial COM",
"description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -31,21 +46,6 @@
"Operational Databases: Process History/Live Data",
"Application Log: Application Log Content",
"Process: Process Termination"
],
"type": "attack-pattern",
"id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0805",
"external_id": "T0805"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
+26 -26
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--c287e357-55a9-4c4c-9cb3-6c918faf92e2",
"id": "bundle--5d784ea9-9a4d-4532-9d3a-ddff7bdb3425",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-04-08T18:57:58.010Z",
"name": "System Binary Proxy Execution",
"description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary\u2019s execution.\n\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Script: Script Execution",
"Command: Command Execution",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"created": "2024-03-25T20:16:15.016Z",
@@ -58,8 +34,32 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:11.559Z",
"name": "System Binary Proxy Execution",
"description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary\u2019s execution.\n\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Script: Script Execution",
"Command: Command Execution",
"Process: Process Creation"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
+24 -24
View File
@@ -1,32 +1,9 @@
{
"type": "bundle",
"id": "bundle--578194ed-1631-4afb-8387-b9e0a035c89c",
"id": "bundle--d7d381d2-5d20-445e-a858-86afe9161ef5",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Role Identification",
"description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Human-Machine Interface",
"Control Server",
"Data Historian",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,6 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:51.553Z",
"name": "Role Identification",
"description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Human-Machine Interface",
"Control Server",
"Data Historian",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
+27 -27
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--0d48cec9-f168-4692-9889-563fc77f1c14",
"id": "bundle--7d4fc49a-aaaf-437c-8653-7f96561930f3",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:00.378Z",
"name": "Command-Line Interface",
"description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Command: Command Execution",
"Application Log: Application Log Content",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"created": "2020-05-21T17:43:26.506Z",
@@ -49,6 +23,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:11.069Z",
"name": "Command-Line Interface",
"description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Command: Command Execution",
"Application Log: Application Log Content",
"Process: Process Creation"
]
}
]
ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--a0f5866c-0fa9-4107-b505-0b330d59f639",
"id": "bundle--ebe6e2e7-049d-42fd-9527-1717b953d6f5",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:00.575Z",
"name": "Point & Tag Identification",
"description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Jos Wetzels - Midnight Blue"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:11.231Z",
"name": "Point & Tag Identification",
"description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Jos Wetzels - Midnight Blue"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--19e9d4e8-714c-42c4-b702-ea13e9b85e2a",
"id": "bundle--b1f2e0d8-910e-4237-87c7-24c4820939aa",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:00.768Z",
"type": "attack-pattern",
"id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0816",
"external_id": "T0816"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:11.395Z",
"name": "Device Restart/Shutdown",
"description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Application Log: Application Log Content",
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0816",
"external_id": "T0816"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
+33 -33
View File
@@ -1,10 +1,40 @@
{
"type": "bundle",
"id": "bundle--a9feec49-ebb1-4706-bd37-ace35ef0372b",
"id": "bundle--c6b16db3-c0c0-4485-ba54-4dd1fb2d5c23",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:00.969Z",
"type": "attack-pattern",
"id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0863",
"external_id": "T0863"
},
{
"source_name": "Booz Allen Hamilton",
"description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
"source_name": "Daavid Hentunen, Antti Tikkanen June 2014",
"description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ",
"url": "https://www.f-secure.com/weblog/archives/00002718.html"
},
{
"source_name": "CISA AA21-201A Pipeline Intrusion July 2021",
"description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ",
"url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:15.054Z",
"name": "User Execution",
"description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
@@ -13,7 +43,7 @@
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -32,36 +62,6 @@
"File: File Access",
"Process: Process Creation",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0863",
"external_id": "T0863"
},
{
"source_name": "Booz Allen Hamilton",
"description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
"source_name": "Daavid Hentunen, Antti Tikkanen June 2014",
"description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ",
"url": "https://www.f-secure.com/weblog/archives/00002718.html"
},
{
"source_name": "CISA AA21-201A Pipeline Intrusion July 2021",
"description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ",
"url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
+32 -32
View File
@@ -1,38 +1,9 @@
{
"type": "bundle",
"id": "bundle--6cdfa18b-c898-4779-bf8a-b8cc2a87f145",
"id": "bundle--aba9fcdf-a1db-46b3-a26c-fbf7dba101d1",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:01.165Z",
"name": "Wireless Compromise",
"description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_contributors": [
"Scott Dougherty"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow"
],
"type": "attack-pattern",
"id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,8 +17,8 @@
},
{
"source_name": "Alexander Bolshev March 2014",
"description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ",
"url": "https://www.slideshare.net/dgpeters/17-bolshev-1-13"
"description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved November 17, 2024. ",
"url": "https://www.slideshare.net/slideshow/17-bolshev-1-13/32178888"
},
{
"source_name": "Alexander Bolshev, Gleb Cherbov July 2014",
@@ -72,6 +43,35 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:15.610Z",
"name": "Wireless Compromise",
"description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Scott Dougherty"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow"
]
}
]
ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
+31 -31
View File
@@ -1,39 +1,9 @@
{
"type": "bundle",
"id": "bundle--cd91c1f3-1f88-46a7-be42-496f327149b6",
"id": "bundle--c0896d18-2c40-48d5-802d-e437df646cc4",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:01.367Z",
"name": "Change Operating Mode",
"description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content",
"Operational Databases: Device Alarm"
],
"type": "attack-pattern",
"id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
"created": "2020-05-21T17:43:26.506Z",
@@ -68,6 +38,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:11.583Z",
"name": "Change Operating Mode",
"description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content",
"Operational Databases: Device Alarm"
]
}
]
ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
+23 -23
View File
@@ -1,10 +1,30 @@
{
"type": "bundle",
"id": "bundle--bce5f51a-fa14-40f7-8210-e10fb1251a0c",
"id": "bundle--aa22e8ab-f486-4cfe-89ba-badd44bfba2f",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:01.578Z",
"type": "attack-pattern",
"id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0878",
"external_id": "T0878"
},
{
"source_name": "Jos Wetzels, Marina Krotofil 2019",
"description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ",
"url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:11.789Z",
"name": "Alarm Suppression",
"description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.",
"kill_chain_phases": [
@@ -13,7 +33,7 @@
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Marina Krotofil",
"Jos Wetzels - Midnight Blue"
@@ -34,26 +54,6 @@
"Operational Databases: Process History/Live Data",
"Operational Databases: Device Alarm",
"Operational Databases: Process/Event Alarm"
],
"type": "attack-pattern",
"id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0878",
"external_id": "T0878"
},
{
"source_name": "Jos Wetzels, Marina Krotofil 2019",
"description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ",
