diff --git a/ics-groups_galaxy.json b/ics-groups_galaxy.json
deleted file mode 100644
index e8850ac..0000000
--- a/ics-groups_galaxy.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "ATT&CK for ICS Groups",
- "icon": "skull-crossbones",
- "name": "Groups",
- "namespace": "mitre-attack-for-ics",
- "type": "mitre-ics-groups",
- "uuid": "abb28bd9-fa79-4815-b5b3-fb138f433e55",
- "version": 1
-}
diff --git a/ics_assets_cluster.json b/ics_assets_cluster.json
deleted file mode 100644
index f6cb53d..0000000
--- a/ics_assets_cluster.json
+++ /dev/null
@@ -1,298 +0,0 @@
-{
- "author": [
- "Tony Williams"
- ],
- "category": "Assets",
- "description": "A list of asset categories that are commonly found in industrial control systems.",
- "name": "Assets",
- "source": "https://collaborate.mitre.org/attackics/index.php/All_Assets",
- "type": "mitre-ics-assets",
- "uuid": "0594fbc2-6267-479b-85a3-c4be8e044454",
- "values": [
- {
- "description": "A device which acts as both a server and controller, that hosts the control software used in communicating with lower-level control devices in an ICS network (e.g. Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)).",
- "meta": {
- "References": [
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ],
- "Levels": [
- "Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
- ],
- "Notes": [
- "A control server may also be referred to with these terms in a SCADA system: MTU, supervisory controller, or SCADA server."
- ],
- "Techniques That Apply": [
- "Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
- "Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
- "Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
- "Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
- "Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
- "Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
- "External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
- "Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
- "Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
- "Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
- "Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
- "Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
- "Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801 ",
- "Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
- "Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
- "Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
- "Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
- "Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
- "Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
- "Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
- "Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ]
- },
- "uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
- "value": "Control Server"
-},
- {
- "description": "A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.",
- "meta": {
- "references": [
- "https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
- ],
- "Levels": [
- "Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
- ],
- "Techniques That Apply": [
- "Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
- "Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
- "Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
- "Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
- "Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
- "Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
- "Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
- "Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
- "Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
- "Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ]
- },
- "uuid": "da06d4aa-2471-4582-aadf-e1653dd6575c",
- "value": "Data Historian"
-},
- {
- "description": "The engineering workstation is usually a high-end very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, high speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications.",
- "meta": {
- "referencess": [
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ],
- "Levels": [
- "Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0 ",
- "Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
- "Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
- ],
- "Notes": [
- "Many engineering workstations are laptops. Because of their mobile nature, lack of desktop standard, and frequent connection to control system devices and network, engineering workstations can serve as entry points for attacks."
- ],
- "Techniques That Apply": [
- "Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
- "Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
- "Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
- "Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
- "Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
- "Hooking https://collaborate.mitre.org/attackics/index.php/Technique/T874 ",
- "Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
- "Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
- "Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
- "Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
- "Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
- "Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
- "Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ]
- },
- "uuid": "b34cba3b-4294-4149-b119-214fadef0d01",
- "value": "Engineering Workstation"
-},
- {
- "description": "Controller terminology depends on the type of system they are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), are computerized control units that are typically rack or panel mounted with modular processing and interface cards. The units are collocated with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most utilize a programmable logic-based application that provides scanning and writing of data to and from the IO interface modules and communicates with the control system network via various communications methods, including serial and network communications",
- "meta": {
- "referencess": [
- "https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
- "http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ],
- "Levels": [
- "Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
- "Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
- ],
- "Notes": [
- "Typically programmed in an IEC 61131 programming language, a PLC is designed for real time use in rugged, industrial environments. Connected to sensors and actuators, PLCs are categorized by the number and type of I/O ports they provide and by their I/O scan rate. \nAn RTU is a special purpose field device that supports SCADA remote stations with both wired and wireless communication capabilities, in order to communicate with the supervisory controller. Wireless radio is leveraged in remote situations where wired communications are not available; typically with field equipment. This role may also be fulfilled by PLCs with radio communication capabilities. The PLC may still be referred to as an RTU in this case."
- ],
- "Techniques That Apply": [
- "Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
- "Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
- "Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
- "Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
- "Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
- "Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805 ",
- "Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
- "Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
- "Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
- "Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
- "Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
- "Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
- "Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
- "Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
- "Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
- "Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
- "Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
- "I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
- "I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
- "Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
- "Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
- "Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838 ",
- "Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
- "Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
- "Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
- "Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
- "Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
- "Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
- "Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
- "Program Organisational Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
- "Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
- "Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
- "Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
- "Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
- "System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
- "Unauthorised Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855",
- "Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ]
- },
- "uuid": "1de9f3b2-07fc-4614-b07f-d5468e51770a",
- "value": "Field Controller/RTU/PLC/IED"
-},
- {
- "description": "In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common: \nGraphical user interfaces(GUI) accept input via devices such as computer keyboard and mouse and provide articulated graphical output on the computer monitor. \nWeb-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program. The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI). \nThe system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.",
- "meta": {
- "referencess": [
- "https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
- "http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx"
- ],
- "Levels": [
- "Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
- "Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
- ],
- "Notes": [
- "In many cases, these involve video screens or computer terminals, push buttons, auditory feedback, flashing lights, etc. The human-machine interface provides means of: \nInput - allowing the users to control the machine \nOutput - allowing the machine to inform the users"
- ],
- "Techniques That Apply": [
- "Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
- "Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
- "Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
- "Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
- "Exploit of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
- "Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
- "Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
- "Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
- "Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
- "Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
- "Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
- "Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
- "Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
- "Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
- "Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
- "Point and Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
- "Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
- "Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
- "Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
- "Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
- "Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
- "Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852",
- "Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
- "Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ]
- },
- "uuid": "3894cc68-79e0-4673-8548-c6e1b57a93e2",
- "value": "Human-Machine Interface"
-},
- {
- "description": "The Input/Output (I/O) server provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The I/O server, sometimes referred to as a Front-End Processor (FEP) or Data Acquisition Server (DAS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The I/O server also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.",
- "meta": {
- "referencess": [
- "https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
- ],
- "Levels": [
- "Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
- ],
- "Techniques That Apply": [
- "Blocking Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
- "Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
- "External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
- "Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
- "System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ]
- },
- "uuid": "c98dda59-afe3-4154-b672-96f18cb5991b",
- "value": "Input/Output Server"
-},
- {
- "description": "A safety instrumented system (SIS) takes automated action to keep a plant in a safe state, or to put it into a safe state, when abnormal conditions are present. The SIS may implement a single function or multiple functions to protect against various process hazards in your plant. The function of protective relaying is to cause the prompt removal from service of an element of a power system when it suffers a short circuit or when it starts to operate in any abnormal manner that might cause damage or otherwise interfere with the effective operation of the rest of the system.",
- "meta": {
- "referencess": [
- "http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf",
- "http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf"
- ],
- "Levels": [
- "Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
- "Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
- ],
- "Techniques That Apply": [
- "Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
- "Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
- "Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
- "Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885 ",
- "Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
- "Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
- "Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
- "Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
- "Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
- "Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
- "Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
- "Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839 ",
- "Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
- "Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
- "Program Organisation Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
- "Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
- "Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
- "Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
- "Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "
- ]
- },
- "uuid": "01ce6089-11cb-422f-ab05-ffe61ee4b21c",
- "value": "Safety Instrumented System/Protection Relay"
-}
- ],
- "version": 1
-}
-
-
-
-
-
-
-
-
-
-
-
diff --git a/ics_assets_galaxy.json b/ics_assets_galaxy.json
deleted file mode 100644
index 511803b..0000000
--- a/ics_assets_galaxy.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "ATT&CK for ICS Assets",
- "icon": "certificate",
- "name": "Assets",
- "namespace": "mitre-attack-for-ics",
- "type": "mitre-ics-assets",
- "uuid": "86b19468-784e-4ec9-9af9-f069aa4cf70d",
- "version": 1
-}
-
diff --git a/ics_groups_cluster.json b/ics_groups_cluster.json
deleted file mode 100644
index 193d5e3..0000000
--- a/ics_groups_cluster.json
+++ /dev/null
@@ -1,270 +0,0 @@ -{ - "author": [ - "Tony Williams" - ], - "category": "Groups", - "description": "Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.", - "name": "Groups", - "source": "https://collaborate.mitre.org/attackics/index.php/Groups", - "type": "mitre-ics-groups", - "uuid": "8fb1c036-8904-4d4b-82d5-0286da77eb7e", - "values": [ - { - "description": "ALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITE’s technical capabilities have not exhibited disruptive or destructive abilities. 
It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.", - "meta": { - "Associated Group Descriptions": [ - "ALLANITE", - "Palmetto Fusion" - ], - "Techniques Used": [ - "Screen Capture - ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852", - "Drive-by Compromise - ALLANITE leverages watering hole attacks to gain access into electric utilities https://collaborate.mitre.org/attackics/index.php/Technique/T817", - "Valid Accounts - ALLANITE utilized credentials collected through phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859", - "Spearphishing Attachment - ALLANITE utilized spear phishing to gain access into energy sector environments" - ], - "References": [ - "https://dragos.com/resource/allanite/", - "https://www.us-cert.gov/ncas/alerts/TA17-293A", - "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk", - "https://www.eisac.com/public-news-detail?id=115909" - ] - }, - "uuid": "fd28d200-2f1f-464a-af1f-fcadac7640a1", - "value": "ALLANITE" -}, - { - "description": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. 
The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.", - "meta": { - "Associated Group Descriptions": [ - "APT33 - Fireeye noted a potential link between APT33 and Shamoon based on similar dropper malware DROPSHOT", - "Elfin - Symantec mentioned a potential link between Elfin and Shamoon based on such close occurances of the attacks within a particular organization", - "MAGNALLIUM" - ], - "Techniques Used": [ - "Spearphishing Attachment - APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.2 APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies https://collaborate.mitre.org/attackics/index.php/Technique/T865", - "Scripting - APT33 utilized PowerShell scripts to establish command and control and install files for execution https://collaborate.mitre.org/attackics/index.php/Technique/T853", - "Screen Capture - APT33 utilize backdoors capable of capturing screenshots once installed on a system https://collaborate.mitre.org/attackics/index.php/Technique/T852" - ], - "References": [ - "https://attack.mitre.org/groups/G0064/", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", - "https://dragos.com/resource/magnallium/", - "https://www.wired.com/story/iran-hackers-us-phishing-tensions/", - "https://www.symantec.com/security-center/writeup/2017-030708-4403-99" - ] - }, - "uuid": "8f6f8a49-8a22-4494-a4c0-5a341444339a", - "value": "APT33" -}, - { - "description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. 
They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.", - "meta": { - "Associated Group Descriptions": [ - "Dragonfly", - "Energetic Bear" - ], - "Techniques Used": [ - "Screen Capture - Dragonfly has been reported to take screenshots of the GUI for ICS equipment, such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852", - "Spearphishing Attachment - Dragonfly sent pdf documents over email which contained links to malicious sites and downloads https://collaborate.mitre.org/attackics/index.php/Technique/T865", - "Drive-by Compromise - Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP https://collaborate.mitre.org/attackics/index.php/Technique/T817", - "Valid Accounts - Dragonfly leveraged compromised user credentials to access the targets networks and download tools from a remote server https://collaborate.mitre.org/attackics/index.php/Technique/T859", - "Commonly Used Port - Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138 https://collaborate.mitre.org/attackics/index.php/Technique/T885" - ], - "Software": [ - "Backdoor.Oldrea" - ], - "References": [ - "https://attack.mitre.org/groups/G0035/", - "https://dragos.com/resource/dymalloy/", - "https://www.us-cert.gov/ncas/alerts/TA17-293A", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - }, - "uuid": 
"9b4143ce-253c-45c4-a160-0d0a7450aace", - "value": "Dragonfly" -}, - { - "description": "Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0's initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.", - "meta": { - "Associated Group Descriptions": [ - "Dragonfly 2.0", - "Beserk Bear", - "DYMALLOY" - ], - "Techniques Used": [ - "Spearphishing Attachment - Dragonfly 2.0 used the Phishery tool kit to conduct spear phishing attacks and gather credentials.14 Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in the North America https://collaborate.mitre.org/attackics/index.php/Technique/T865", - "Supply Chain Compromise - Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard windows applications https://collaborate.mitre.org/attackics/index.php/Technique/T862", - "https://collaborate.mitre.org/attackics/index.php/Technique/T817 https://collaborate.mitre.org/attackics/index.php/Technique/T817", - "Valid Accounts - Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859" - ], - "References": [ - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", - "https://fortune.com/2017/09/06/hack-energy-grid-symantec/", - "https://dragos.com/resource/dymalloy/", - "https://blog.talosintelligence.com/2017/07/template-injection.html", - "https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf", - "https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf" - ] - }, - "uuid": "790c3072-49d1-4c4f-8fd0-dc3db50887c1", - "value": 
"Dragonfly 2.0"
-},
- {
- "description": "HEXANE is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. HEXANE's targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.",
- "meta": {
- "Associated Group Descriptions": [
- "HEXANE",
- "Lyceum"
- ],
- "Techniques Used": [
- "Spearphishing Attachment - HEXANE has used malicious documents to drop malware and gain access into an environment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Standard Application Layer Protocol - HEXANE communicated with command and control over HTTP and DNS https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "Valid Accounts - HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization https://collaborate.mitre.org/attackics/index.php/Technique/T859",
- "Man in the Middle - HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks https://collaborate.mitre.org/attackics/index.php/Technique/T830",
- "Scripting - HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools https://collaborate.mitre.org/attackics/index.php/Technique/T853"
- ],
- "References": [
- "https://dragos.com/resource/hexane/",
- "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
- "https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms",
- "https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003"
- ]
- },
- "uuid": 
"a529ddda-9a44-4a0f-912e-4681f442b488",
- "value": "HEXANE"
-},
- {
- "description": "Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017.3 While WannaCry was not an ICS focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
- "meta": {
- "Associated Group Descriptions": [
- "Lazarus group",
- "COVELLITE",
- "HIDDEN COBRA",
- "ZINC",
- "Guardians of Peace"
- ],
- "Techniques Used": [
- "Spearphishing Attachment - Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. Highly targeted spear phishing campaigns have been conducted against a U.S. 
electric grid company https://collaborate.mitre.org/attackics/index.php/Technique/T865"
- ],
- "Software": [
- "WannaCry"
- ],
- "References": [
- "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
- "https://dragos.com/resource/covellite/",
- "https://www.us-cert.gov/ncas/alerts/TA17-132A",
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-164A",
- "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/",
- "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos",
- "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
- ]
- },
- "uuid": "3bbf3f0f-346d-49ad-9300-3bb0f23c83ef",
- "value": "Lazarus group"
-},
- {
- "description": "Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities and initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS specific or destructive capabilities.",
- "meta": {
- "Associated Group Descriptions": [
- "Leafminer",
- "RASPITE"
- ],
- "References": [
- "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://dragos.com/resource/raspite/"
- ]
- },
- "uuid": "956a44f1-0d5c-4f3c-a9a7-16f96f9656e4",
- "value": "Leafminer"
-},
- {
- "description": "OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors as well as petrochemical, oil & gas. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco. 
