cti/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json

{
    "type": "bundle",
    "id": "bundle--ee61e090-d199-47ba-9ebf-d1738686a4da",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7",
            "created": "2020-05-21T17:43:26.506Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-ics-attack",
                    "url": "https://attack.mitre.org/techniques/T0844",
                    "external_id": "T0844"
                },
                {
                    "source_name": "Guidance - IEC61131",
                    "description": "John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.",
                    "url": "http://www.dee.ufrj.br/controle%20automatico/cursos/IEC61131-3%20Programming%20Industrial%20Automation%20Systems.pdf"
                },
                {
                    "source_name": "PLCBlaster - Spenneberg",
                    "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.",
                    "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
                },
                {
                    "source_name": "Stuxnet - Symantec - 201102",
                    "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.",
                    "url": "https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20stuxnet%20dossier.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-24T17:49:13.466Z",
            "name": "Program Organization Units",
            "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n  \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected  (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-ics-attack",
                    "phase_name": "lateral-movement"
                },
                {
                    "kill_chain_name": "mitre-ics-attack",
                    "phase_name": "execution"
                }
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_deprecated": true,
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Windows",
                "Safety Instrumented System/Protection Relay",
                "Field Controller/RTU/PLC/IED"
            ],
            "x_mitre_version": "1.0"
        }
    ]
}