"url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--720b4a11-226e-4b3c-a821-d8ca5c34328a",
"id": "bundle--12fdf5a9-8f66-469a-a4f7-5c1117f49fd6",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:01.778Z",
"name": "Detect Operating Mode",
"description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
"created": "2020-05-21T17:43:26.506Z",
@@ -62,6 +38,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:11.972Z",
"name": "Detect Operating Mode",
"description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
+23 -23
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--e75082f3-3499-4800-bbce-f00dcd69147a",
"id": "bundle--5daec61b-37d9-44f4-8d0a-ebff3e02503f",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:01.994Z",
"name": "Loss of Protection",
"description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163",
"created": "2021-04-12T07:57:26.506Z",
@@ -39,7 +18,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-16T21:26:12.172Z",
"name": "Loss of Protection",
"description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
+24 -24
View File
@@ -1,31 +1,9 @@
{
"type": "bundle",
"id": "bundle--dc8aabfd-619c-4893-9caf-45f896017c5c",
"id": "bundle--f2d0becc-0dfb-480d-b443-4403d5ac3663",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:02.197Z",
"name": "Monitor Process State",
"description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"created": "2020-05-21T17:43:26.506Z",
@@ -40,7 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-16T21:26:12.337Z",
"name": "Monitor Process State",
"description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--a2d15883-1d0f-4890-87c9-f859720708e2",
"id": "bundle--7154957a-a41f-4ba6-a0db-a8fe2b63c207",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:02.398Z",
"type": "attack-pattern",
"id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0853",
"external_id": "T0853"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:12.511Z",
"name": "Scripting",
"description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -31,21 +46,6 @@
"Process: Process Metadata",
"Module: Module Load",
"Script: Script Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0853",
"external_id": "T0853"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--ae9bc590-47b5-4aba-8450-812fa2ef3c20",
"id": "bundle--6f2b0fca-3d35-480d-bb56-900367da5e75",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:02.595Z",
"type": "attack-pattern",
"id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"created": "2021-04-13T12:45:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0888",
"external_id": "T0888"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:12.694Z",
"name": "Remote System Information Discovery",
"description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Network Traffic: Network Traffic Content",
"File: File Access",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"created": "2021-04-13T12:45:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0888",
"external_id": "T0888"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
+25 -25
View File
@@ -1,32 +1,9 @@
{
"type": "bundle",
"id": "bundle--1f6b3ec0-1d24-472f-b19e-2caf2cde31e8",
"id": "bundle--de95fb0a-d9ab-404e-b012-8646cfaedcb0",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:02.785Z",
"name": "Program Upload",
"description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,7 +18,30 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-16T21:26:12.867Z",
"name": "Program Upload",
"description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow",
"Application Log: Application Log Content"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
+26 -26
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--b8ddf62e-57aa-4707-9e2c-d81b8d026c84",
"id": "bundle--0b64dfe0-5e4d-4c38-8da6-cd1c0f5be920",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:02.990Z",
"name": "Exploit Public-Facing Application",
"description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,6 +18,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:13.044Z",
"name": "Exploit Public-Facing Application",
"description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
+27 -27
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--635a831f-1e2c-4722-bdf7-359e141ec678",
"id": "bundle--291986f7-e770-44b4-b935-43d8525c550d",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:03.187Z",
"name": "Data from Information Repositories",
"description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Network Share: Network Share Access",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +28,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:13.205Z",
"name": "Data from Information Repositories",
"description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Network Share: Network Share Access",
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
+22 -22
View File
@@ -1,10 +1,30 @@
{
"type": "bundle",
"id": "bundle--706a3313-4d82-4731-af3d-c35de8bc256b",
"id": "bundle--852854f4-1065-422e-a52b-ecf07d60ee4b",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:03.395Z",
"type": "attack-pattern",
"id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
"created": "2021-10-14T15:25:32.143Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0864",
"external_id": "T0864"
},
{
"source_name": "North American Electric Reliability Corporation June 2021",
"description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ",
"url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:21.226Z",
"name": "Transient Cyber Asset",
"description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ",
"kill_chain_phases": [
@@ -28,26 +48,6 @@
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
"created": "2021-10-14T15:25:32.143Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0864",
"external_id": "T0864"
},
{
"source_name": "North American Electric Reliability Corporation June 2021",
"description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ",
"url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
+27 -27
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--553287a0-f0a8-4d61-8481-09b99b9fb68a",
"id": "bundle--43977e83-ee05-4237-9322-4f8241b4de8e",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:03.589Z",
"name": "Manipulate I/O Image",
"description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Asset: Software"
],
"type": "attack-pattern",
"id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,8 +17,8 @@
},
{
"source_name": "Dr. Kelvin T. Erickson December 2010",
"description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ",
"url": "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/"
"description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved November 17, 2024.",
"url": "https://www.scribd.com/document/458637574/Programmable-Logic-Controllers"
},
{
"source_name": "Nanjundaiah, Vaidyanath",
@@ -52,6 +28,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:22.225Z",
"name": "Manipulate I/O Image",
"description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Asset: Software"
]
}
]
ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
+26 -26
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--79752e46-017e-4c27-997e-0790f802dd84",
"id": "bundle--a25b7d42-ebb5-4cbc-a4ed-a8228a3c473f",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:03.783Z",
"name": "Network Sniffing",
"description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:13.380Z",
"name": "Network Sniffing",
"description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
]
}
]
ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--1f332081-fd16-4521-b9a8-9f3dfd729531",
"id": "bundle--a6c6ff04-05f5-4e38-b9c6-172c772de1ca",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:03.989Z",
"name": "Rootkit",
"description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Firmware: Firmware Modification"
],
"type": "attack-pattern",
"id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:13.542Z",
"name": "Rootkit",
"description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Firmware: Firmware Modification"
]
}
]
ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
+27 -27
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--a39c0736-3814-493d-8ee9-59671932bca0",
"id": "bundle--cad665a0-d7fd-49c0-8417-2558d53d1721",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-04-05T16:34:58.587Z",
"name": "Automated Collection",
"description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Script: Script Execution",
"Command: Command Execution",
"File: File Access",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
"created": "2020-05-21T17:43:26.506Z",
@@ -44,8 +19,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:24.843Z",
"name": "Automated Collection",
"description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Script: Script Execution",
"Command: Command Execution",