",
- "meta": {
- "Associated Group Descriptions": [
- "OilRig",
- "CHRYSENE",
- "Greenbug",
- "APT 34"
- ],
- "Techniques Used": [
- "Spearphishing Attachment - OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Scripting - OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script https://collaborate.mitre.org/attackics/index.php/Technique/T853",
- "Standard Application Layer Protocol - OilRig communicated with its command and control using HTTP requests https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "Drive-by Compromise - OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks https://collaborate.mitre.org/attackics/index.php/Technique/T817",
- "Valid Accounts - OilRig utilized stolen credentials to gain access to victim machines https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ],
- "References": [
- "https://www.fireeye.com/current-threats/apt-groups.html#apt34",
- "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
- "https://dragos.com/resource/chrysene/",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
- "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
- "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"
- ]
- },
- "uuid": "4945c0e7-9f4b-404d-83b2-e5cd3f26c32f",
- "value": "OilRig"
-},
- {
- "description": "Sandworm is a threat group associated with the Kiev, Ukraine electrical transmission substation attacks which resulted in the impact of electric grid operations on December 17th, 2016. 
Sandworm has been cited as the authors of the Industroyer malware which was used in the 2016 Ukraine attacks.",
- "meta": {
- "Associated Group Descriptions": [
- "Sandworm",
- "ELECTRUM"
- ],
- "Techniques Used": [
- "Internet Accessible Device - Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet https://collaborate.mitre.org/attackics/index.php/Technique/T883",
- "Valid Accounts - Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems https://collaborate.mitre.org/attackics/index.php/Technique/T859"
- ],
- "Software": [
- "Industroyer",
- "Notpetya"
- ],
- "References": [
- "https://dragos.com/resource/electrum/",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
- "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
- "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B",
- "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
- "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/"
- ]
- },
- "uuid": "b4fbf3b0-1a5e-4bdc-8977-74fff1db19ff",
- "value": "Sandworm"
-},
- {
- "description": "XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. Xenotime has previously targeted oil & gas, as well as electric sectors within the Middle east, Europe, and North America. Xenotime has also been reported to target ICS vendors, manufacturers, and organizations in the middle east. 
This group is one of the few with reported destructive capabilities.",
- "meta": {
- "Associated Group Descriptions": [
- "XENOTIME",
- "TEMP.Veles - Fireeye attributes with high confidence that intrusion activity and Triton development was supported by a Russian government-owned technical research institution."
- ],
- "Techniques Used": [
- "Drive-by Compromise - XENOTIME utilizes watering hole websites to target industrial employees https://collaborate.mitre.org/attackics/index.php/Technique/T817",
- "External Remote Services - XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T822",
- "Valid Accounts - XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T859",
- "Supply Chain Compromise - XENOTIME targeted several ICS vendors and manufacturers https://collaborate.mitre.org/attackics/index.php/Technique/T862"
- ],
- "Software": [
- "Triton"
- ],
- "References": [
- "https://dragos.com/resource/xenotime/",
- "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
- "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"
- ]
- },
- "uuid": "acb04037-e160-4a4e-a8cf-8a53a2f8221b",
- "value": "XENOTIME"
-}
- ],
- "version": 1
-}
\ No newline at end of file
diff --git a/ics_levels_cluster.json b/ics_levels_cluster.json
deleted file mode 100644
index 098212a..0000000
--- a/ics_levels_cluster.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "author": [
- "Tony Williams"
- ],
- "category": "Levels",
- "description": "Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.",
- "name": "Levels",
- "source": "https://collaborate.mitre.org/attackics/index.php/All_Levels",
- "type": "mitre-ics-levels",
- "uuid": "952bcf79-eccd-45ac-9769-f61886bd0264",
- "values": [
- {
- "description": "The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.",
- "meta": {
- "Related Assets": [
- "Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
- "Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
- "Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
- ]
- },
- "uuid": "614c4df5-b65f-4f3c-bb9f-b67549dfce2f",
- "value": "Level 0"
-},
- {
- "description": "The control network level includes the functions involved in sensing and manipulating physical processes. 
Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).",
- "meta": {
- "Related Assets": [
- "Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
- "Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
- "Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
- "Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
- ]
- },
- "uuid": "b9b1c942-b419-4919-ba14-40b24b0fbbd5",
- "value": "Level 1"
-},
- {
- "description": "The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.",
- "meta": {
- "Related Assets": [
- "Control Server https://collaborate.mitre.org/attackics/index.php/Control_Server",
- "Data Historian https://collaborate.mitre.org/attackics/index.php/Data_Historian",
- "Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
- "Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
- "Input/Output Server https://collaborate.mitre.org/attackics/index.php/Input/Output_Server"
- ]
- },
- "uuid": "358d768d-5a97-4b1b-b185-044c1dd14357",
- "value": "Level 2"
-}
- ],
- "version": 1
-}
-
diff --git a/ics_levels_galaxy.json b/ics_levels_galaxy.json
deleted file mode 100644
index e6f3ce2..0000000
--- a/ics_levels_galaxy.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "ATT&CK for ICS Levels",
- "icon": "layer-group",
- "name": "Levels",
- "namespace": "mitre-attack-for-ics",
- "type": "mitre-ics-levels",
- "uuid": "34d60262-0e7d-4c91-859b-de1fa9c54ae7",
- "version": 1
-}
-
diff --git a/ics_software_cluster.json b/ics_software_cluster.json
deleted file mode 100644
index 993c217..0000000
--- a/ics_software_cluster.json
+++ /dev/null
@@ -1,455 +0,0 @@
-{
- "author": [
- "Tony Williams"
- ],
- "category": "Software",
- "description": "Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.",
- "name": "Software",
- "source": "https://collaborate.mitre.org/attackics/index.php/Software",
- "type": "mitre-ics-software",
- "uuid": "7d259f36-6e80-472e-9a42-9d4a83519825",
- "values": [
- {
- "description": "ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.",
- "meta": {
- "References": [
- ],
- "Techniques Used": [
- "Theft of Operational Information - ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
- "Data from Information Repositories - ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811"
- ]
- },
- "uuid": "73f55487-1e11-4cec-b57f-4cabe4633928",
- "value": "ACAD/Medre.A"
-},
- {
- "description": "Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. 
One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.",
- "meta": {
- "References": [
- "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
- "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A",
- "https://www.f-secure.com/weblog/archives/00002718.html",
- "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf",
- "https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat",
- "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939",
- "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672"
- ],
- "Groups": [
- "Dragonfly https://collaborate.mitre.org/attackics/index.php/Group/G0002"
- ],
- "Associated Software Descriptions": [
- "Backdoor.Oldrea",
- "Havex"
- ],
- "Techniques Used": [
- "Role Identification - The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process https://collaborate.mitre.org/attackics/index.php/Technique/T850",
- "Control Device Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. 
The server data and tag names can provide information about the names and function of control devices https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "Remote System Discovery - The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Location Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations https://collaborate.mitre.org/attackics/index.php/Technique/T825",
- "Denial of Service - The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications https://collaborate.mitre.org/attackics/index.php/Technique/T814",
- "Supply Chain Compromise - The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites https://collaborate.mitre.org/attackics/index.php/Technique/T862",
- "Spearphishing Attachment - The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails https://collaborate.mitre.org/attackics/index.php/Technique/T865",
- "Automated Collection - Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze https://collaborate.mitre.org/attackics/index.php/Technique/T802",
- "User Execution - Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email https://collaborate.mitre.org/attackics/index.php/Technique/T863",
- "Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag 
name, type, access, and id Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id https://collaborate.mitre.org/attackics/index.php/Technique/T861"
- ]
- },
- "uuid": "1a2b786f-6ed2-47f6-969c-8d9c62fb8f22",
- "value": "Backdoor.Oldrea, Havex"
-},
- {
- "description": "Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.",
- "meta": {
- "References": [
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "https://securelist.com/bad-rabbit-ransomware/82851/",
- "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
- ],
- "Associated Software Descriptions": [
- "Bad Rabbit",
- "Diskcoder.D"
- ],
- "Techniques Used": [
- "Drive-by Compromise - Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure https://collaborate.mitre.org/attackics/index.php/Technique/T817",
- "User Execution - Bad Rabbit is disguised as an Adobe Flash installer. 
When the file is opened it starts locking the infected computer https://collaborate.mitre.org/attackics/index.php/Technique/T863",
- "Loss of Productivity and Revenue - Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports https://collaborate.mitre.org/attackics/index.php/Technique/T828",
- "Exploitation of Remote Services - Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
- "External Remote Services - Bad Rabbit can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
- "Remote File Copy - Bad Rabbit can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
- ]
- },
- "uuid": "625cba2e-43ba-4abd-81e9-6fa78c442e6f",
- "value": "Bad Rabbit, Diskcoder.D"
-},
- {
- "description": "BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. 
It is known to have been used against the Ukrainian power grid.",
- "meta": {
- "References": [
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- ],
- "Associated Software Descriptions": [
- "BlackEnergy 3"
- ],
- "Techniques Used": [
- "Valid Accounts - BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence https://collaborate.mitre.org/attackics/index.php/Technique/T859",
- "Standard Application Layer Protocol - BlackEnergy uses HTTP POST request to contact external command and control servers https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "Spearphishing Attachment - BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865"
- ]
- },
- "uuid": "5ce0966c-0e03-4df7-8678-7d10781c0006",
- "value": "BlackEnergy 3"
-},
- {
- "description": "Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.",
- "meta": {
- "References": [
- "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
- ],
- "Associated Software Descriptions": [
- "Conficker",
- "Downadup",
- "Kido"
- ],
- "Techniques Used": [
- "Loss of Availability - A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T826",
- "Replication Through Removable Media - Conficker exploits Windows drive shares. 
Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.2 Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility https://collaborate.mitre.org/attackics/index.php/Technique/T847",
- "Loss of Productivity and Revenue - A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production https://collaborate.mitre.org/attackics/index.php/Technique/T828"
- ]
- },
- "uuid": "88b08418-dbcc-457b-b28a-9deeeac26745",
- "value": "Conficker"
-},
- {
- "description": "Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.",
- "meta": {
- "References": [
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
- ],
- "Associated Software Descriptions": [
- "Duqu"
- ],
- "Techniques Used": [
- "Theft of Operational Information - Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party https://collaborate.mitre.org/attackics/index.php/Technique/T882",
- "Data from Information Repositories - Duqu downloads additional modules for the collection of data in information repositories. 
The modules are named: infostealer 1, infostealer 2 and reconnaissance https://collaborate.mitre.org/attackics/index.php/Technique/T811"
- ]
- },
- "uuid": "7bc3d4cd-786f-4913-983f-0d1fa9eb132f",
- "value": "Duqu"
-},
- {
- "description": "Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.",
- "meta": {
- "References": [
- "https://www.symantec.com/security-center/writeup/2012-052811-0308-99",
- "https://www.welivesecurity.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx/",
- "https://www.fireeye.com/blog/threat-research/2012/05/flamerskywiper-analysis.html"
- ],
- "Associated Software Descriptions": [
- "Flame",
- "Flamer",
- "sKyWIper"
- ],
- "Techniques Used": [
- "Theft of Operational Information - Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
- "Data from Information Repositories - Flame has built-in modules to gather information from compromised computers https://collaborate.mitre.org/attackics/index.php/Technique/T811"
- ]
- },
- "uuid": "ed2618d4-0450-4466-92c4-61b89a46960e",
- "value": "Flame"
-},
- {
- "description": "Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.1 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.",
- "meta": {
- "References": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-163A",
- "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
- "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"
- ],
- "Groups": [
- "Sandworm" 
- ],
- "Associated Software Descriptions": [
- "Industroyer",
- "CRASHOVERRIDE"
- ],
- "Techniques Used": [
- "Data Historian Compromise - In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server https://collaborate.mitre.org/attackics/index.php/Technique/T810",
- "Block Command Message - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T803",
- "Block Serial COM - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T805",
- "Data Destruction - Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files https://collaborate.mitre.org/attackics/index.php/Technique/T809",
- "Masquerading - Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activate a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages https://collaborate.mitre.org/attackics/index.php/Technique/T849",
- "Network Connection Enumeration - Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks https://collaborate.mitre.org/attackics/index.php/Technique/T840",
- 
"Remote System Discovery - The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Control Device Identification - Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "Serial Connection Enumeration - Industroyer contains modules for IEC 101 and IEC 104 communications.1 IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality.2 The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device https://collaborate.mitre.org/attackics/index.php/Technique/T854",
- "Control Device Identification - If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. 
Thereby, the component compiles a list of object names in a Virtual Manufacturing Device https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "Role Identification - The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain https://collaborate.mitre.org/attackics/index.php/Technique/T850",
- "Activate Firmware Update Mode - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T800",
- "Unauthorized Command Message - The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF https://collaborate.mitre.org/attackics/index.php/Technique/T855",
- "Brute Force I/O - The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. 
Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values https://collaborate.mitre.org/attackics/index.php/Technique/T806",
- "Device Restart/Shutdown - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T816",
- "Denial of Service - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T814",
- "Activate Firmware Update Mode - The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. 
As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission https://collaborate.mitre.org/attackics/index.php/Technique/T800",
- "Automated Collection - Industroyer automatically collects protocol object data to learn about control devices in the environment https://collaborate.mitre.org/attackics/index.php/Technique/T802",
- "Loss of Control - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T827",
- "Loss of View - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
- "Manipulation of Control - Industroyer toggles breakers to the open state utilizing unauthorized command messages https://collaborate.mitre.org/attackics/index.php/Technique/T831",
- "Service Stop - Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user https://collaborate.mitre.org/attackics/index.php/Technique/T881",
- "Block Reporting Message - Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 
https://collaborate.mitre.org/attackics/index.php/Technique/T804",
- "Denial of Control - Industroyer is able to block serial COM channels temporarily causing a denial of control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
- "Denial of View - Industroyer is able to block serial COM channels temporarily causing a denial of view https://collaborate.mitre.org/attackics/index.php/Technique/T815",
- "Command-Line Interface - The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoor’s “execute a shell command” commands https://collaborate.mitre.org/attackics/index.php/Technique/T807",
- "Manipulation of View - Industroyer's OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a “Primary Variable Out of Limits” misdirecting operators from understanding protective relay status https://collaborate.mitre.org/attackics/index.php/Technique/T832",
- "Loss of Safety - Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays https://collaborate.mitre.org/attackics/index.php/Technique/T880"
- ]
- },
- "uuid": "d13b0ff8-9125-4990-8ec1-94782b4e22df",
- "value": "Industroyer"
-},
- {
- "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. 
KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable.",
- "meta": {
- "References": [
- "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- ],
- "Associated Software Descriptions": [
- "KillDisk"
- ],
- "Techniques Used": [
- "Loss of View - KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
- "Data Destruction - KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion https://collaborate.mitre.org/attackics/index.php/Technique/T809",
- "Indicator Removal on Host - KillDisk deletes application, security, setup, and system event logs from Windows systems https://collaborate.mitre.org/attackics/index.php/Technique/T872",
- "Service Stop - KillDisk looks for and terminates two non-standard processes, one of which is an ICS application https://collaborate.mitre.org/attackics/index.php/Technique/T881"
- ]
- },
- "uuid": "df960d5e-481a-47fe-8577-427057553a1b",
- "value": "KillDisk"
-},
- {
- "description": "LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.",
- "meta": {
- "References": [
- "https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/",
- "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
- "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
- ],
- "Associated Software Descriptions": [
- "LockerGoga"
- ],
- "Techniques Used": [
- "Loss of Productivity and Revenue - While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 
manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity https://collaborate.mitre.org/attackics/index.php/Technique/T828",
- "Loss of View - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T829",
- "Loss of Control - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T827"
- ]
- },
- "uuid": "6187b975-7d80-4eb3-9c5a-89d07f2e3512",
- "value": "LockerGoga"
-},
- {
- "description": "NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. 
NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.",
- "meta": {
- "References": [
- "https://attack.mitre.org/software/S0368/",
- "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
- "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war"
- ],
- "Groups": [
- "Sandworm"
- ],
- "Associated Software Descriptions": [
- "NotPetya"
- ],
- "Techniques Used": [
- "Exploitation of Remote Services - NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
- "External Remote Services - NotPetya can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
- "Remote File Copy - NotPetya can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867",
- "Loss of Productivity and Revenue - NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines https://collaborate.mitre.org/attackics/index.php/Technique/T828"
- ]
- },
- "uuid": "564c7c31-234f-4427-aab7-80d40183a1e9",
- "value": "NotPetya"
-},
- {
- "description": "PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. 
Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.",
- "meta": {
- "References": [
- "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
- ],
- "Associated Software Descriptions": [
- "PLC-Blaster"
- ],
- "Techniques Used": [
- "Remote System Discovery - PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Control Device Identification - The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "Program Organization Units - PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block https://collaborate.mitre.org/attackics/index.php/Technique/T844",
- "Manipulate I/O Image - PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified https://collaborate.mitre.org/attackics/index.php/Technique/T835",
- "Execution through API - PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
- "Change Program State - After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster https://collaborate.mitre.org/attackics/index.php/Technique/T875",
- "Denial of Service - The execution on the PLC can be stopped by violating the cycle time limit. 
The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS https://collaborate.mitre.org/attackics/index.php/Technique/T814"
- ]
- },
- "uuid": "f0db07ce-a13b-4c6e-9ba5-fe2be3080ace",
- "value": "PLC-Blaster"
-},
- {
- "description": "Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.",
- "meta": {
- "References": [
- "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
- "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
- ],
- "Associated Software Descriptions": [
- "Ryuk"
- ],
- "Techniques Used": [
- "Loss of Productivity and Revenue - An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open https://collaborate.mitre.org/attackics/index.php/Technique/T828"
- ]
- },
- "uuid": "707075af-cabd-404d-8eb9-7c1ba063ac88",
- "value": "Ryuk"
-},
- {
- "description": "Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. 
Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.",
- "meta": {
- "References": [
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://www.symantec.com/security-center/writeup/2010-071400-3123-99",
- "https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B",
- "https://scadahacker.com/resources/stuxnet-mitigation.html",
- "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
- ],
- "Associated Software Descriptions": [
- "Stuxnet"
- ],
- "Techniques Used": [
- "Remote System Discovery - Stuxnet scanned the network to identify the Siemens PLCs that it was targeting https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "Rootkit - One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnet’s own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnet’s PLC code is not discovered or damaged https://collaborate.mitre.org/attackics/index.php/Technique/T851",
- "Manipulate I/O Image - When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. 
By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T835",
- "Control Device Identification - The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "I/O Module Discovery - Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland https://collaborate.mitre.org/attackics/index.php/Technique/T824",
- "Network Sniffing - DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus – a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. 
Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of the thread is to monitor each S7-315 on the bus. The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules https://collaborate.mitre.org/attackics/index.php/Technique/T842",
- "Monitor Process State - Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation https://collaborate.mitre.org/attackics/index.php/Technique/T801",
- "Modify Parameter - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device https://collaborate.mitre.org/attackics/index.php/Technique/T836",
- "Manipulation of Control - Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property https://collaborate.mitre.org/attackics/index.php/Technique/T831",
- "Program Download - Stuxnet infects PLCs with different code depending on the characteristics of the target system. 
An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T843",
- "Program Organization Units - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T844",
- "Project File Infection - Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded https://collaborate.mitre.org/attackics/index.php/Technique/T873",
- "Hooking - Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files https://collaborate.mitre.org/attackics/index.php/Technique/T874",
- "Unauthorized Command Message - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives https://collaborate.mitre.org/attackics/index.php/Technique/T855",
- "Change Program State - Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase https://collaborate.mitre.org/attackics/index.php/Technique/T875",
- "I/O Image - Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device https://collaborate.mitre.org/attackics/index.php/Technique/T877",
- "Rootkit - When the peripheral output is written to, sequence C of Stuxnet intercepts the output and ensures it is not written to the process image output. 
The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T851",
- "Masquerading - Stuxnet renames a dll responsible for handling communications with a PLC. It replaces the original .dll file with its own version that allows it to intercept any calls that are made to access the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T849",
- "Execution through API - Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
- "Standard Application Layer Protocol - Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T869",
- "Commonly Used Port - Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T885",
- "Replication Through Removable Media - Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.1 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened https://collaborate.mitre.org/attackics/index.php/Technique/T847",
- "Man in the Middle - Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. 
STUXNET effectively creates a man in the middle attack with the input and output signals and control logic https://collaborate.mitre.org/attackics/index.php/Technique/T830",
- "Program Upload - Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T845",
- "Manipulation of View - Stuxnet manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions https://collaborate.mitre.org/attackics/index.php/Technique/T832",
- "Engineering Workstation Compromise - Stuxnet utilized an engineering workstation as the initial access point for PLC devices https://collaborate.mitre.org/attackics/index.php/Technique/T818",
- "Damage to Property - Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. 
One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them https://collaborate.mitre.org/attackics/index.php/Technique/T879"
- ]
- },
- "uuid": "119f4adc-b15c-48e0-8208-dae63673bb46",
- "value": "Stuxnet"
-},
- {
- "description": "Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers",
- "meta": {
- "References": [
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
- "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s",
- "https://www.youtube.com/watch?v=XwSJ8hloGvY",
- "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01",
- "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
- "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02",
- "https://nvd.nist.gov/vuln/detail/CVE-2018-8872",
- "https://cwe.mitre.org/data/definitions/119.html",
- "https://www.nrc.gov/docs/ML1209/ML120900890.pdf",
- "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
- ],
- "Groups": [
- "XENOTIME"
- ],
- "Associated Software Descriptions": [
- "Triton",
- "TRISIS",
- "Hatman"
- ],
- "Techniques Used": [
- "Utilize/Change Operating Mode - Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in ‘program mode’ during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. 
Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch https://collaborate.mitre.org/attackics/index.php/Technique/T858",
- "Unauthorized Command Message - Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately https://collaborate.mitre.org/attackics/index.php/Technique/T855",
- "Masquerading - The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs https://collaborate.mitre.org/attackics/index.php/Technique/T849",
- "Modify Control Logic - Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist.1 The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks https://collaborate.mitre.org/attackics/index.php/Technique/T833",
- "Scripting - In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. 
The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment https://collaborate.mitre.org/attackics/index.php/Technique/T853",
- "Remote System Discovery - Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
- "System Firmware - The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. 
This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make https://collaborate.mitre.org/attackics/index.php/Technique/T857",
- "Scripting - A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs https://collaborate.mitre.org/attackics/index.php/Technique/T853",
- "Exploitation for Evasion - Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code 384. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory.910 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration https://collaborate.mitre.org/attackics/index.php/Technique/T820",
- "Control Device Identification - The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T808",
- "Engineering Workstation Compromise - The Triton malware gained remote access to an SIS engineering workstation https://collaborate.mitre.org/attackics/index.php/Technique/T818",
- "Loss of Safety - Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard 
https://collaborate.mitre.org/attackics/index.php/Technique/T880",
- "Program Download - Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System https://collaborate.mitre.org/attackics/index.php/Technique/T843",
- "ndicator Removal on Host - Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics https://collaborate.mitre.org/attackics/index.php/Technique/T872",
- "Commonly Used Port - Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments https://collaborate.mitre.org/attackics/index.php/Technique/T885",
- "Execution through API - Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes https://collaborate.mitre.org/attackics/index.php/Technique/T871",
- "Detect Program State - Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T870",
- "Detect Operating Mode - Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T868",
- "Change Program State - Triton has the ability to halt or run a program through the TriStation protocol. 
TsHi.py contains instances of halt and run functions being executed https://collaborate.mitre.org/attackics/index.php/Technique/T875"
- ]
- },
- "uuid": "e98dca35-5141-4b6c-87e1-9ee36a92d54e",
- "value": "Triton"
-},
- {
- "description": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols",
- "meta": {
- "References": [
- "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html",
- "https://www.youtube.com/watch?v=yuZazP22rpI"
- ],
- "Associated Software Descriptions": [
- "VPNFilter"
- ],
- "Techniques Used": [
- "Network Sniffing - The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI https://collaborate.mitre.org/attackics/index.php/Technique/T842",
- "Control Device Identification - The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs on IPs and ports, but not the packet contents on port 502 (Modbus traffic). 
It does not validate the traffic as Modbus https://collaborate.mitre.org/attackics/index.php/Technique/T808"
- ]
- },
- "uuid": "cea7e5ff-cfde-4856-9829-acd7166cd1f9",
- "value": "VPNFilter"
-},
- {
- "description": "WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.",
- "meta": {
- "References": [
- "https://attack.mitre.org/software/S0366/",
- "https://www.us-cert.gov/ncas/alerts/TA17-132A",
- "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
- ],
- "Groups": [
- "Lazarus group"
- ],
- "Associated Software Descriptions": [
- "WannaCry"
- ],
- "Techniques Used": [
- "Exploitation of Remote Services - WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
- "External Remote Services - WannaCry can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
- "Remote File Copy - WannaCry can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
- ]
- },
- "uuid": "2901adef-0da6-4c1e-854b-b4e4e0d8e15a",
- "value": "WannaCry"
-}
- ],
- "version": 1
-}
-
diff --git a/ics_software_galaxy.json b/ics_software_galaxy.json
deleted file mode 100644
index 3084a55..0000000
--- a/ics_software_galaxy.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "ATT&CK for ICS Software",
- "icon": "file-code",
- "name": "Software",
- "namespace": "mitre-attack-for-ics",
- "type": "mitre-ics-software",
- "uuid": "9443a27f-f8b0-4bc7-ba88-7c023d727932",
- "version": 1
-}
diff --git a/ics_tactics_cluster.json b/ics_tactics_cluster.json
deleted file mode 100644
index 3f01925..0000000
--- a/ics_tactics_cluster.json
+++ /dev/null
@@ -1,278 +0,0 @@ -{ - "author": [ - "Tony Williams" - ], - "category": "Tactics", - "description": "A list of all 11 tactics in ATT&CK for ICS", - "name": "Tactics", - "source": "https://collaborate.mitre.org/attackics/index.php/All_Tactics", - "type": "mitre-ics-tactics", - "uuid": "ae92140f-7816-45b6-aa7c-9ff3e8536f10", - "values": [ - { - "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. 
Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.", - "meta": { - "References": [ - "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf", - "http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf", - "https://www.us-cert.gov/ncas/alerts/TA17-293A" - ], - "Techniques in this Tactics Category": [ - "Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802", - "Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811", - "Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868", - "Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870", - "I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877", - "Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825", - "Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801", - "Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861", - "Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845", - "Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850", - "Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852" - ] - }, - "uuid": "834fab50-be52-4611-95b6-6330d1db65c2", - "value": "Collection" -}, - { - "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. 
Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.", - "meta": { - "References": [ - "https://attack.mitre.org/wiki/Technique/T1090" - ], - "Techniques in this Tactics Category": [ - "Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885", - "Connection Proxy https://collaborate.mitre.org/attackics/index.php/Technique/T884", - "Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869" - ] - }, - "uuid": "4fd3b7b1-6d05-4cab-8182-6ea52ecbde63", - "value": "Command and Control" -}, - { - "description": "The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. 
Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.", - "meta": { - "References": [ - "https://attack.mitre.org/wiki/Technique/T1049", - "https://attack.mitre.org/wiki/Technique/T1040", - "https://attack.mitre.org/wiki/Technique/T1018" - ], - "Techniques in this Tactics Category": [ - "Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808", - "I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824", - "Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840", - "Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841", - "Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842", - "Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846", - "Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854" - ] - }, - "uuid": "021d9d90-a792-4b84-a9f8-892b11c7db55", - "value": "Discovery" -}, - { - "description": "The adversary is trying to avoid being detected.Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. 
They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses. ", - "meta": { - "References": [ - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://attack.mitre.org/wiki/Technique/T1014", - "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" - ], - "Techniques in this Tactics Category": [ - "Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820", - "Indicator Removal on Host https://collaborate.mitre.org/attackics/index.php/Technique/T872", - "Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849", - "Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848", - "Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851", - "Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856", - "Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858" - ] - }, - "uuid": "099fdd9a-8894-4599-8e7f-59e82e285df6", - "value": "Evasion" -}, - { - "description": "The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. 
Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.", - "meta": { - "References": [ - "https://attack.mitre.org/wiki/Technique/T1059", - "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf", - "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095", - "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", - "http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf", - "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051", - "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", - "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=", - "http://www.plcdev.com/book/export/html/373", - "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf", - "https://www.f-secure.com/weblog/archives/00002718.html" - ], - "Techniques in this Tactics Category": [ - "Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875", - "Command-Line Interface https://collaborate.mitre.org/attackics/index.php/Technique/T807", - "Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871", - "Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823", - "Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830", - "Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T844", - "Project File Infection 
https://collaborate.mitre.org/attackics/index.php/Technique/T873", - "Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853", - "User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863" - ] - }, - "uuid": "7779ec85-b841-44b8-9c5e-9c9d670a3938", - "value": "Execution" -}, - { - "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. 
These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.", - "meta": { - "References": [ - "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3", - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/", - "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/", - "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html", - "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf", - "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297", - "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false", - "https://time.com/4270728/iran-cyber-attack-dam-fbi/", - "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" - ], - "Techniques in this Tactics Category": [ - "Damage to Property https://collaborate.mitre.org/attackics/index.php/Technique/T879", - "Denial of Control https://collaborate.mitre.org/attackics/index.php/Technique/T813", - "Denial of View https://collaborate.mitre.org/attackics/index.php/Technique/T815", - "Loss of Availability https://collaborate.mitre.org/attackics/index.php/Technique/T826", - "Loss of Control https://collaborate.mitre.org/attackics/index.php/Technique/T827", - "Loss of Productivity and Revenue https://collaborate.mitre.org/attackics/index.php/Technique/T828", - "Loss of Safety https://collaborate.mitre.org/attackics/index.php/Technique/T880", - "Loss of View 
https://collaborate.mitre.org/attackics/index.php/Technique/T829", - "Manipulation of Control https://collaborate.mitre.org/attackics/index.php/Technique/T831", - "Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832", - "Theft of Operational Information https://collaborate.mitre.org/attackics/index.php/Technique/T882" - ] - }, - "uuid": "40c9594e-ae8b-48f1-8e11-0e08ead4d44b", - "value": "Impact" -}, - { - "description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. 
Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.", - "meta": { - "References": [ - "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices", - "https://attack.mitre.org/techniques/T1489/", - "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", - "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf" - ], - "Techniques in this Tactics Category": [ - "Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806", - "Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875", - "Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849", - "Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833", - "Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836", - "Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839", - "Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843", - "Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848", - "Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881", - "Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856", - "Unauthorized Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855" - ] - }, - "uuid": "aa3913db-52ce-4856-b0db-fce6af13e4d6", - "value": "Impair Process Control" -}, - { - "description": "The adversary is trying to manipulate, disable, or damage physical control processes. 
Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.", - "meta": { - "References": [ - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf", - "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", - "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf", - "https://attack.mitre.org/wiki/Technique/T1107", - "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A", - "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01", - "http://cwe.mitre.org/data/definitions/400.html", - "https://nvd.nist.gov/vuln/detail/CVE-2015-5374", - "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/", - "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", - "https://attack.mitre.org/wiki/Technique/T1014", - "http://www.sciencedirect.com/science/article/pii/S1874548213000231" - ], - "Techniques in this Tactics Category": [ - "Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800", - "Alarm Suppression 
https://collaborate.mitre.org/attackics/index.php/Technique/T878", - "Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803", - "Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804", - "Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805", - "Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809", - "Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814", - "Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816", - "Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835", - "Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838", - "Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833", - "Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843", - "Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851", - "System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857", - "Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858" - ] - }, - "uuid": "35bf4454-d73b-43ff-8a38-85342f595009", - "value": "Inhibit Response Function" -}, - { - "description": "The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. 
IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations. ", - "meta": { - "References": [ - "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf", - "https://www.us-cert.gov/ncas/alerts/TA18-074A", - "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B", - "https://attack.mitre.org/wiki/Technique/T1133", - "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf", - "https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/", - "https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01", - "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", - "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf", - "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559", - "https://time.com/4270728/iran-cyber-attack-dam-fbi/", - "https://www.kkw-gundremmingen.de/presse.php?id=571", - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant", - "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS", - "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml", - "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant", - 
"https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/", - "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/", - "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298", - "https://www.bbc.com/news/technology-36158606", - "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/", - "https://attack.mitre.org/techniques/T1193/", - "https://www.f-secure.com/weblog/archives/00002718.html", - "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf", - "https://www.slideshare.net/dgpeters/17-bolshev-1-13", - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/", - "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/", - "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" - ], - "Techniques in this Tactics Category": [ - "Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810", - "Drive-by Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T817", - "Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818", - "Exploit Public-Facing Application https://collaborate.mitre.org/attackics/index.php/Technique/T819", - "External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822", - "Internet Accessible Device https://collaborate.mitre.org/attackics/index.php/Technique/T883", - "Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847", - "Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865", - "Supply Chain Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T862", - "Wireless 
Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T860"
- ]
- },
- "uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
- "value": "Innitial Access"
-}
- ],
- "version": 1
-}
\ No newline at end of file
diff --git a/ics_tactics_galaxy.json b/ics_tactics_galaxy.json
deleted file mode 100644
index 7cdae2a..0000000
--- a/ics_tactics_galaxy.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "ATT&CK for ICS Tactics",
- "icon": "chess-pawn",
- "name": "Tactics",
- "namespace": "mitre-attack-for-ics",
- "type": "mitre-ics-tactics",
- "uuid": "e521606c-3c66-4621-9040-6f0f792fc999",
- "version": 1
-}
-
diff --git a/ics_technique_matrix_cluster.json b/ics_technique_matrix_cluster.json
deleted file mode 100644
index 0735bf4..0000000
--- a/ics_technique_matrix_cluster.json
+++ /dev/null
@@ -1,958 +0,0 @@
-{
- "author": [
- "Tony Williams"
- ],
- "category": "Technique Matrix",
- "description": "ATT&CK for ICS Technique Matrix",
- "name": "Technique Matrix",
- "source": "https://collaborate.mitre.org/attackics/index.php/Main_Page",
- "type": "mitre-ics-technique-matrix",
- "uuid": "005ffa53-9400-4231-bbf2-c49c22c2683c",
- "values": [
- {
- "description": "T810: Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment.",
- "meta": {
- "kill_chain": [
- "Technique Matrix:Initial Access"
- ]
- },
- "uuid": "71955277-ac75-4bfb-a268-cd496f317981",
- "value": "Data Historian Compromise"
-},
- {
- "description": "T817: Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.",
- "meta": {
- "kill_chain": [
- "Technique Matrix:Initial Access"
- ]
- },
- "uuid": "f12762ff-5d54-4544-8091-80d22d771799",
- "value": "Drive-by Compromise"
-},
- {
- "description": "T818: Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. 
For example, unsegregated process control, safety system, or information system networks.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "697497fb-af7d-4a08-91df-405e62e14b1f", - "value": "Engineering Workstation Compromise" -}, - { - "description": "T819: Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "de7f14f7-2292-428c-894e-44a13bbd86c0", - "value": "Exploit Public-Facing Application" -}, - { - "description": "T822: Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "6b149ac6-c7d4-45c9-9240-90c2b6e4c4c9", - "value": "External Remote Services" -}, - { - "description": "T883: Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. 
Minimal protections provided by these devices such as password authentication may be targeted and compromised.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "78d5b40d-6452-446d-8d50-5a48e633eb81", - "value": "Internet Accessible Device" -}, - { - "description": "T847: Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "26d3a202-15db-447e-9681-4647d3ca5040", - "value": "Replication Through Removable Media" -}, - { - "description": "T865: Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "2252992e-c1a8-4900-91cd-ada02f23c6c9", - "value": "Spearphishing Attachment" -}, - { - "description": "T862: Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. 
Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "123b7a01-785b-4679-9c69-828296d17ef2", - "value": "Supply Chain Compromise" -}, - { - "description": "T860: Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device.12 Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.", - "meta": { - "kill_chain": [ - "Technique Matrix:Initial Access" - ] - }, - "uuid": "0827be38-7863-4af6-b2aa-bde01e3cb9b9", - "value": "Wireless Compromise" - }, - { - "description": "T875: Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "a5de16bf-b123-4ca7-8136-7549b014abc1", - "value": "Change Program State" -}, - { - "description": "T807: Adversaries may utilize command-line interfaces(CLIs)to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. 
Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "a6cb2662-e099-4c35-b621-4cc047b76027", - "value": "Command-Line Interface" -}, - { - "description": "T871: Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "6b3cfa9e-cbd9-48fb-91e4-75910153ce6e", - "value": "Execution through API" -}, - { - "description": "T823: Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "125c702e-a49d-41d1-b8ce-7700b89a32bc", - "value": "Graphical User Interface" -}, - { - "description": "T830: Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. 
There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "8cef4c48-4b4b-4861-a423-0331f618f476", - "value": "Man in the Middle" -}, - { - "description": "T844: Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "fe2ba1de-686d-42ab-b09f-670d31da5509", - "value": "Program Organisation Units" -}, - { - "description": "T873: Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "fe4f5116-b54c-4fc9-ac32-b7a7f97d2636", - "value": "Project File Infection" -}, - { - "description": "T853: Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. 
These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "37895354-a93a-4ca2-85cf-403d6c1ab9a2", - "value": "Scripting" -}, - { - "description": "T863: Adversaries may rely on a targeted organizations’ user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.", - "meta": { - "kill_chain": [ - "Technique Matrix:Execution" - ] - }, - "uuid": "f6e39713-2d05-46d0-89c2-b4a9da13dc03", - "value": "User Execution" -}, - { - "description": "T874: Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.", - "meta": { - "kill_chain": [ - "Technique Matrix:Persistence" - ] - }, - "uuid": "aa9e4783-f0b8-4838-9cbd-ca6301754004", - "value": "Hooking" -}, - { - "description": "T839: Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. 
These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Persistence" - ] - }, - "uuid": "f004bce4-f161-468f-86dd-3a2c1c9f9945", - "value": "Module Firmware" -}, - { - "description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.", - "meta": { - "kill_chain": [ - "Technique Matrix:Persistence" - ] - }, - "uuid": "ef6aa7a4-ab2a-4489-ac85-304e6ce06552", - "value": "Program Download" -}, - { - "description": "T873: Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques.", - "meta": { - "kill_chain": [ - "Technique Matrix:Persistence" - ] - }, - "uuid": "0169122e-36f5-4223-a7fe-0d9863470566", - "value": "Project File Infection" -}, - { - "description": "T857: System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. 
Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.", - "meta": { - "kill_chain": [ - "Technique Matrix:Persistence" - ] - }, - "uuid": "3f4afa40-be02-42c9-937c-e5c1059e5a86", - "value": "System Firmware" -}, - { - "description": "T859: Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.", - "meta": { - "kill_chain": [ - "Technique Matrix:Persistence" - ] - }, - "uuid": "6b214211-394d-4d9c-b92f-7c77b9b4efdb", - "value": "Valid Accounts" -}, - { - "description": "T820: Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "3a4c6ba2-6895-4cec-a468-a1ea41c77edd", - "value": "Exploitation for Evasion" -}, - { - "description": "T872: Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. 
In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "be992931-bcf0-4ad9-898a-12d78007805f", - "value": "Indicator Removal on Host" -}, - { - "description": "T849: Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "eaeedd92-dbe9-4624-b6bb-1b7bf88f9c17", - "value": "Masquerading" -}, - { - "description": "T848: Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "824f7bf4-15b3-4421-8aee-d93cef18abc0", - "value": "Rogue Master Device" -}, - { - "description": "T851: Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. 
Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "5690f110-5867-48b5-b952-9a5332ffa6af", - "value": "Rootkit" -}, - { - "description": "T856: Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "cb2dd5d6-0733-4e2e-aff4-b2ae583c5958", - "value": "Spoof Reporting Message" -}, - { - "description": "T858: Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.", - "meta": { - "kill_chain": [ - "Technique Matrix:Evasion" - ] - }, - "uuid": "c06ce396-1a44-4d67-8674-cbbbab3c28ff", - "value": "Utilize/Change Operating Mode" -}, - { - "description": "T808: Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. 
By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "e54c2304-7758-4166-93cb-e9fa71072c7b", - "value": "Control Device Identification" -}, - { - "description": "T824: Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "6236f6db-413b-4fd3-8788-39e062c4cd1d", - "value": "I/O Module Discovery" -}, - { - "description": "T840: Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. 
The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "845228e3-f859-4aa6-96cd-b23ee18b2f31", - "value": "Network Connection Enumeration" -}, - { - "description": "T841: Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "0c3403ab-eb9d-4192-b70c-c87eec584a22", - "value": "Network Service Scanning" -}, - { - "description": "T842: Network sniffing is the practice of using a network interface on a computer system to monitor or capture information1 regardless of whether it is the specified destination for the information.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "de476155-9fc5-4358-8900-9146e147c228", - "value": "Network Sniffing" -}, - { - "description": "T846: Remote System Discovery is the process of identifying the presence of hosts on a network, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. 
One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "3ac07eea-8cec-4087-824c-a69b9fa42384", - "value": "Remote System Discovery" -}, - { - "description": "T854: Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.", - "meta": { - "kill_chain": [ - "Technique Matrix:Discovery" - ] - }, - "uuid": "072123cb-08e9-4c7e-b47b-8fd4d76a778a", - "value": "Serial Connection Enumeration" -}, - { - "description": "T812: Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. 
It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.", - "meta": { - "kill_chain": [ - "Technique Matrix:Lateral Movement" - ] - }, - "uuid": "b67eb554-d305-454b-9b72-0b9082cf51bd", - "value": "Default Credentials" -}, - { - "description": "T866: Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.", - "meta": { - "kill_chain": [ - "Technique Matrix:Lateral Movement" - ] - }, - "uuid": "0d9fec39-95b2-4516-a9a7-c4b48a3fa9bb", - "value": "Exploitation of Remote Services" -}, - { - "description": "T822: Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.", - "meta": { - "kill_chain": [ - "Technique Matrix:Lateral Movement" - ] - }, - "uuid": "e096543e-e4c0-4eb0-acb1-df9feaae9697", - "value": "External Remote Services" -}, - { - "description": "T844: Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. 
They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.", - "meta": { - "kill_chain": [ - "Technique Matrix:Lateral Movement" - ] - }, - "uuid": "92ed2463-473d-4bf6-a6e7-dcbd46b32791", - "value": "Program Organization Units" -}, - { - "description": "T867: Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation.1 Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares.", - "meta": { - "kill_chain": [ - "Technique Matrix:Lateral Movement" - ] - }, - "uuid": "ac6e920d-9880-4fe6-b8f0-e0d0fbfd01a9", - "value": "Remote File Copy" -}, - { - "description": "T859: Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.", - "meta": { - "kill_chain": [ - "Technique Matrix:Lateral Movement" - ] - }, - "uuid": "9ede0533-551d-407e-ad35-a0c325dbf5c4", - "value": "Valid Accounts" -}, - { - "description": "T802: Adversaries may automate collection of industrial environment information using tools or scripts. 
This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "4f559e96-f297-48ae-9a98-639bd63cee3f", - "value": "Automated Collection" -}, - { - "description": "T811: Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "2666163e-c72e-4e13-9f81-4433beb92c93", - "value": "Data from Information Repositories" -}, - { - "description": "T868: Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "d8eb72d0-879a-4f06-a220-33aafdbf075d", - "value": "Detect Operating Mode" -}, - { - "description": "T877: Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. 
This image is used by the user program instead of directly interacting with physical I/O.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "fb3f7181-f54a-4552-8aef-c205b5d9f70a", - "value": "I/O Image" -}, - { - "description": "T825: Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "eb77b9b5-664a-4402-94c1-ff6e68c4a031", - "value": "Location Identification" -}, - { - "description": "T801: Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "f51cac7e-e377-4d6c-8bf6-4a284e645f35", - "value": "Monitor Process State" -}, - { - "description": "T861: Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. 
Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "23f90d65-611f-42fc-82f9-e1117bad6481", - "value": "Point and Tag Identification" -}, - { - "description": "T845: Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "fd05f928-be95-459a-add0-d03d73c1a5f2", - "value": "Program Upload" -}, - { - "description": "T850: Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "05b1ad22-7971-48c1-924c-55fcae709cdd", - "value": "Role Identification" -}, - { - "description": "T852: Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. 
In particular, an HMI can provide a lot of important industrial process information.1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", - "meta": { - "kill_chain": [ - "Technique Matrix:Collection" - ] - }, - "uuid": "86be4b62-0180-4651-a6a6-da1a45cc10df", - "value": "Screen Capture" -}, - { - "description": "T885: Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports such as TCP:80(HTTP),TCP:443(HTTPS),TCP/UDP:53(DNS),TCP:1024-4999(OPC on XP/Win2k3),TCP:49152-65535(OPC on Vista and later),TCP:23(TELNET),UDP:161(SNMP),TCP:502(MODBUS),TCP:102(S7comm/ISO-TSAP),TCP:20000(DNP3),TCP:44818(Ethernet/IP).", - "meta": { - "kill_chain": [ - "Technique Matrix:Command and Control" - ] - }, - "uuid": "01470ce5-c23b-4083-a90f-4ffde6362475", - "value": "Commonly Used Port" -}, - { - "description": "T884: Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.", - "meta": { - "kill_chain": [ - "Technique Matrix:Command and Control" - ] - }, - "uuid": "ac6c341f-94eb-42fd-a818-0463ba978f0d", - "value": "Connection Proxy" -}, - { - "description": "T869: Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. 