"File: File Access",
"Network Traffic: Network Traffic Content"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--57aeafde-021f-4a0d-9d40-72f950dd57f5",
"id": "bundle--f9573cc1-e0f6-409c-962e-573df978f272",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:04.376Z",
"name": "Block Reporting Message",
"description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Operational Databases: Process/Event Alarm",
"Process: Process Termination",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Process History/Live Data"
],
"type": "attack-pattern",
"id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"created": "2020-05-21T17:43:26.506Z",
@@ -56,6 +28,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:13.771Z",
"name": "Block Reporting Message",
"description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Operational Databases: Process/Event Alarm",
"Process: Process Termination",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Process History/Live Data"
]
}
]
ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--533244eb-f45e-46c7-9cf1-4c272d6a9500",
"id": "bundle--6df02c62-8cf5-4939-8b69-18997fb3d249",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:04.582Z",
"name": "Unauthorized Command Message",
"description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Operational Databases: Process History/Live Data",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Process/Event Alarm",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"created": "2020-05-21T17:43:26.506Z",
@@ -61,6 +33,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:13.939Z",
"name": "Unauthorized Command Message",
"description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Operational Databases: Process History/Live Data",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Process/Event Alarm",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
+31 -31
View File
@@ -1,39 +1,9 @@
{
"type": "bundle",
"id": "bundle--1bdc3edd-17bd-43d4-83d8-daf594aa742e",
"id": "bundle--4fa08406-2946-4697-9bba-8f2d88527e94",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:04.784Z",
"name": "Data Destruction",
"description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Matan Dobrushin - Otorio"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File: File Modification",
"Process: Process Creation",
"File: File Deletion",
"Command: Command Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"created": "2020-05-21T17:43:26.506Z",
@@ -53,6 +23,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:14.108Z",
"name": "Data Destruction",
"description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Matan Dobrushin - Otorio"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File: File Modification",
"Process: Process Creation",
"File: File Deletion",
"Command: Command Execution"
]
}
]
ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
+25 -25
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--5c4da42c-f734-42b6-b5db-2285d7bdee96",
"id": "bundle--cdcb11fc-3cb4-47e4-bfd8-ecee63541d46",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:04.993Z",
"name": "Manipulation of View",
"description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,8 +22,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
"description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
"url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
"description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
"url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-15T19:58:29.210Z",
"name": "Manipulation of View",
"description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
+23 -26
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--3b005c8d-61dc-4d46-a0d6-157d5d939213",
"id": "bundle--f39bd2f2-9db6-414c-a880-1b3a3777a97b",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Data Historian Compromise",
"description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Joe Slowik - Dragos"
],
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0",
"x_mitre_permissions_required": [
"Administrator"
],
"type": "attack-pattern",
"id": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:51.727Z",
"name": "Data Historian Compromise",
"description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Joe Slowik - Dragos"
],
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
+21 -21
View File
@@ -1,29 +1,9 @@
{
"type": "bundle",
"id": "bundle--27b1a151-53d0-4567-8eeb-76c6c036c5ae",
"id": "bundle--85da482c-b831-4051-b333-486ead28f76f",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Network Service Scanning",
"description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:51.904Z",
"name": "Network Service Scanning",
"description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
+30 -30
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--b8192762-5f51-40fa-a5cd-bc6c258fe194",
"id": "bundle--86199163-b93e-466a-b9a2-5e1d09373077",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:05.190Z",
"name": "Indicator Removal on Host",
"description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: OS API Execution",
"Windows Registry: Windows Registry Key Modification",
"File: File Metadata",
"Windows Registry: Windows Registry Key Deletion",
"File: File Deletion",
"File: File Modification",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,7 +18,35 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-16T21:26:14.295Z",
"name": "Indicator Removal on Host",
"description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: OS API Execution",
"Windows Registry: Windows Registry Key Modification",
"File: File Metadata",
"Windows Registry: Windows Registry Key Deletion",
"File: File Deletion",
"File: File Modification",
"Process: Process Creation"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--faa10d6c-6bd5-4a61-a008-889e57071231",
"id": "bundle--a3ca25ad-ced3-4a57-a5e0-bed2cdb947db",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:05.375Z",
"name": "I/O Image",
"description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Asset: Software"
],
"type": "attack-pattern",
"id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
"created": "2020-05-21T17:43:26.506Z",
@@ -52,6 +28,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:14.462Z",
"name": "I/O Image",
"description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Asset: Software"
]
}
]
ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
+25 -25
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--96dc18b5-f6f5-4720-89e3-f8dbda8499a9",
"id": "bundle--d59e3a0c-1396-490f-ab55-0ecdec418a30",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:05.576Z",
"name": "Denial of View",
"description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"type": "attack-pattern",
"id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,8 +22,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
"description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
"url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
"description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
"url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-15T19:58:33.142Z",
"name": "Denial of View",
"description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1"
}
]
}
ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--69e547b8-a453-4f69-8080-b3ae4892938c",
"id": "bundle--889e1502-c9d0-4104-ad6c-f4ff6ec5e672",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:05.776Z",
"name": "Execution through API",
"description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Process: OS API Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"created": "2020-05-21T17:43:26.506Z",
@@ -42,6 +18,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:14.643Z",
"name": "Execution through API",
"description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Process: OS API Execution"
]
}
]
ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--097b7c03-fddb-4a38-b5c9-29f34aff6f0f",
"id": "bundle--ab94c0aa-e315-4ed7-a8df-6a86222d8ecc",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:05.975Z",
"name": "Supply Chain Compromise",
"description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"File: File Metadata"
],
"type": "attack-pattern",
"id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"created": "2020-05-21T17:43:26.506Z",
@@ -52,6 +28,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:14.822Z",
"name": "Supply Chain Compromise",
"description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"File: File Metadata"
]
}
]
ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
+22 -22
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--3461b521-8496-4888-8d37-2dd83eb2db82",
"id": "bundle--9255b87a-2a15-4e5a-83e5-5773ac59a8e4",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Serial Connection Enumeration",