Standard protocols may be seen on their associated port or in some cases over a non-standard port.", - "meta": { - "kill_chain": [ - "Technique Matrix:Command and Control" - ] - }, - "uuid": "19c90986-98cd-48f3-9c29-884a97787497", - "value": "Standard Application Layer Protocol" -}, - { - "description": "T800: Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "723d53c8-b41b-4e36-bcbd-a0f08393f625", - "value": "Active Firmware Update Mode" -}, - { - "description": "T878: Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "91c5fad4-7278-462e-a98b-6556addf8b70", - "value": "Alarm Suppression" -}, - { - "description": "T803: Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. 
A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "7ee52584-fb2e-407d-83bf-d26fcda17e56", - "value": "Block Command Message" -}, - { - "description": "T804: Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "327c63ed-59d5-4565-be22-a75bb85e751c", - "value": "Block Reporting Message" -}, - { - "description": "T805: Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "1511927c-47cc-4da6-a462-84ee206d1317", - "value": "Block Serial COM" -}, - { - "description": "T809: Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. 
Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "be284064-e0de-448c-860d-2e140dfde1c0", - "value": "Data Destruction" -}, - { - "description": "T814: Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "b4a7de26-746e-4981-a82c-9a1139d65cdd", - "value": "Denial of Service" -}, - { - "description": "T816: Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "e82dada6-7306-46c4-bbd9-e29dcf033ceb", - "value": "Device Restart/Shutdown" -}, - { - "description": "T835: Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. 
Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "d390887c-68af-4e4f-87b4-6d2888ce21e6", - "value": "Manipulate I/O Image" -}, - { - "description": "T838: Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "f676877a-b6c4-4d58-84da-56808847270e", - "value": "Modify Alarm Settings" -}, - { - "description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "4897156e-0462-45b7-8637-f222b68c6a48", - "value": "Program Download" -}, - { - "description": "T851: Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. 
Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "15c52f96-2396-4a8e-b183-3898378a7ccd", - "value": "Rootkit" -}, - { - "description": "T857: System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "4d9b87ba-bd66-4497-b3d4-8ed476425e48", - "value": "System Firmware" -}, - { - "description": "T858: Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.", - "meta": { - "kill_chain": [ - "Technique Matrix:Inhibit Response Function" - ] - }, - "uuid": "b24e02c6-a575-4ab8-a214-76c195e9e00a", - "value": "Utilize/Change Operating Mode" -}, - { - "description": "T806: Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. 
By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "ab9f5dd3-71cc-4de6-9ea9-7e5a35696888", - "value": "Brute Force I/O" -}, - { - "description": "T875: Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "12bac6b2-e822-4424-afe3-90c441ef52dc", - "value": "Change Program State" -}, - { - "description": "T849: Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "6fe928e8-5433-4774-b108-60c9eba75acc", - "value": "Masquerading" -}, - { - "description": "T833: Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. 
These devices often include the ability to perform remote control logic updates.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "f4050bde-112b-46f0-a02a-6661f3472efd", - "value": "Modify Control Logic" -}, - { - "description": "T836: Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "6183345c-c5cf-44d8-9dc2-91f259f4ed4e", - "value": "Modify Parameter" -}, - { - "description": "T839: Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "492cb581-f4a6-4393-a85a-6eb0935c95d0", - "value": "Module Firmware" -}, - { - "description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. 
The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "86f88e91-acdb-4702-a28a-ed10332643c6", - "value": "Program Download" -}, - { - "description": "T848: Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "c5d76758-d103-4dcf-83e7-fa0818a8bdf5", - "value": "Rogue Master Device" -}, - { - "description": "T881: Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "7fd8cfb0-5064-4ffb-bc88-fe81e05ffa73", - "value": "Service Stop" -}, - { - "description": "T856: Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. 
Reporting messages show the status of devices and any important events that the devices control.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "5e489242-3d3b-4c21-9d8e-9c27857252c6", - "value": "Spoof Reporting Message" -}, - { - "description": "T855: Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impair Process Control" - ] - }, - "uuid": "a2085515-4b94-4fea-8d9c-1ffc6aa550d9", - "value": "Unauthorized Command Message" -}, - { - "description": "T879: Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. 
Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "73e7afd3-fa10-49b9-baac-9c3765bf570e", - "value": "Damage to Property" -}, - { - "description": "T813: Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "d18daaa4-1b59-482c-b9bb-1f50c3d6af7a", - "value": "Denial of Control" -}, - { - "description": "T815: Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. 
This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "69224a2a-13f5-42dc-b200-2e7b09acf514", - "value": "Denial of View" -}, - { - "description": "T826: Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "7c53baea-b24d-40de-8753-e65139c93ced", - "value": "Loss of Availability" -}, - { - "description": "T827: Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "62fee86a-2f24-4a2b-8b4c-795e82495d7d", - "value": "Loss of Control" -}, - { - "description": "T828: Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "4b593ce1-3f07-4f00-86dd-e614e999ed2e", - "value": "Loss of Productivity and Revenue" -}, - { - "description": "T880: Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. 
The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "c514cc66-b02d-497b-bac0-57f58b831442", - "value": "Loss of Safety" -}, - { - "description": "T829: Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "d48aa5dc-40af-4299-85c5-64b2b28ea009", - "value": "Loss of View" -}, - { - "description": "T831: Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "1ff2853a-42bd-4aed-8aad-ed25ecc603d6", - "value": "Manipulation of Control" -}, - { - "description": "T832: Adversaries may attempt to manipulate the information reported back to operators or controllers. 
This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "5420f2d9-debe-4e3e-8717-0952afa92dd9", - "value": "Manipulation of View" -}, - { - "description": "T882: Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.", - "meta": { - "kill_chain": [ - "Technique Matrix:Impact" - ] - }, - "uuid": "fb6e8505-98a6-489f-a8a6-4abc0b7927a1", - "value": "Theft of Operational Information" -} - ], - "version": 1 -} - - - - \ No newline at end of file diff --git a/ics_technique_matrix_galaxy.json b/ics_technique_matrix_galaxy.json deleted file mode 100644 index d428f75..0000000 --- a/ics_technique_matrix_galaxy.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "description": "ATT&CK for ICS Technique Matrix", - "icon": "buromobelexperte", - "kill_chain_order": { - "Technique Matrix": [ - "Initial Access", - "Execution", - "Persistence", - "Evasion", - "Discovery", - "Lateral Movement", - "Collection", - "Command and Control", - "Inhibit Response Function", - "Impair Process Control", - "Impact" - ] - }, - "name": "ATT&CK for ICS Technique Matrix", - "namespace": "mitre-attack-for-ics", - "type": "mitre-ics-technique-matrix", - "uuid": "87d7849c-8e57-4c2e-a7ba-9a3e0771abb7", - "version": 1 - } diff --git a/ics_techniques_cluster.json b/ics_techniques_cluster.json deleted file mode 100644 index 454c69d..0000000 --- a/ics_techniques_cluster.json +++ /dev/null 
@@ -1,2051 +0,0 @@ -{ - "author": [ - "Tony Williams" - ], - "category": "Techniques", - "description": "A list of Techniques in ATT&CK for ICS.", - "name": "Techniques", - "source": "https://collaborate.mitre.org/attackics/index.php/All_Techniques", - "type": "mitre-ics-techniques", - "uuid": "633e91db-adf8-458e-a09e-7ee0eb588bf3", - "values": [ - { - "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", - "meta": { - "Technique ID": [ - "T800" - ], - "Tactic": [ - "Inhibit Response Function" - ], - "Proceedure Examples": [ - "The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission", - "The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. 
The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E" - ], - "References": [ - "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - ] - }, - "uuid": "d07be12d-39a2-448c-8e92-f40a46ed9865", - "value": "Activate Firmware Update Mode" -}, - { - "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. The method of suppression may greatly depend on the type of alarm in question: An alarm raised by a protocol message. An alarm signaled with I/O. 
An alarm bit set in a flag and read In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.2 Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", - "meta": { - "Technique ID": [ - "T878" - ], - "Tactic": [ - "Inhibit Response Function" - ], - "References": [ - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" - ] - }, - "uuid": "f35e36fd-1a4a-4fc5-a881-9db30b51b43f", - "value": "Alarm Suppression" -}, - { - "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", - "meta": { - "Technique ID": [ - "T802" - ], - "Tactic": [ - "Collection" - ], - "Proceedure Examples": [ - "Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze.", - "Industroyer automatically collects protocol object data to learn about control devices in the environment." 
- ], - "References": [ - "https://www.f-secure.com/weblog/archives/00002718.html", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - ] - }, - "uuid": "cd10178b-3af2-4169-9d19-73194c379fa0", - "value": "Automated Collection" -}, - { - "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively prevent them from receiving remote command messages.", - "meta": { - "Technique ID": [ - "T803" - ], - "Tactic": [ - "Inhibit Response Function" - ], - "Proceedure Examples": [ - "In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device." - ], - "Mitigations": [ - "Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.", - "Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.", - "Monitor the network for expected outcomes and to detect unexpected states.", - "Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access." 
- ], - "References": [ - "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", - "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - ] - }, - "uuid": "bc454d80-054b-48bf-8848-289ec9d8277d", - "value": "Block Command Message" -}, - { - "description": "Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively block messages from being reported.", - "meta": { - "Technique ID": [ - "T804" - ], - "Tactic": [ - "Inhibit Response Function" - ], - "Proceedure Examples": [ - "Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device." - ], - "Mitigations": [ - "Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other.", - "Secure the environment to minimize wires susceptible to interference and limit access points to cables. 
Keep the ICS and IT networks separate.", - "Monitor the network for expected outcomes and to detect unexpected states. For instance, an expected report does not occur may indicate reason for concern.", - "Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access.", - "Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server." - ], - "References": [ - "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", - "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - ] - }, - "uuid": "c70c3328-e180-4947-badd-8088686aec7f", - "value": "Block Reporting Message" -}, - { - "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. 
If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", - "meta": { - "Technique ID": [ - "T805" - ], - "Tactic": [ - "Inhibit Response Function" - ], - "Proceedure Examples": [ - "In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device." - ], - "Mitigations": [ - "In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.", - "Restrict access to both physical control and network environments with strong passwords. Consider forms of multi-factor authentication, such introducing as biometrics, smart cards, or tokens, to supplement traditional passwords.", - "Lock down and secure portable devices and removable media. Portable ICS assets should not be used outside of the ICS network.", - "Use only authorized media in the physical environment and be aware of anomalies. Take care to keep backups and stored data in secure, protected locations.", - "Implement antivirus and malware detection tools to detect improper access to serial COM by malicious or unexpected programs. Maintain environmental awareness to help detect instances when a serial COM may be blocked, resulting in commands or reports not being carried out." 
- ], - "References": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - ] - }, - "uuid": "6def9c26-dbd6-4410-a363-02bd2e235c22", - "value": "Block Serial COM" -}, - { - "description": "Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.", - "meta": { - "Technique ID": [ - "T806" - ], - "Tactic": [ - "Impair Process Control" - ], - "Proceedure Examples": [ - "The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values." - ], - "References": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - ] - }, - "uuid": "f5b5b616-1b96-485e-8b7b-620e94145bea", - "value": "Brute Force I/O" -}, - { - "description": "Adversaries may attempt to change the state of the current program on a control device. 
Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
- "meta": {
- "Technique ID": [
- "T875"
- ],
- "Tactic": [
- "Execution Impair Process Control"
- ],
- "Proceedure Examples": [
- "After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.",
- "Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.",
- "Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed."
- ],
- "References": [
- "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
- ]
- },
- "uuid": "1f846cbc-ed70-429c-b489-eaf1f0f99ca6",
- "value": "Change Program State"
-},
- {
- "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. 
Many controllers have CLI interfaces for management purposes.",
- "meta": {
- "Technique ID": [
- "T807"
- ],
- "Tactic": [
- "Execution"
- ],
- "Procedure Examples": [
- "The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoor’s “execute a shell command” commands."
- ],
- "Mitigations": [
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.",
- "Authentication of accounts should be enforced, and when applicable, account permissions and privileges should be limited to an as-needed basis.",
- "In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.",
- "In general, reduce and restrict access to both physical resources and the network, wherever CLIs might be exposed."
- ],
- "References": [
- "https://attack.mitre.org/wiki/Technique/T1059",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "1e6829cd-e6f3-4ff9-b56d-c6f0a2bb88ae",
- "value": "Command-Line Interface"
-},
- {
- "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. 
They may use commonly open ports, such as the examples as follows TCP:80 (HTTP), TCP:443 (HTTPS), TCP/UDP:53 (DNS), TCP:1024-4999 (OPC on XP/Win2k3), TCP:49152-65535 (OPC on Vista and later), TCP:23 (TELNET), UDP:161 (SNMP), TCP:502 (MODBUS), TCP:102 (S7comm/ISO-TSAP), TCP:20000 (DNP3), TCP:44818 (Ethernet/IP)",
- "meta": {
- "Technique ID": [
- "T885"
- ],
- "Tactic": [
- "Command and Control"
- ],
- "Proceedure Examples": [
- "Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138.",
- "Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised.",
- "Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments."
- ],
- "Mitigations": [
- "Access to device configuration settings should be restricted. Be wary of improper modifications before, during, and after system implementation",
- "Settings should be in the most restrictive mode, consistent with ICS operational requirements 4, including the limitation of open ports to those that are necessary.",
- "Leverage access control capabilities, such as whitelists, to limit communications to and from permitted, known entities.",
- "Assess and secure new device acquisitions as they enter the environment to detect and prevent the introduction of tampered with components.",
- "VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.",
- "Intrusion detection can be put in place to monitor traffic and logs. Unexpected or a high amount of traffic involving even commonly used ports can be suspicious when it deviates from the often consistent state of the ICS environment."
- ],
- "References": [
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "6f53940b-f5ee-4fcc-8752-2c9bdb16381c",
- "value": "Commonly Used Port"
-},
- {
- "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.",
- "meta": {
- "Technique ID": [
- "T884"
- ],
- "Tactic": [
- "Command and Control"
- ],
- "Mitigations": [
- "Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other.",
- "VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.",
- "Where applicable, further restrict network traffic by enforcing whitelisting of known, trusted devices. Limit access and editing privileges to such lists.",
- "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools."
- ],
- "References": [
- "https://attack.mitre.org/wiki/Technique/T1090",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
- "https://www.cpni.gov.uk/Documents/Publications/2014/2014-04-23-c2-report-birmingham.pdf"
- ]
- },
- "uuid": "2c5bf128-129a-482f-b578-995b389c9e2e",
- "value": "Connection Proxy"
-},
- {
- "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. 