"description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Input/Output Server",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55",
"created": "2020-05-21T17:43:26.506Z",
@@ -39,6 +18,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:52.087Z",
"name": "Serial Connection Enumeration",
"description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Input/Output Server",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
+23 -23
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--eb38914c-283d-43c9-bdb9-cfb535fb24e0",
"id": "bundle--f01dc995-36c5-41e6-a524-19a8122a3262",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:06.171Z",
"name": "Loss of Safety",
"description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2",
"created": "2020-05-21T17:43:26.506Z",
@@ -39,7 +18,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-16T21:26:14.990Z",
"name": "Loss of Safety",
"description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
+23 -23
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--7ba93ba2-f891-411c-9c94-235052400dfd",
"id": "bundle--f2f5b59a-e53f-4acb-ac38-9238729b0fa3",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:06.362Z",
"name": "Loss of Productivity and Revenue",
"description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-16T21:26:15.157Z",
"name": "Loss of Productivity and Revenue",
"description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
+28 -28
View File
@@ -1,36 +1,9 @@
{
"type": "bundle",
"id": "bundle--b0ce9c57-5635-4dff-ae3f-8ab72b0f09c0",
"id": "bundle--133a6d06-ef69-4f88-974b-2bf7e5688bc1",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:06.577Z",
"name": "Spearphishing Attachment",
"description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
"created": "2020-05-21T17:43:26.506Z",
@@ -55,6 +28,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:15.346Z",
"name": "Spearphishing Attachment",
"description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
+21 -21
View File
@@ -1,29 +1,9 @@
{
"type": "bundle",
"id": "bundle--c75b9124-9865-4a99-ba8a-2dab9ab6df16",
"id": "bundle--22469621-9b58-4ec6-9d66-d52cef9d56fc",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Location Identification",
"description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Control Server"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,6 +23,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:52.279Z",
"name": "Location Identification",
"description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Control Server"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
+22 -22
View File
@@ -1,29 +1,9 @@
{
"type": "bundle",
"id": "bundle--41a7a6c0-6d76-407a-be72-2471f5b0d58f",
"id": "bundle--b4f560a0-3610-4229-9998-094af21dcb03",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-04-08T18:54:40.925Z",
"name": "Autorun Image",
"description": "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. \n\nAn example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine\u2019s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Drive: Drive Creation",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"created": "2024-03-26T15:39:19.473Z",
@@ -39,8 +19,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:42.824Z",
"name": "Autorun Image",
"description": "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. \n\nAn example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine\u2019s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Drive: Drive Creation",
"Process: Process Creation"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--c963a2d1-8b04-47db-bccc-324b0b9e0aa3",
"id": "bundle--2e5acb2b-5a1a-443e-8afd-d5550bf0408b",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:06.780Z",
"name": "Drive-by Compromise",
"description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content",
"Process: Process Creation",
"File: File Creation",
"Network Traffic: Network Connection Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:15.525Z",
"name": "Drive-by Compromise",
"description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content",
"Process: Process Creation",
"File: File Creation",
"Network Traffic: Network Connection Creation"
]
}
]
ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
+23 -23
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--71ddb84b-37fe-4c91-a30c-b701ce0a19b5",
"id": "bundle--f9ac335c-7037-4da7-ba5b-851549cc9d88",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:06.993Z",
"name": "Damage to Property",
"description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"type": "attack-pattern",
"id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
"created": "2020-05-21T17:43:26.506Z",
@@ -59,7 +38,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-16T21:26:15.731Z",
"name": "Damage to Property",
"description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1"
}
]
}
ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
+32 -32
View File
@@ -1,40 +1,9 @@
{
"type": "bundle",
"id": "bundle--9778118e-2f53-43ff-9aab-2381e6a13a6b",
"id": "bundle--09810e3d-9321-4126-8d77-fd62c6af61b3",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:07.260Z",
"name": "Spoof Reporting Message",
"description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Operational Databases: Device Alarm",
"Windows Registry: Windows Registry Key Modification",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +23,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:15.909Z",
"name": "Spoof Reporting Message",
"description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Operational Databases: Device Alarm",
"Windows Registry: Windows Registry Key Modification",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
+30 -30
View File
@@ -1,38 +1,9 @@
{
"type": "bundle",
"id": "bundle--0eb75fb4-a17a-4c56-a8bf-55a615252a32",
"id": "bundle--5a6e7c21-f5c0-4446-871b-68e8a846db0d",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:07.457Z",
"name": "Exploitation of Remote Services",
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"created": "2020-05-21T17:43:26.506Z",
@@ -57,6 +28,35 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:16.054Z",
"name": "Exploitation of Remote Services",
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
+26 -26
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--ef7d5cac-fb78-49be-8f04-577bc15d4227",
"id": "bundle--06e4dd29-284c-4335-9a90-75e2ede9d0cc",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:07.653Z",
"name": "Default Credentials",
"description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Logon Session: Logon Session Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:16.206Z",
"name": "Default Credentials",
"description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Logon Session: Logon Session Creation"
]
}
]
ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
+27 -27
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--4457a531-7d9f-4cf5-b8cd-e3c450cafaf5",
"id": "bundle--2f4dddd5-c441-43da-807b-553123e760f2",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:07.840Z",
"name": "External Remote Services",
"description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Logon Session: Logon Session Metadata",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +28,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:16.385Z",
"name": "External Remote Services",
"description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Logon Session: Logon Session Metadata",
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--acaaabcd-008e-487b-8a1a-a831f833ee6f",
"id": "bundle--a5553ade-d94c-4347-a66d-d34d4cb5fd1c",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:08.037Z",
"type": "attack-pattern",
"id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0806",
"external_id": "T0806"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:16.573Z",
"name": "Brute Force I/O",
"description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -29,21 +44,6 @@
"Operational Databases: Process History/Live Data",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0806",
"external_id": "T0806"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
+21 -21
View File
@@ -1,29 +1,9 @@
{
"type": "bundle",
"id": "bundle--836f70fb-3693-45e5-bd37-ee84259490e6",
"id": "bundle--a068261e-2bcd-4b59-bb4f-c77aff423c2d",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Detect Program State",
"description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:52.452Z",
"name": "Detect Program State",
"description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
+33 -33
View File
@@ -1,41 +1,9 @@
{
"type": "bundle",
"id": "bundle--9cc252d5-879d-4c78-821a-5a4b1217fd0a",
"id": "bundle--1275136c-cc4a-4c29-a4c7-4d26173d592e",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:08.233Z",
"name": "Adversary-in-the-Middle",