In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.345 Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops.4 Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.",
- "meta": {
- "Technique ID": [
- "T879"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them."
- ],
- "References": [
- "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
- "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
- "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
- "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
- ]
- },
- "uuid": "0f14bec1-cc6e-4c73-a0de-77b9cf3f525f",
- "value": "Damage to Property"
-},
- {
- "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
- "meta": {
- "Technique ID": [
- "T809"
- ],
- "Tactic": [
- "Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files.",
- "KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion."
- ],
- "Mitigations": [
- "Password authentication can be used as a barrier to Data Destruction, in addition to restricting user account file access according to the principle of least privilege. The default for newly created accounts should be minimal, to reduce adversary movement capabilities.",
- "Best password practices, and the implementation of multi-factor authentication can also add security, particularly if data in the environment has a high risk of interception or may be sent in plaintext.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.",
- "Take note of suspicious files and run antivirus and malware detecting solutions to assist in catching malicious programs that can result in Data Destruction.",
- "dentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting5 tools like AppLocker or Software Restriction Policies where appropriate."
- ],
- "References": [
- "https://attack.mitre.org/wiki/Technique/T1107",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
- ]
- },
- "uuid": "cc76d9dc-1e26-48a1-baa1-c42b2aa6d381",
- "value": "Data Destruction"
-},
- {
- "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.1 The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be expected to have extensive connections within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks. 
",
- "meta": {
- "Technique ID": [
- "T810"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "Proceedure Examples": [
- "In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server."
- ],
- "References": [
- "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
- ]
- },
- "uuid": "bb11d289-4661-444b-8923-e77ce630f487",
- "value": "Data Historian Compromise"
-},
- {
- "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.",
- "meta": {
- "Technique ID": [
- "T811"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories.",
- "Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance.",
- "Flame has built-in modules to gather information from compromised computers."
- ],
- "References": [
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf",
- "https://www.symantec.com/security-center/writeup/2012-052811-0308-99"
- ]
- },
- "uuid": "ec83fca8-a475-42fd-9ae5-db666ec6dd3d",
- "value": "Data from Information Repositories"
-},
- {
- "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. 
It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled. ",
- "meta": {
- "Technique ID": [
- "T811"
- ],
- "Tactic": [
- "Lateral Movement"
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "Change default passwords to strong ones, when possible. In some instances, network traffic may be easily intercepted or sent in plaintext. In these instances, multi-factor authentication can act as both a barrier to the adversary and help alert the account owner of unauthorized access. Triple-factor authentication may also be considered.",
- "Be aware of device patching and maintenance that would enable password changes or stronger passwords than currently used ones.",
- "Authenticate wireless communications and access with a secure IEEE 802.1x authentication protocol.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.",
- "In general, console user actions should be traceable, whether it may manually (e.g. control room sign in) or automatic (e.g. login at the application and/or OS layer).1 Protect and restrict access to the resulting logs.",
- "Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has. Physical, token authentication can also be considered. 
It is also easier to notice if these have gotten lost or stolen, unlike traditional passwords. Smart cards another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be good supplement to software-only password solutions. Secure and check new acquisitions for tampering and signs of malicious components.",
- "VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.",
- "In the event the adversary is already inside the network, an intrusion detection system can help detect and record unusual patterns of activity."
- ],
- "References": [
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "c40fbcf3-5baf-4589-8f3a-e544790d2e37",
- "value": "Default Credentials"
-},
- {
- "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network preventing them from issuing any controls. ",
- "meta": {
- "Technique ID": [
- "T813"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Industroyer is able to block serial COM channels temporarily causing a denial of control."
- ],
- "References": [
- "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
- "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
- "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
- ]
- },
- "uuid": "8d7682dc-e23b-4a53-bac7-ca92ad5d7772",
- "value": "Denial of Control"
-},
- {
- "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a or denial of service condition. 
Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through Control Device Identification. There are examples of adversaries remotely causing a Device Restart/Shutdown by exploiting a vulnerability that induces uncontrolled resource consumption. In the Maroochy attack, the adversary was able to shut an investigator out of the network.",
- "meta": {
- "Technique ID": [
- "T814"
- ],
- "Tactic": [
- "Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.",
- "The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.7 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E",
- "The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS."
- ],
- "References": [
- "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A",
- "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01",
- "http://cwe.mitre.org/data/definitions/400.html",
- "https://nvd.nist.gov/vuln/detail/CVE-2015-5374",
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
- ]
- },
- "uuid": "5dc02bb0-3332-459b-a66e-148e152ee063",
- "value": "Denial of Service"
-},
- {
- "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.",
- "meta": {
- "Technique ID": [
- "T815"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Industroyer is able to block serial COM channels temporarily causing a denial of view."
- ],
- "References": [
- "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
- "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
- "",
- "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"
- ]
- },
- "uuid": "3840a392-0074-42ba-9303-d8bf18ce0048",
- "value": "Denial of View"
-},
- {
- "description": "Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. ",
- "meta": {
- "Technique ID": [
- "T868"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py."
- ],
- "References": [
- "Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py."
- ]
- },
- "uuid": "b12d6ee9-db15-45de-a1d7-594803e53960",
- "value": "Detect Operating Mode"
-},
- {
- "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program. 
",
- "meta": {
- "Technique ID": [
- "T870"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py."
- ],
- "References": [
- "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
- ]
- },
- "uuid": "2afa4852-71bc-41c9-b524-643cddb3e7fa",
- "value": "Detect Program State"
-},
- {
- "description": "Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading. Unexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take affect. For example, DNP3's function code 0x0D can reset and reconfigure DNP3 outstations by forcing them to perform a complete power cycle. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. 
The adversaries scheduled disconnects for the uniterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.",
- "meta": {
- "Technique ID": [
- "T816"
- ],
- "Tactic": [
- "Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.3 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E."
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "In general, it is unlikely devices in an ICS environment should experience frequent shutdowns. Therefore, monitor physical devices for unexpected state changes and the network for suspicious, related activity",
- "Whenever possible, intrusion detection systems, sensors, logs, and patch management should be done in real-time. These tools can provide tangible records of evidence and system integrity. 
Additionally, active log management utilities may actually flag an attack or event in progress and provide location and tracing information to help respond to the incident.",
- "Applying best password policies and being multi-factor authentication enabled can add an additional barrier to device shutdown, in the situation only verified users have the shutdown capability.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed. Cable exposure should be as minimal as possible, to reduce likely hood of tampering.",
- "Depending on security needs and risks, it might also be prudent to disable or physically protect power buttons to prevent unauthorized use."
- ],
- "References": [
- "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
- "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "e3b4487b-d29f-4940-a02d-8c948374964b",
- "value": "Device Restart/Shutdown"
-},
- {
- "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. 
The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites. ",
- "meta": {
- "Technique ID": [
- "T817"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "Proceedure Examples": [
- "ALLANITE leverages watering hole attacks to gain access into electric utilities.",
- "Dragonfly 2.0 utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access.",
- "Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP.",
- "OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks",
- "XENOTIME utilizes watering hole websites to target industrial employees.",
- "Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure." 
- ],
- "References": [
- "https://www.us-cert.gov/ncas/alerts/TA18-074A",
- "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/",
- "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/",
- "https://securelist.com/bad-rabbit-ransomware/82851/"
- ]
- },
- "uuid": "3eb64b2b-2710-446e-a30d-d49728d17350",
- "value": "Drive-by Compromise"
-},
- {
- "description": "Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. ",
- "meta": {
- "Technique ID": [
- "T818"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "Proceedure Examples": [
- "Stuxnet utilized an engineering workstation as the initial access point for PLC devices.",
- "The Triton malware gained remote access to an SIS engineering workstation." 
- ],
- "References": [
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
- ]
- },
- "uuid": "56fc2528-7ad9-4ff4-8a65-b7641822074e",
- "value": "Engineering Workstation Compromise"
-},
- {
- "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC. ",
- "meta": {
- "Technique ID": [
- "T871"
- ],
- "Tactic": [
- "Execution"
- ],
- "Proceedure Examples": [
- "PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units.",
- "Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units.",
- "Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes"
- ],
- "References": [
- "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
- ]
- },
- "uuid": "66ff7ce5-3daf-4651-9157-b6df2009e1b6",
- "value": "Execution through API"
-},
- {
- "description": "Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. 
In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment. ICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet.",
- "meta": {
- "Technique ID": [
- "T819"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "References": [
- "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B"
- ]
- },
- "uuid": "fce2a3b6-4bf0-4f98-9287-8849f0ed08d0",
- "value": "Exploit Public-Facing Application"
-},
- {
- "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware. ",
- "meta": {
- "Technique ID": [
- "T820"
- ],
- "Tactic": [
- "Evasion"
- ],
- "Proceedure Examples": [
- "Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. 
Manipulating this data could allow adversary data to be copied anywhere within memory.45 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration "
- ],
- "References": [
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
- "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02",
- "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s",
- "https://nvd.nist.gov/vuln/detail/CVE-2018-8872",
- "https://cwe.mitre.org/data/definitions/119.html",
- "https://www.nrc.gov/docs/ML1209/ML120900890.pdf"
- ]
- },
- "uuid": "8b5ed78d-5902-4656-99a8-05f8733f56bd",
- "value": "Exploitation for Evasion"
-},
- {
- "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. 
In each of these cases, self-propagating (“wormable”) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.",
- "meta": {
- "Technique ID": [
- "T866"
- ],
- "Tactic": [
- "Lateral Movement"
- ],
- "Proceedure Examples": [
- "Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.",
- "NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.",
- "WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks."
- ],
- "References": [
- "https://attack.mitre.org/techniques/T1210/",
- "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
- ]
- },
- "uuid": "c9324642-1af8-45d5-8b99-a8227e541f9d",
- "value": "Exploitation of Remote Services"
-},
- {
- "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. 
The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point?to?point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio. The 2015 attack on the Ukranian power grid showed the use of existing remote access tools within the environment to access the control system network. The adversary harvested worker credentials, some of them for VPNs the grid workers used to remotely log into the control system networks.3245 The VPNs into these networks appear to have lacked two?factor authentication.",
- "meta": {
- "Technique ID": [
- "T822"
- ],
- "Tactic": [
- "Lateral Movement, Initial Access"
- ],
- "Proceedure Examples": [
- "XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.",
- "Bad Rabbit can utilize exposed SMB services to access industrial networks.",
- "NotPetya can utilize exposed SMB services to access industrial networks.",
- "WannaCry can utilize exposed SMB services to access industrial networks"
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. 
Use of this software by remote users should be monitored on an almost real-time frequency.",
- "Enable console user actions to be traceable, either manually (e.g., control room sign in) or automatically (e.g. ,login at the application and/or OS layer).8 Protect and restrict access to the resulting logs.",
- "In environments with a high risk of interception or intrusion, consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.",
- "Secure and restrict access to the control room(s), which could be leveraged to set up an external remote service. Ensure VPNs, which are commonly used to provide secure access to ICS environments from untrusted networks, are properly configured.",
- "Maintain awareness and observe use of External Remote Services with intrusion detection systems and solutions. Timely patch maintenance will assist with reducing the likelihood of Exploitation of Vulnerability for External Remote Service."
- ],
- "References": [
- "https://attack.mitre.org/wiki/Technique/T1133",
- "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
- "https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/",
- "https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01",
- "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "51aa0e11-3141-4c65-a6bf-2a434ff62e11",
- "value": "External Remote Services"
-},
- {
- "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. 
A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine. In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.",
- "meta": {
- "Technique ID": [
- "T823"
- ],
- "Tactic": [
- "Execution"
- ],
- "Mitigations": [
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access.",
- "Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Authentication and strong passwords should be used to protect access to GUIs. Associated accounts and GUI sessions should be restricted to appropriate capabilities and actions.",
- "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.",
- "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting tools, like AppLocker and Software Restriction Policies where appropriate." 
- ],
- "References": [
- "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
- ]
- },
- "uuid": "fe7af615-363e-4d57-89f3-b513e3d2ea30",
- "value": "Graphical User Interface"
-},
- {
- "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.",
- "meta": {
- "Technique ID": [
- "T874"
- ],
- "Tactic": [
- "Persistence"
- ],
- "Proceedure Examples": [
- "Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files."
- ],
- "References": [
- "https://attack.mitre.org/techniques/T1179/",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
- ]
- },
- "uuid": "eb51ef09-1119-42e5-a54a-bae8da791160",
- "value": "Hooking"
-},
- {
- "description": "Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. 
This image is used by the user program instead of directly interacting with physical I/O.",
- "meta": {
- "Technique ID": [
- "T877"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device."
- ],
- "References": [
- "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
- ]
- },
- "uuid": "a721f6e3-0b80-4eca-bbd1-43a6891ac8cd",
- "value": "I/O Image"
-},
- {
- "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes. ",
- "meta": {
- "Technique ID": [
- "T824"
- ],
- "Tactic": [
- "Discovery"
- ],
- "Proceedure Examples": [
- "Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 
7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland."
- ],
- "Mitigations": [
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. *Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. *Consider multi-factor authentication solutions, such as biometric or card-based tokens, to supplement traditional password-protection to access physical rooms."
- ],
- "References": [
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "10ea82ba-9f19-476a-8ec5-c653e0add46c",
- "value": "I/O Module Discovery"
-},
- {
- "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device. ",
- "meta": {
- "Technique ID": [
- "T872"
- ],
- "Tactic": [
- "Evasion"
- ],
- "Proceedure Examples": [
- "KillDisk deletes application, security, setup, and system event logs from Windows systems.",
- "Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics." 
- ],
- "References": [
- "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
- "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
- ]
- },
- "uuid": "54e8db05-d233-48f4-9467-702f60bd53c0",
- "value": "Indicator Removal on Host"
-},
- {
- "description": "Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised. In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing.",
- "meta": {
- "Technique ID": [
- "T833"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "Proceedure Examples": [
- "Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet."
- ],
- "References": [
- "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf",
- "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
- "https://time.com/4270728/iran-cyber-attack-dam-fbi/",
- "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
- "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B"
- ]
- },
- "uuid": "a9251e7f-921e-40f3-9ad7-8ab3f38e3136",
- "value": "Internet Accessible Device"
-},
- {
- "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. 
An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.",
- "meta": {
- "Technique ID": [
- "T825"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations."
- ],
- "Mitigations": [
- "Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access",
- "Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. 
Protecting and securing cables reduces potential collateral damage and the likelihood of being tampered with.",
- "Whenever possible, protect location information from outside eyes. Limit viewing of any stored data to those with the need to know and try to restrict data sending to encrypted channels."
- ],
- "References": [
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
- "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
- "https://www.f-secure.com/weblog/archives/00002718.html"
- ]
- },
- "uuid": "48aed709-3fcf-4d51-8316-c4dc6b90114f",
- "value": "Location Identification"
-},
- {
- "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. Adversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases. ",
- "meta": {
- "Technique ID": [
- "T826"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown." 
- ],
- "References": [
- "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
- "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
- "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
- "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
- ]
- },
- "uuid": "b997f861-a587-48d5-9070-a358b1b67ac6",
- "value": "Loss of Availability"
-},
- {
- "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.",
- "meta": {
- "Technique ID": [
- "T827"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable.",
- "Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations." 
- ],
- "References": [
- "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
- "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
- "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
- "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
- ]
- },
- "uuid": "0d1979d5-d62c-4836-b14a-46f5a6d68bca",
- "value": "Loss of Control"
-},
- {
- "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety. 
",
- "meta": {
- "Technique ID": [
- "T828"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports.",
- "A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production.",
- "While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity",
- "NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines.",
- "An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open." 
- ],
- "References": [
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
- "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
- "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/",
- "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war",
- "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
- ]
- },
- "uuid": "f2905196-e419-4740-bca9-0fc3af846bc0",
- "value": "Loss of Productivity and Revenue"
-},
- {
- "description": "Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace. 
A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.567 Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact.",
- "meta": {
- "Technique ID": [
- "T880"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays.",
- "Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard."
- ],
- "References": [
- "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
- "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
- "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
- "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
- "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
- "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
- "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
- "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
- ]
- },
- 
"uuid": "4f46d0e0-91ee-4ab2-a5b7-168ee099b715", - "value": "Loss of Safety" -}, - { - "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.", - "meta": { - "Technique ID": [ - "T829" - ], - "Tactic": [ - "Impact" - ], - "Proceedure Examples": [ - "Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable.", - "Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations." 
- ],
- "References": [
- "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
- "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
- "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
- "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
- "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
- ]
- },
- "uuid": "ceee160f-8d23-41bd-b3f8-cfb87713e1a2",
- "value": "Loss of View"
-},
- {
- "description": "Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. 
A MITM attack may allow an adversary to perform the following attacks: Block Reporting Message, Modify Parameter, Unauthorized Command Message, Spoof Reporting Message ",
- "meta": {
- "Technique ID": [
- "T830"
- ],
- "Tactic": [
- "Execution"
- ],
- "Proceedure Examples": [
- "HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.",
- "Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. STUXNET effectively creates a man in the middle attack with the input and output signals and control logic."
- ],
- "Mitigations": [
- "Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered. Special care should be taken to ensure passwords used with encrypted, as opposed to non-encrypted protocols are not the same. Password lockout policies can be enforced, but take care to balance this with operational needs, that might result in a few failed login attempts in stressful situations.4 *Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.4*Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.4 *Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers. 
Depending on how it is deployed, an Intrusion Detection System (IDS) might be able to detect or help with the detection of a MitM attack."
- ],
- "References": [
- "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095",
- "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
- "https://dragos.com/resource/hexane/",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "23bcd8f2-4e1e-473b-83fa-8e895e503236",
- "value": "Man in the Middle"
-},
- {
- "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. During the PLC scan cycle, the state of the actual physical inputs is copied to a portion of the PLC memory, commonly called the input image table. When the program is scanned, it examines the input image table to read the state of a physical input. When the logic determines the state of a physical output, it writes to a portion of the PLC memory commonly called the output image table. The output image may also be examined during the program scan. To update the physical outputs, the output image table contents are copied to the physical outputs after the program is scanned. One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status. ",
- "meta": {
- "Technique ID": [
- "T835"
- ],
- "Tactic": [
- "Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "PLC-Blaster may manipulate any outputs of the PLC. 
Using the POU POKE any value within the process image may be modified.",
- "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral."
- ],
- "References": [
- "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/",
- "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
- ]
- },
- "uuid": "08fe1ccd-247f-45a4-b4f0-4d7f8329f510",
- "value": "Manipulate I/O Image"
-},
- {
- "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Methods of Manipulation of Control include: Man-in-the-middle, Spoof command message, Changing setpoints",
- "meta": {
- "Technique ID": [
- "T831"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "Industroyer toggles breakers to the open state utilizing unauthorized command messages.",
- "Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property."
- ],
- "References": [
- "Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property."
- ]
- },
- "uuid": "9366f29b-dcea-468c-bc47-579747a75978",
- "value": "Manipulation of Control"
-},
- {
- "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment. ",
- "meta": {
- "Technique ID": [
- "T849"
- ],
- "Tactic": [
- "Evasion, Impair Process Control"
- ],
- "Proceedure Examples": [
- "Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activate a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages.",
- "Stuxnet renames a dll responsible for handling communications with a PLC. It replaces the original .dll file with its own version that allows it to intercept any calls that are made to access the PLC.",
- "The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs."
- ],
- "References": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
- ]
- },
- "uuid": "e90b468f-8789-45e2-90fc-6cab1d121283",
- "value": "Masquerading"
-},
- {
- "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a Impact could occur. In ICS environments, the adversary may have to use Alarm Suppression or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. In the Maroochy Attack, the adversary disabled alarms at four pumping stations. 
This caused alarms to not be reported to the central computer.",
- "meta": {
- "Technique ID": [
- "T838"
- ],
- "Tactic": [
- "Inhibit Response Function"
- ],
- "Mitigations": [
- "Restrict access to report settings changes and automatically log any such changes, keeping actions accountable to user accounts.",
- "Restrict ICS user privileges to only those necessary to perform one’s job using Role-Based Access Control (RBAC). Configure these “roles” based on the principle of least privilege. Levels of access can dictate several factors, such as the ability to view, use, and alter specific ICS data or device functions.",
- "Auditing tools can provide tangible records of evidence and system integrity, and should be done on a real-time basis when feasible. 3 These tools may include monitoring of sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy management software, and other security mechanisms.",
- "Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas. Portable ICS assets should be secured and used only in the ICS network",
- "Intrusion detection systems (IDS) monitor events on a network and ensure unusual activity is brought to attention. Comparing the reporting commands, or lack of certain reports, against the IDS can assist with detecting anomalies.",
- "For instance, reporting behavior for critical or unsafe conditions and safety alarms should rarely, if ever, be turned off. Unsafe conditions coupled with no reports could indicate an attack."
- ],
- "References": [
- "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf",
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "d3691a42-3964-4629-bd95-89ddd71e6e38",
- "value": "Modify Alarm Settings"
-},
- {
- "description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. Program code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active. An adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools. An adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. It is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. 
The pressure controller can be told what the “real” pressure is for given analog signals and then automatically linearize the measurement to what would be the “real” pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.",
- "meta": {
- "Technique ID": [
- "T833"
- ],
- "Tactic": [
- "Impair Process Control, Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist. The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks."
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. 
Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "Monitor sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy management software, and other security mechanisms on a real-time basis as feasible. These tools can provide tangible records of evidence and system integrity. Additionally, active log management utilities may actually flag an attack or event in progress and provide location and tracing information to help respond to the incident.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Avoid unauthorized and suspicious media and keep it away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.",
- "Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered. Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.",
- "Make use of antivirus and malware detection tools to further secure the environment. In particular, intrusion detection system solutions can assist with monitoring the ICS environment for unexpected or alarming behaviors."
- ],
- "References": [
- "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "8f0ff984-424f-4c9e-b446-467f9d6493a0",
- "value": "Modify Control Logic"
-},
- {
- "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. 
This ultimately led to 800,000 liters of raw sewage being spilled out into the community.",
- "meta": {
- "Technique ID": [
- "T836"
- ],
- "Tactic": [
- "Impair Process Control"
- ],
- "Proceedure Examples": [
- "In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device."
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements. Be wary of improper modifications before, during, and after system implementation.",
- "Monitor system parameters for safe, expected settings and raise alerts when unsafe parameters, unexpected changes, or odd system states occur. Logging and/or associating device changes to accounts may also be beneficial, as an ICS environment rarely changes",
- "Secure and restrict authorization to the control room and the physical environment. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible."
- ],
- "References": [
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
-
- ]
- },
- "uuid": "8da151db-39aa-4424-a236-415dec458799",
- "value": "Modify Parameter"
-},
- {
- "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. 
Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
- "meta": {
- "Technique ID": [
- "T839"
- ],
- "Tactic": [
- "Impair Process Control"
- ],
- "Mitigations": [
- "Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements.",
- "Maintain and patch module firmware, checking to ensure the version and state are as expected. Firmware that requires a cryptographic key will be harder for the adversary to alter.",
- "Be wary of improper modifications before, during, and after system implementation.",
- "Ensure field devices require source and data authentication in order for users to update firmware and perform similar options. Enforcing proper firmware update policies and procedures may help distinguish intended update activity from malicious activity. Note that compromised devices may continue to function as expected by an asset owner, and that it is possible for many to be compromised in such a way.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.",
- "Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with. 
Monitor existing module firmware with applicable assessments to ensure devices are at the expected versions",
- "Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files",
- "Limit access to the network and require authentication as a barrier. Test access to field devices from outside the network, to help determine if an adversary could reach them."
- ],
- "References": [
- "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "08f44b76-8a2f-43d8-b51c-a18ef3e0a999",
- "value": "Module Firmware"
-},
- {
- "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic. ",
- "meta": {
- "Technique ID": [
- "T801"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation."
- ],
- "Mitigations": [
- "When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Contingency plans should be in place to handle and minimize impact from unexpected behavior.2 The physical layout and cable setup should be monitored to detect anomalies and to prevent crossover of ICS and IT environments.",
- "Access to device configuration settings should be restricted. 
IT products should be secured, in the most restrictive mode, on par with ICS operational requirements. Maintenance of such devices and products should be performed, keeping in mind operational concerns",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keeping a controlled and consistent asset inventory can assist with this",
- "Special care should be taken to ensure backups and other data are restricted to authorized users and kept out of the adversary’s hands. Never use portable ICS environment assets outside of the ICS network."
- ],
- "References": [
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "48947a94-a769-41a8-bc13-60aecfdcfa90",
- "value": "Monitor Process State"
-},
- {
- "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.",
- "meta": {
- "Technique ID": [
- "T840"
- ],
- "Tactic": [
- "Discovery"
- ],
- "Proceedure Examples": [
- "Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks."
- ],
- "Mitigations": [
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. 
Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with",
- "Restrict communications to and from devices over the network with access controls, such as whitelists.",
- "Utilize intrusion detection system (IDS) capabilities and heuristics to detect adversarial monitoring of the environment and modules or actions that deviate from normal functionality"
- ],
- "References": [
- "https://attack.mitre.org/wiki/Technique/T1049",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "96775fdf-1e64-47d6-b4bc-40d586aff9fd",
- "value": "Network Connection Enumeration"
-},
- {
- "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap. An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to. Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. 
This was specifically seen in the Triton and PLC-Blaster attacks.", - "meta": { - "Technique ID": [ - "T841" - ], - "Tactic": [ - "Discovery" - ], - "Mitigations": [ - "Isolate wireless access points and data servers for wireless worker devices on their own network with documented and minimal (single if possible) connections to the ICS network", - "Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer. Secure and restrict authorization to the control room and the physical environment.", - "Physical control room or control systems access often implies also gaining logical access.", - "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.", - "Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.", - "Implement heuristics to detect monitoring and invasive probing activity on the network, such as port scanning. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date." - ], - "References": [ - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - ] - }, - "uuid": "d9476518-569b-4baa-b01f-09d6ec61b101", - "value": "Network Service Scanning" -}, - { - "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information1 regardless of whether it is the specified destination for the information. An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. 
Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. Network sniffing can be a way to discover information for Control Device Identification. In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", - "meta": { - "Technique ID": [ - "T842" - ], - "Tactic": [ - "Discovery" - ], - "Proceedure Examples": [ - "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus – a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of the thread is to monitor each S7-315 on the bus. The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules.", - "The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI." 
- ], - "Mitigations": [ - "Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.", - "Isolate wireless access points and data servers for wireless worker devices on their own network with documented and minimal (single if possible) connections to the ICS network", - "Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer. Proper segmentation helps mitigate the risk of broadcast storms resulting from port scans. Assigning each automation cell to a single VLAN limits unnecessary traffic flooding.", - "Implement VPNs to further restrict access in and out of control system computers and controllers, which help remove unauthorized, non-essential traffic from the intermediary network.", - "In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if reasonable.", - "Network services will often transmit in plaintext, making third-party eavesdropping easy. When communications over both encrypted and non-encrypted protocols with passwords exist, be sure to use different passwords.", - "Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.", - "Secure and restrict authorization to the control room and the physical environment. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.", - "Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. 
Hardware accelerator solutions for cryptographic functions may also be considered.", - "Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.", - "Make use of antivirus and malware detection tools to further secure the environment. Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Implement heuristics to detect monitoring and invasive probing activity on the network.", - "Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting6 tools, like AppLocker,78 or Software Restriction Policies9 where appropriate." - ], - "References": [ - "https://attack.mitre.org/wiki/Technique/T1040", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", - "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html", - "https://www.youtube.com/watch?v=yuZazP22rpI", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf", - "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", - "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx" - ] - }, - "uuid": "7bccc6c8-43eb-4d26-ba17-98167a068627", - "value": "Network Sniffing" -}, - { - "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. 
Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation. ", - "meta": { - "Technique ID": [ - "T861" - ], - "Tactic": [ - "Collection" - ], - "Proceedure Examples": [ - "Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id" - ], - "References": [ - "Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id", - "https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html" - ] - }, - "uuid": "6b1da46d-fbe4-4b84-a4e1-1ece7daf6a93", - "value": "Point & Tag Identification" -}, - { - "description": "Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly. ", - "meta": { - "Technique ID": [ - "T843" - ], - "Tactic": [ - "Persistence, Impair Process Control, Inhibit Response Function" - ], - "Proceedure Examples": [ - "Stuxnet infects PLCs with different code depending on the characteristics of the target system. 
An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.", - "Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System." - ], - "References": [ - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", - "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - ] - }, - "uuid": "53f180f4-9093-4d1e-8372-3e10943b820e", - "value": "Program Download" -}, - { - "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected: Increase the size of the original block. Write malicious code to the beginning of the block. Insert the original OB1 code after the malicious code.", - "meta": { - "Technique ID": [ - "T844" - ], - "Tactic": [ - "Lateral Movement, Execution" - ], - "Proceedure Examples": [ - "PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block.", - "Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior." - ], - "References": [ - "Stuxnet infects PLCs with different code depending on the characteristics of the target system. 
An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.", - "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051", - "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" - ] - }, - "uuid": "326ade02-552b-4c68-b4e4-f41599b49a32", - "value": "Program Organization Units" -}, - { - "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device. ", - "meta": { - "Technique ID": [ - "T845" - ], - "Tactic": [ - "Collection" - ], - "Proceedure Examples": [ - "Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC." - ], - "References": [ - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" - ] - }, - "uuid": "1931da8b-1781-480b-b7db-26b7c432821c", - "value": "Program Upload" -}, - { - "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques. 