"description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Conrad Layne - GE Digital"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "2.0",
"x_mitre_data_sources": [
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation",
"Network Traffic: Network Traffic Flow",
"Service: Service Creation",
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"created": "2020-05-21T17:43:26.506Z",
@@ -60,6 +28,38 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:16.777Z",
"name": "Adversary-in-the-Middle",
"description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Conrad Layne - GE Digital"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "2.0",
"x_mitre_data_sources": [
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation",
"Network Traffic: Network Traffic Flow",
"Service: Service Creation",
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--1be9e353-003b-4ebd-aaa0-dd2a964831a1",
"id": "bundle--93700baa-0b76-4e23-bccc-1674d1d3ef78",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:08.425Z",
"name": "Exploitation for Evasion",
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"created": "2020-05-21T17:43:26.506Z",
@@ -42,6 +18,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:16.960Z",
"name": "Exploitation for Evasion",
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
+28 -28
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--d62a83c9-711a-4a21-b1c7-fa75765acd3d",
"id": "bundle--aeaf45e6-04a8-44e3-a5ef-eca159afc5d3",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:08.613Z",
"name": "Loss of Control",
"description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Dragos Threat Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,8 +27,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
"description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
"url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
"description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
"url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -62,7 +38,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-15T19:58:56.356Z",
"name": "Loss of Control",
"description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Dragos Threat Intelligence"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
+24 -24
View File
@@ -1,32 +1,9 @@
{
"type": "bundle",
"id": "bundle--5e9fb575-f0b6-4cfe-8b9f-5fb3ddc21d73",
"id": "bundle--be6a2f77-2ba2-4e09-8b5b-9a4070996566",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Change Program State",
"description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,6 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:52.634Z",
"name": "Change Program State",
"description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
+32 -32
View File
@@ -1,38 +1,9 @@
{
"type": "bundle",
"id": "bundle--ba34e62b-16a5-495f-8e36-e8964fc532e1",
"id": "bundle--fcf7814d-9410-4862-b7f3-14423fe847e0",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:08.803Z",
"name": "Hooking",
"description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Process: OS API Execution",
"Process: Process Metadata"
],
"type": "attack-pattern",
"id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,12 +22,41 @@
},
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
"description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
"url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
"description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
"url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:58:56.978Z",
"name": "Hooking",
"description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Process: OS API Execution",
"Process: Process Metadata"
]
}
]
ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
+21 -21
View File
@@ -1,29 +1,9 @@
{
"type": "bundle",
"id": "bundle--5976f235-f6c2-4317-9336-c9f82cbf1ee0",
"id": "bundle--19a2cab1-f790-4aab-b40e-9512a3e31248",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Control Device Identification",
"description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:52.814Z",
"name": "Control Device Identification",
"description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
+26 -26
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--1378f390-6553-47b7-ad1b-f1004f132303",
"id": "bundle--ea243e47-3870-44e7-8203-1014dac65620",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Program Organization Units",
"description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Safety Instrumented System/Protection Relay",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7",
"created": "2020-05-21T17:43:26.506Z",
@@ -58,6 +33,31 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:53.005Z",
"name": "Program Organization Units",
"description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Safety Instrumented System/Protection Relay",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--23145bc2-d7b8-4bc8-a10c-63caf3bfba5e",
"id": "bundle--b4150f22-af9d-4a46-95e1-39a1e1f6f15a",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:08.992Z",
"type": "attack-pattern",
"id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0823",
"external_id": "T0823"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:17.144Z",
"name": "Graphical User Interface",
"description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Command: Command Execution",
"Module: Module Load",
"Logon Session: Logon Session Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0823",
"external_id": "T0823"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--b632423d-92b3-497a-8aa2-629d6c076f3c",
"id": "bundle--d8908504-795d-44b3-bf0d-aa620b946956",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:09.193Z",
"name": "Rogue Master",
"description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Asset: Asset Inventory",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"created": "2020-05-21T17:43:26.506Z",
@@ -56,6 +28,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:17.326Z",
"name": "Rogue Master",
"description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Asset: Asset Inventory",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--4972b7e0-c17d-4a0f-af4c-a7aaa5ad26af",
"id": "bundle--48d4bf79-47bc-46e7-ab38-be3dd6aa9f07",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:09.388Z",
"name": "Native API",
"description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: OS API Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"created": "2021-04-13T12:36:26.506Z",
@@ -47,6 +23,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:17.499Z",
"name": "Native API",
"description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "execution"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: OS API Execution"
]
}
]
ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
+25 -25
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--2fa63742-4411-4571-8bed-28bca022962b",
"id": "bundle--5f9329b1-46b1-4ba0-9b56-90b3135a2fa7",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:09.581Z",
"name": "Loss of Availability",
"description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,8 +27,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
"description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
"url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
"description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
"url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -59,7 +38,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-15T19:59:00.088Z",
"name": "Loss of Availability",
"description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0"
}
]
}
ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
+19 -19
View File
@@ -1,27 +1,9 @@
{
"type": "bundle",
"id": "bundle--ffb06f32-b4e5-4077-8c43-a7600cd41892",
"id": "bundle--ae21e6de-3a21-4dfb-ba97-5818b2e38425",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:09.780Z",
"name": "Theft of Operational Information",
"description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,6 +28,24 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:17.698Z",
"name": "Theft of Operational Information",
"description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
+32 -32
View File
@@ -1,40 +1,9 @@
{
"type": "bundle",
"id": "bundle--f2d4acb1-93ef-4dd4-891c-78bfedc23a1f",
"id": "bundle--32ab5228-b389-4925-b7f1-4dd98e2cba1c",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:09.988Z",
"name": "System Firmware",
"description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Operational Databases: Device Alarm",
"Application Log: Application Log Content",
"Firmware: Firmware Modification",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +23,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:17.862Z",
"name": "System Firmware",
"description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Operational Databases: Device Alarm",
"Application Log: Application Log Content",
"Firmware: Firmware Modification",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--83486cc8-a5fa-4057-aca0-3a32c79d44b7",
"id": "bundle--e8170aeb-4be4-440b-bb34-82b9535b4139",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:10.181Z",
"type": "attack-pattern",
"id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0849",
"external_id": "T0849"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:18.036Z",
"name": "Masquerading",
"description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "evasion"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -34,21 +49,6 @@
"Service: Service Modification",
"File: File Metadata",
"Scheduled Job: Scheduled Job Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0849",
"external_id": "T0849"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--5c1cc0ff-bdfd-4d8e-b01a-eae1f7e66076",
"id": "bundle--2614ea9c-4934-4cbf-8be3-1c13bf46f055",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:10.374Z",
"type": "attack-pattern",
"id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0843",
"external_id": "T0843"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:18.212Z",
"name": "Program Download",
"description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Network Traffic: Network Traffic Content",
"Asset: Asset Inventory",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0843",
"external_id": "T0843"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
+30 -30
View File
@@ -1,36 +1,9 @@
{
"type": "bundle",
"id": "bundle--44ed6ffd-b66f-4bc1-8505-1f8a96211f29",
"id": "bundle--b5c26b72-55cc-4f16-8c39-e118dbdd9223",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:10.581Z",
"name": "Replication Through Removable Media",
"description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Drive: Drive Creation",
"File: File Access"
],
"type": "attack-pattern",
"id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"created": "2020-05-21T17:43:26.506Z",
@@ -74,8 +47,8 @@
},
{
"source_name": "Lee Mathews April 2016",
"description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 ",
"url": "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"
"description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses. Retrieved November 17, 2024. ",
"url": "https://web.archive.org/web/20160430041256/https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"
},
{
"source_name": "Peter Dockrill April 2016",
@@ -95,6 +68,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:59:04.946Z",
"name": "Replication Through Removable Media",
"description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Drive: Drive Creation",
"File: File Access"
]
}
]
ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
+24 -24
View File
@@ -1,31 +1,9 @@
{
"type": "bundle",
"id": "bundle--a570b71e-8b82-4865-a1f4-cc6f1a1e5173",
"id": "bundle--6c373f47-49c5-4f8e-b889-3e4f980fada6",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:10.768Z",
"name": "Screen Capture",
"description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: OS API Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
"created": "2020-05-21T17:43:26.506Z",
@@ -45,7 +23,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-16T21:26:18.404Z",
"name": "Screen Capture",
"description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: OS API Execution"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--02b8f3c5-2a3a-4352-9a3b-33aaa84273f8",
"id": "bundle--00ddd774-5dc8-4b38-8a17-e8b6bbd5c699",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:10.962Z",
"type": "attack-pattern",
"id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
"created": "2022-09-29T13:35:38.589Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0891",
"external_id": "T0891"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:18.583Z",
"name": "Hardcoded Credentials",
"description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n",
"kill_chain_phases": [
@@ -17,7 +32,7 @@
"phase_name": "persistence"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Aagam Shah, @neutrinoguy, ABB"
],
@@ -35,21 +50,6 @@
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Logon Session: Logon Session Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
"created": "2022-09-29T13:35:38.589Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0891",
"external_id": "T0891"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
+23 -23
View File
@@ -1,10 +1,30 @@
{
"type": "bundle",
"id": "bundle--166ab5b2-be5f-4c56-8151-2918c3ba7586",
"id": "bundle--40df16fb-ef03-4283-a207-a5b7d9b7b671",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:11.152Z",
"type": "attack-pattern",
"id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0859",
"external_id": "T0859"
},
{
"source_name": "Booz Allen Hamilton",
"description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:59:08.866Z",
"name": "Valid Accounts",
"description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.",
"kill_chain_phases": [
@@ -17,7 +37,7 @@
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -33,26 +53,6 @@
"User Account: User Account Authentication",
"Logon Session: Logon Session Creation",
"Logon Session: Logon Session Metadata"
],
"type": "attack-pattern",
"id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0859",
"external_id": "T0859"
},
{
"source_name": "Booz Allen Hamilton",
"description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
+25 -25
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--f3afcc6e-b21d-48d8-bdc8-cddc2211fb60",
"id": "bundle--a3b0d9d7-ae47-400e-8ee1-77e5365758b2",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:11.342Z",
"name": "Exploitation for Privilege Escalation",
"description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"created": "2021-04-13T12:08:26.506Z",
@@ -47,6 +23,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:18.792Z",
"name": "Exploitation for Privilege Escalation",
"description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Application Log: Application Log Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
+28 -28
View File
@@ -1,36 +1,9 @@
{
"type": "bundle",
"id": "bundle--24adbeb1-e300-473e-88e7-6aadcb9a249b",
"id": "bundle--2bd4cef1-641a-4722-887d-f261b9efc449",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:11.536Z",
"name": "Remote System Discovery",
"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"File: File Access",
"Process: Process Creation",
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow"
],
"type": "attack-pattern",
"id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"created": "2020-05-21T17:43:26.506Z",
@@ -50,6 +23,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:18.958Z",
"name": "Remote System Discovery",
"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"File: File Access",
"Process: Process Creation",
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow"
]
}
]
ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
+23 -23
View File
@@ -1,31 +1,9 @@
{
"type": "bundle",
"id": "bundle--555c450b-727a-4e31-aa9c-067499ffdd4f",
"id": "bundle--a8c31a6a-a4f4-4ba3-b2e6-2527461702d5",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "Engineering Workstation Compromise",
"description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_contributors": [
"Joe Slowik - Dragos"
],
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Engineering Workstation"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73",
"created": "2020-05-21T17:43:26.506Z",
@@ -40,6 +18,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:53.188Z",
"name": "Engineering Workstation Compromise",
"description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Joe Slowik - Dragos"
],
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Engineering Workstation"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
+26 -26
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--23de2ce1-2cf0-4574-a9bd-68236905a71f",
"id": "bundle--5e811156-2755-4ff1-a0c7-20301dd4df2a",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:11.730Z",
"name": "Connection Proxy",
"description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow"
],
"type": "attack-pattern",
"id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:19.127Z",
"name": "Connection Proxy",
"description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow"
]
}
]
ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
+24 -24
View File
@@ -1,31 +1,9 @@
{
"type": "bundle",
"id": "bundle--97265cde-e124-4fab-9c18-10f26de60ea4",
"id": "bundle--6267d0ac-b0a0-4180-8621-08100653ac52",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:11.924Z",
"name": "Standard Application Layer Protocol",
"description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"created": "2020-05-21T17:43:26.506Z",
@@ -40,7 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_is_subtechnique": false
"modified": "2025-04-16T21:26:19.328Z",
"name": "Standard Application Layer Protocol",
"description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
+26 -26
View File
@@ -1,36 +1,13 @@
{
"type": "bundle",
"id": "bundle--adb91bed-2695-436a-9cb2-446823316620",
"id": "bundle--9182bcd0-390c-4b43-bf01-5cf9ad28e4c9",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Safety Instrumented System/Protection Relay",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_domains": [
"ics-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"id": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-05-21T17:43:26.506Z",
"modified": "2022-05-06T17:47:24.401Z",
"name": "Modify Control Logic",
"description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-ics-attack",
@@ -48,9 +25,32 @@
"url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:53.367Z",
"name": "Modify Control Logic",
"description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Safety Instrumented System/Protection Relay",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
+38 -38
View File
@@ -1,46 +1,9 @@
{
"type": "bundle",
"id": "bundle--966d9296-9c5a-451d-8873-b85f04581261",
"id": "bundle--d02b7fc2-e53a-4dfe-a822-0d6f1e6de02c",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:12.125Z",
"name": "Remote Services",
"description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_contributors": [
"Daisuke Suzuki"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Module: Module Load",
"Logon Session: Logon Session Creation",
"Process: Process Creation",
"Command: Command Execution",
"Network Traffic: Network Connection Creation",
"Network Share: Network Share Access"
],
"type": "attack-pattern",
"id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"created": "2021-04-12T19:26:26.506Z",
@@ -75,6 +38,43 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:19.525Z",
"name": "Remote Services",
"description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Daisuke Suzuki"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Module: Module Load",
"Logon Session: Logon Session Creation",
"Process: Process Creation",
"Command: Command Execution",
"Network Traffic: Network Connection Creation",
"Network Share: Network Share Access"
]
}
]
ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
+21 -21
View File
@@ -1,29 +1,9 @@
{
"type": "bundle",
"id": "bundle--452eff69-a3dd-4813-ab68-8f16df66d525",
"id": "bundle--16384a5e-c608-483d-8945-fee73c89453e",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-05-08T20:13:24.241Z",
"name": "I/O Module Discovery",
"description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-18T18:00:53.554Z",
"name": "I/O Module Discovery",
"description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
+25 -25
View File
@@ -1,30 +1,9 @@
{
"type": "bundle",
"id": "bundle--a54bc8a8-7290-438a-a71e-e18f723f0d41",
"id": "bundle--3e8d3a44-7298-4347-b309-f6a56d02b730",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:12.329Z",
"name": "Denial of Control",
"description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"type": "attack-pattern",
"id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,8 +27,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
"description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
"url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
"description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
"url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -59,7 +38,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
],
"modified": "2025-04-15T19:59:15.775Z",
"name": "Denial of Control",
"description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impact"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1"
}
]
}
ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
+28 -28
View File
@@ -1,36 +1,9 @@
{
"type": "bundle",
"id": "bundle--d4f180ed-1af2-4742-8c59-2f9e9f1e2bcd",
"id": "bundle--da4bd50d-62c9-4e65-83be-449e9f641570",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:12.528Z",
"name": "Modify Alarm Settings",
"description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Asset: Asset Inventory",
"Operational Databases: Process History/Live Data",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"created": "2020-05-21T17:43:26.506Z",
@@ -50,6 +23,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:19.764Z",
"name": "Modify Alarm Settings",
"description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Asset: Asset Inventory",
"Operational Databases: Process History/Live Data",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
+18 -18
View File
@@ -1,10 +1,25 @@
{
"type": "bundle",
"id": "bundle--59cd50f4-f39a-433d-b7a7-3b0f18de048d",
"id": "bundle--bbf7acf4-4e05-46ca-8348-6e832f0904fe",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:12.723Z",
"type": "attack-pattern",
"id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0885",
"external_id": "T0885"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:19.961Z",
"name": "Commonly Used Port",
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "command-and-control"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Matan Dobrushin - Otorio"
],
@@ -31,21 +46,6 @@
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0885",
"external_id": "T0885"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
+27 -27
View File
@@ -1,33 +1,9 @@
{
"type": "bundle",
"id": "bundle--0eb13c33-0c38-4e28-8fef-7257613d9ee9",
"id": "bundle--5fca1011-d9c9-4e7d-85f7-7ef7142b72fa",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:12.926Z",
"name": "Project File Infection",
"description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File: File Modification"
],
"type": "attack-pattern",
"id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,8 +22,8 @@
},
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
"description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
"url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
"description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
"url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
},
{
"source_name": "PLCdev",
@@ -57,6 +33,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:59:17.481Z",
"name": "Project File Infection",
"description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File: File Modification"
]
}
]
ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
+27 -27
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--7b43c432-d90d-40a8-b589-4a18eae6c9fb",
"id": "bundle--913cdc43-a299-4e78-8ea1-65125c1ecea6",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-03-29T14:04:50.569Z",
"name": "Network Connection Enumeration",
"description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation",
"Script: Script Execution",
"Process: OS API Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,8 +29,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:59:18.381Z",
"name": "Network Connection Enumeration",
"description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "discovery"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation",
"Script: Script Execution",
"Process: OS API Execution"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
+31 -31
View File
@@ -1,39 +1,9 @@
{
"type": "bundle",
"id": "bundle--c00d0028-fb42-4009-b6da-f49897efd700",
"id": "bundle--9c78e2ed-cea3-4706-8cc5-f43f01585186",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:13.327Z",
"name": "Lateral Tool Transfer",
"description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Share: Network Share Access",
"File: File Metadata",
"File: File Creation",
"Network Traffic: Network Traffic Content",
"Command: Command Execution",
"Process: Process Creation",
"Network Traffic: Network Traffic Flow"
],
"type": "attack-pattern",
"id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"created": "2020-05-21T17:43:26.506Z",
@@ -53,6 +23,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:20.126Z",
"name": "Lateral Tool Transfer",
"description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network Share: Network Share Access",
"File: File Metadata",
"File: File Creation",
"Network Traffic: Network Traffic Content",
"Command: Command Execution",
"Process: Process Creation",
"Network Traffic: Network Traffic Flow"
]
}
]
ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
+32 -32
View File
@@ -1,40 +1,9 @@
{
"type": "bundle",
"id": "bundle--82211195-2ecb-4dcc-89d6-e940caa02156",
"id": "bundle--9e770362-e228-4724-a48c-638d81f5ae74",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:13.531Z",
"name": "Module Firmware",
"description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Operational Databases: Device Alarm",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content",
"Firmware: Firmware Modification"
],
"type": "attack-pattern",
"id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +23,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:20.310Z",
"name": "Module Firmware",
"description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Operational Databases: Device Alarm",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content",
"Firmware: Firmware Modification"
]
}
]
ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
+27 -27
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--e762995a-be87-46f4-a74d-c4f4cfaacaf6",
"id": "bundle--9fe116f9-d262-4b75-923a-440298604451",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:13.719Z",
"name": "Internet Accessible Device",
"description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Logon Session: Logon Session Metadata",
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
"created": "2020-05-21T17:43:26.506Z",
@@ -64,6 +38,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:20.494Z",
"name": "Internet Accessible Device",
"description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Logon Session: Logon Session Metadata",
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
+28 -28
View File
@@ -1,35 +1,9 @@
{
"type": "bundle",
"id": "bundle--3ad49b55-2e6e-49ba-8c41-b12d9b73b8fe",
"id": "bundle--510a7e3d-301a-49ce-b257-aa3db1b447f1",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-04-09T20:51:03.049Z",
"name": "Data from Local System",
"description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File: File Access",
"Process: Process Creation",
"Script: Script Execution",
"Process: OS API Execution",
"Command: Command Execution"
],
"type": "attack-pattern",
"id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"created": "2023-03-30T18:56:02.424Z",
@@ -45,8 +19,34 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:59:23.577Z",
"name": "Data from Local System",
"description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "collection"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File: File Access",
"Process: Process Creation",
"Script: Script Execution",
"Process: OS API Execution",
"Command: Command Execution"
]
}
]
}
ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
+29 -29
View File
@@ -1,37 +1,9 @@
{
"type": "bundle",
"id": "bundle--5e3112d8-ae6b-4375-9c52-d7ffd3a4d628",
"id": "bundle--7d9f23e6-5d81-41de-9f2b-31759b393997",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-13T17:57:14.123Z",
"name": "Change Credential",
"description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_contributors": [
"Felix Eberstaller"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"created": "2023-03-30T14:04:17.023Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-16T21:26:20.690Z",
"name": "Change Credential",
"description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Felix Eberstaller"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content"
]
}
]
ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
+27 -27
View File
@@ -1,34 +1,9 @@
{
"type": "bundle",
"id": "bundle--8f2ae4b7-530b-4504-b2b5-50b41bbb5109",
"id": "bundle--637b5a60-80a2-47e9-a0f3-47f36f8583f8",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-20T17:01:10.138Z",
"name": "Modify Program",
"description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Operational Databases: Device Alarm",
"Asset: Software",
"Application Log: Application Log Content"
],
"type": "attack-pattern",
"id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
"created": "2021-04-13T11:15:26.506Z",
@@ -49,8 +24,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-04-15T19:59:24.213Z",
"name": "Modify Program",
"description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "persistence"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Operational Databases: Device Alarm",
"Asset: Software",
"Application Log: Application Log Content"
]
}
]
}
ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json
+52
View File
@@ -0,0 +1,52 @@
{
"type": "bundle",
"id": "bundle--ef9a9aae-cb5e-4b18-aa5e-fe68c792d982",
"spec_version": "2.0",
"objects": [
{
"modified": "2025-03-05T22:12:26.131Z",
"name": "FrostyGoop Incident",
"description": "[FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external facing services, [FrostyGoop](https://attack.mitre.org/software/S1165) was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)",
"aliases": [
"FrostyGoop Incident"
],
"first_seen": "2024-01-01T07:00:00.000Z",
"last_seen": "2024-01-01T07:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: Dragos FROSTYGOOP 2024)",
"x_mitre_last_seen_citation": "(Citation: Dragos FROSTYGOOP 2024)",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
"created": "2024-11-20T23:15:36.728Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/campaigns/C0041",
"external_id": "C0041"
},
{
"source_name": "Dragos FROSTYGOOP 2024",
"description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
"url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
},
{
"source_name": "Nozomi BUSTLEBERM 2024",
"description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.",
"url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_domains": [
"ics-attack",
"enterprise-attack"
]
}
]
}
ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
+4 -4
View File
@@ -1,10 +1,10 @@
{
"type": "bundle",
"id": "bundle--5dd7c7e9-b7dd-43be-b8a6-ce16e9bdd2ea",
"id": "bundle--ce7b0aa1-40fe-4f95-8dc0-0d1e46438f1c",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-04-17T16:17:07.038Z",
"modified": "2024-11-17T16:15:02.223Z",
"name": "Triton Safety Instrumented System Attack",
"description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n",
"aliases": [
@@ -39,8 +39,8 @@
},
{
"source_name": "FireEye TRITON 2018",
"description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
"description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
}
],
"object_marking_refs": [
ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
+3 -3
View File
@@ -1,10 +1,10 @@
{
"type": "bundle",
"id": "bundle--85bb0799-72d7-4482-80c0-fd3ea684e94e",
"id": "bundle--2709cbca-b601-4852-83b6-69e48f6aedd9",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-10-06T14:05:01.054Z",
"modified": "2024-12-18T18:59:44.199Z",
"name": "2015 Ukraine Electric Power Attack",
"description": "[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.",
"aliases": [
@@ -29,7 +29,7 @@
},
{
"source_name": "Booz Allen Hamilton",
"description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
"description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
+14 -14
View File
@@ -1,21 +1,9 @@
{
"type": "bundle",
"id": "bundle--c472ba63-5b0e-427a-876a-de185da70cb6",
"id": "bundle--1b9e4f7d-f588-42af-87f0-84235e07e0ee",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-09-20T22:40:13.147Z",
"name": "Oldsmar Treatment Plant Intrusion",
"description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)",
"aliases": [
"Oldsmar Treatment Plant Intrusion"
],
"first_seen": "2021-02-01T05:00:00.000Z",
"last_seen": "2021-02-01T05:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
"x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
"x_mitre_deprecated": true,
"x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2",
"created": "2022-09-20T20:53:14.373Z",
@@ -46,8 +34,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"modified": "2025-04-18T18:00:54.375Z",
"name": "Oldsmar Treatment Plant Intrusion",
"description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)",
"aliases": [
"Oldsmar Treatment Plant Intrusion"
],
"first_seen": "2021-02-01T05:00:00.000Z",
"last_seen": "2021-02-01T05:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
"x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": true,
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
]
ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
+14 -14
View File
@@ -1,21 +1,9 @@
{
"type": "bundle",
"id": "bundle--ca8409de-8fbf-46ab-86c4-f4938393f64b",
"id": "bundle--14914036-831d-49d2-b2f1-6028dfbec3cd",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-04-05T22:00:43.353Z",
"name": "Maroochy Water Breach",
"description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)",
"aliases": [
"Maroochy Water Breach"
],
"first_seen": "2000-02-01T05:00:00.000Z",
"last_seen": "2000-04-01T05:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)",
"x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"created": "2023-03-10T20:01:08.133Z",
@@ -36,8 +24,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"modified": "2025-04-16T21:26:23.900Z",
"name": "Maroochy Water Breach",
"description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)",
"aliases": [
"Maroochy Water Breach"
],
"first_seen": "2000-02-01T05:00:00.000Z",
"last_seen": "2000-04-01T05:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)",
"x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
]

Some files were not shown because too many files have changed in this diff Show More