Adversaries may export their own code into project files with conditions to execute at specific intervals.3 Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.", - "meta": { - "Technique ID": [ - "T873" - ], - "Tactic": [ - "Persistence, Execution" - ], - "Proceedure Examples": [ - "Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded" - ], - "References": [ - "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=", - "http://www.plcdev.com/book/export/html/373", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" - ] - }, - "uuid": "46034514-6c9c-4afd-8158-246279fcd7d1", - "value": "Project File Infection" -}, - { - "description": "Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation. Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks. ", - "meta": { - "Technique ID": [ - "T867" - ], - "Tactic": [ - "Lateral Movement" - ], - "Proceedure Examples": [ - "Bad Rabbit can move laterally through industrial networks by means of the SMB service.", - "NotPetya can move laterally through industrial networks by means of the SMB service.", - "WannaCry can move laterally through industrial networks by means of the SMB service." 
- ], - "References": [ - "WannaCry can move laterally through industrial networks by means of the SMB service.", - "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - ] - }, - "uuid": "de0f0771-1772-421c-b2d4-4f913067583d", - "value": "Remote File Copy" -}, - { - "description": "Remote System Discovery is the process of identifying the presence of hosts on a network1, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.", - "meta": { - "Technique ID": [ - "T846" - ], - "Tactic": [ - "Discovery" - ], - "Proceedure Examples": [ - "The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.", - "The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically.", - "PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. 
It locates these devices by checking for a service listening on TCP port 102.", - "Stuxnet scanned the network to identify the Siemens PLCs that it was targeting.", - "Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502." - ], - "Mitigations": [ - "Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer.7 Proper segmentation helps mitigate the risk of broadcast storms resulting from port scans. Assigning each automation cell to a single VLAN limits unnecessary traffic flooding.", - "Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.", - "Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas.", - "Implement VPNs to further restrict access in and out of control system computers and controllers, which help remove unauthorized, non-essential traffic from the intermediary network.", - "Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.", - "Implement heuristics to detect monitoring and invasive probing activity on the network. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date." 
- ], - "References": [ - "https://attack.mitre.org/wiki/Technique/T1018", - "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", - "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", - "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - ] - }, - "uuid": "a65e1d32-cbff-40cb-af45-72fd5ad393ff", - "value": "Remote System Discovery" -}, - { - "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. The plant has since checked for infection and cleaned up more than 1,000 computers.9 An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution.", - "meta": { - "Technique ID": [ - "T847" - ], - "Tactic": [ - "Initial Access" - ], - "Proceedure Examples": [ - "Conficker exploits Windows drive shares. 
Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network. Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility.", - "Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened." - ], - "References": [ - "https://www.kkw-gundremmingen.de/presse.php?id=571", - "Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.12 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.", - "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS", - "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml", - "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant", - "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/", - "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/", - "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298", - "https://www.bbc.com/news/technology-36158606", - "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/", - 
"https://support.symantec.com/us/en/article.tech93179.html", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", - "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" - ] - }, - "uuid": "00697a1d-aa6d-4a52-91cf-4c0cbb9ff81f", - "value": "Replication Through Removable Media" -}, - { - "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection. In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.", - "meta": { - "Technique ID": [ - "T848" - ], - "Tactic": [ - "Evasion Impair Process Control" - ], - "Mitigations": [ - "Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.", - "Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered", - "Protect physical devices and restrict access to different locations with authentication to reduce the likelihood the adversary can introduce an outside device. 
Inventorying of devices and capabilities can assist in finding unknown entities.", - "Check new acquisitions for unexpected features and tampering that could enable them to masquerade as another device.", - "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.", - "Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting tools like AppLocker or Software Restriction Policies where appropriate." - ], - "References": [ - "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf", - "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", - "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx" - ] - }, - "uuid": "988cb83e-1ecd-4711-8c71-2d461dddd4f7", - "value": "Rogue Master Device" -}, - { - "description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack. For example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. 
Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device. ", - "meta": { - "Technique ID": [ - "T850" - ], - "Tactic": [ - "Collection" - ], - "Proceedure Examples": [ - "The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.", - "The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain." - ], - "Mitigations": [ - "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.", - "Encrypt and protect the integrity of wireless device communications. Encryption at OSI Layer 2 can be considered instead of at Layer 3, to reduce latency. Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.", - "Filter and limit communications to and from devices on the network. 
Implement relevant heuristics to detect adversarial probing and unexpected communications activity.", - "Wireless access points and data servers for wireless worker devices should be located on an isolated network with minimal connections to the ICS network.", - "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.", - "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with." - ], - "References": [ - "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.", - "https://www.f-secure.com/weblog/archives/00002718.html", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - ] - }, - "uuid": "52099a90-ab4f-43a8-8047-89492f5dadc4", - "value": "Role Identification" -}, - { - "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. 
This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact. ", - "meta": { - "Technique ID": [ - "T851" - ], - "Tactic": [ - "Evasion, Impair Process Control" - ], - "Proceedure Examples": [ - "One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnet’s own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnet’s PLC code is not discovered or damaged.", - "When the peripheral output is written to, sequence C of Stuxnet intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral." - ], - "Mitigation": [ - "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. 
Unauthorized and suspicious media should be avoided and kept away from systems and the network.", - "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.", - "Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with", - "In environments with a high risk of interception or intrusion, organizations should consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.", - "Make use of antivirus and malware detection tools to further secure the environment.", - "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate." - ], - "References": [ - "https://attack.mitre.org/wiki/Technique/T1014", - "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf", - "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", - "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx" - ] - }, - "uuid": "753a01c8-60c3-41f4-9241-166d884e1b84", - "value": "Rootkit" -}, - { - "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. 
Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices. ",
- "meta": {
- "Technique ID": [
- "T852"
- ],
- "Tactic": [
- "Collection"
- ],
- "Proceedure Examples": [
- "ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs",
- "APT33 utilize backdoors capable of capturing screenshots once installed on a system",
- "Dragonfly has been reported to take screenshots of the GUI for ICS equipment, such as HMIs."
- ],
- "References": [
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://dragos.com/resource/allanite/",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.symantec.com/security-center/writeup/2017-030708-4403-99"
- ]
- },
- "uuid": "2711392c-7f55-4d48-a505-cfd5de3c3e0e",
- "value": "Screen Capture"
-},
- {
- "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. 
Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task. ",
- "meta": {
- "Technique ID": [
- "T854"
- ],
- "Tactic": [
- "Execution"
- ],
- "Proceedure Examples": [
- "APT33 utilized PowerShell scripts to establish command and control and install files for execution.",
- "HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools",
- "OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.",
- "In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment.",
- "A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs."
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. 
Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions",
- "These access restrictions should also apply to configuration and systems settings.",
- "The ability to make certain changes, alter settings, and run files should be at least protected by basic password authentication. In environments where passwords may be intercepted or sent as plaintext, implement multi-factor authentication to supplement password use.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Physical access to systems may allow the adversary to run scripts, if privileged accounts are logged in. Consider enforcing a logoff or timeout policy, consistent with operational needs."
- ],
- "References": [
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://dragos.com/resource/magnallium/",
- "https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms",
- "https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003",
- "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "38959743-d33f-4e4c-9be2-3c1f773b0c30",
- "value": "Scripting"
-},
- {
- "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. 
These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems. While IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack. ",
- "meta": {
- "Technique ID": [
- "T854"
- ],
- "Tactic": [
- "Discovery"
- ],
- "Proceedure Examples": [
- "",
- "Industroyer contains modules for IEC 101 and IEC 104 communications. IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality. The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device."
- ],
- "Mitigations": [
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Keep documentation and portable assets secured and stowed away when not in use.",
- "Limit communications to and from devices wherever possible, such as enforcing whitelist policies for network-based communications." 
- ],
- "References": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "7bbc25f1-eec4-4ecc-bc98-071dc89d25b2",
- "value": "Serial Connection Enumeration"
-},
- {
- "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.",
- "meta": {
- "Technique ID": [
- "T881"
- ],
- "Tactic": [
- "Impair Process Control"
- ],
- "Proceedure Examples": [
- "Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user.",
- "KillDisk looks for and terminates two non-standard processes, one of which is an ICS application."
- ],
- "References": [
- "https://attack.mitre.org/techniques/T1489/",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
- ]
- },
- "uuid": "249f3b38-db72-4941-a36c-59b5db185b87",
- "value": "Service Stop"
-},
- {
- "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. 
In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.",
- "meta": {
- "Technique ID": [
- "T865"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "Proceedure Examples": [
- "ALLANITE utilized spear phishing to gain access into energy sector environments",
- "APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.",
- "APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies.",
- "Dragonfly 2.0 used the Phishery tool kit to conduct spear phishing attacks and gather credentials.56 Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in the North America",
- "Dragonfly sent pdf documents over email which contained links to malicious sites and downloads",
- "HEXANE has used malicious documents to drop malware and gain access into an environment.",
- "Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads.11 Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company.",
- "OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.",
- "The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails.",
- "BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments." 
- ],
- "References": [
- "https://attack.mitre.org/techniques/T1193/",
- "https://www.eisac.com/public-news-detail?id=115909",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.wired.com/story/iran-hackers-us-phishing-tensions/",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
- "https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf",
- "https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://dragos.com/resource/hexane/",
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
- "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos",
- "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
- "https://www.f-secure.com/weblog/archives/00002718.html",
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- ]
- },
- "uuid": "813ea621-37d0-44dc-aaef-74cacca69f43",
- "value": "Spearphishing Attachment"
-},
- {
- "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network. 
",
- "meta": {
- "Technique ID": [
- "T869"
- ],
- "Tactic": [
- "Command and Control"
- ],
- "Proceedure Examples": [
- "HEXANE communicated with command and control over HTTP and DNS.",
- "OilRig communicated with its command and control using HTTP requests",
- "BlackEnergy uses HTTP POST request to contact external command and control servers.",
- "Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised."
- ],
- "References": [
- "https://dragos.com/resource/hexane/",
- "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
- ]
- },
- "uuid": "6b277198-78b1-4910-bfea-21803c1b8048",
- "value": "Standard Application Layer Protocol"
-},
- {
- "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. Supply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. 
In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).",
- "meta": {
- "Technique ID": [
- "T862"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "Proceedure Examples": [
- "Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard windows applications.",
- "ENOTIME targeted several ICS vendors and manufacturers.",
- "The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites."
- ],
- "References": [
- "https://www.f-secure.com/weblog/archives/00002718.html",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
- "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf",
- "https://www.f-secure.com/weblog/archives/00002718.html"
- ]
- },
- "uuid": "eb58509d-92e4-4d43-bfd6-99b26dc62d37",
- "value": "Supply Chain Compromise"
-},
- {
- "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. 
Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries developed malicious firmware for the serial-to-ethernet devices which rendered them inoperable and severed connections between the control center and the substation.",
- "meta": {
- "Technique ID": [
- "T857"
- ],
- "Tactic": [
- "Persistence, Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make"
- ],
- "Mitigations": [
- "Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements.",
- "Maintain and patch module firmware, checking to ensure the version and state are as expected. 
Firmware that requires a cryptographic key will be harder for the adversary to alter",
- "Be wary of improper modifications before, during, and after system implementation",
- "Enforcing proper firmware update policies and procedures may help distinguish intended update activity from malicious activity. Require source and data authentication, at a minimum, as part of this process.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Take care to keep backups and stored data in secure, protected locations.",
- "Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.",
- "Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with. Monitor existing module firmware with applicable assessments to ensure devices are at the expected versions.",
- "Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files",
- "Limit access to the network and require authentication as a barrier. Test access to field devices from outside the network, to help determine if an adversary could reach them." 
- ],
- "References": [
- "http://www.sciencedirect.com/science/article/pii/S1874548213000231",
- "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "1d8e19f2-66f7-4a48-9f9d-26b6d512cdcd",
- "value": "System Firmware"
-},
- {
- "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data.",
- "meta": {
- "Technique ID": [
- "T882"
- ],
- "Tactic": [
- "Impact"
- ],
- "Proceedure Examples": [
- "ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information.",
- "Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.",
- "Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information." 
- ],
- "References": [
- "https://time.com/4270728/iran-cyber-attack-dam-fbi/",
- "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf",
- "https://www.symantec.com/security-center/writeup/2012-052811-0308-99"
- ]
- },
- "uuid": "c92ffac5-3979-4209-8f81-9ca45e556a73",
- "value": "Theft of Operational Information"
-},
- {
- "description": "Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact. In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries used valid credentials to seize control of operator workstations and access a distribution management system (DMS) client application via a VPN. The adversaries used these tools to issue unauthorized commands to breakers at substations which caused a loss of power to over 225,000 customers over various areas.",
- "meta": {
- "Technique ID": [
- "T855"
- ],
- "Tactic": [
- "Impair Process Control"
- ],
- "Proceedure Examples": [
- "The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. 
The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF.",
- "In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives.",
- "Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately."
- ],
- "Mitigations": [
- "Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding",
- "In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if reasonable.",
- "When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Contingency plans should be in place to handle and minimize impact from unexpected behavior.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.",
- "Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.",
- "Antivirus and malicious code detection tools can assist with detecting and preventing impact of malware. Secure Windows, Unix, and Linux, etc.-based systems like traditional IT equipment. 
Follow vendor recommendations for other computers and services with time-dependent code and changes differentiating them from standard devices.",
- "Leverage Intrusion Detection Systems (IDS) capabilities for event monitoring, such as looking for unusual activity and traffic patterns and detecting abnormal changes to functionality. If timestamps or methods of authentication are associated with commands, these may be useful metrics to determine spoofed sources. For instance, a spoofed message sent with unusual timing or an extra command sent, coinciding with a legitimate source."
- ],
- "References": [
- "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "78fb294d-11e9-49d3-9469-40665308a710",
- "value": "Unauthorized Command Message"
-},
- {
- "description": "Adversaries may rely on a targeted organizations’ user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. Execution of this code requires that the user enable scripting or write access within the document. 
Embedded code may not always be noticeable to the user especially in cases of trojanized software",
- "meta": {
- "Technique ID": [
- "T863"
- ],
- "Tactic": [
- "Execution"
- ],
- "Proceedure Examples": [
- "Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email.",
- "Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer."
- ],
- "References": [
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
- "https://www.f-secure.com/weblog/archives/00002718.html",
- "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939",
- "https://securelist.com/bad-rabbit-ransomware/82851/"
- ]
- },
- "uuid": "0df00d45-2105-4ab0-ad6d-de0a9b7d898d",
- "value": "User Execution"
-},
- {
- "description": "Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause a Impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses. 
",
- "meta": {
- "Technique ID": [
- "T858"
- ],
- "Tactic": [
- "Evasion, Inhibit Response Function"
- ],
- "Proceedure Examples": [
- "Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in ‘program mode’ during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch."
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "Supplement restricted privileges and environment access with strong passwords. Consider forms of multi-factor authentication, such as introducing biometrics, smart cards, or tokens, to supplement traditional passwords.",
- "Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.",
- "Network services in ICS often transmit in plaintext, making third-party eavesdropping easy. Always use different passwords, especially if credentials may be transmitted across both encrypted and non-encrypted protocols",
- "Restrict device configuration settings access. Be wary of improper modifications before, during, and after system implementation. IT products should be secured as restrictively as possible, in accordance with ICS operational requirements.",
- "Protect and restrict physical access to locations, devices, and systems. Lockdown and secure portable devices and removable media. 
Portable ICS assets should not be used outside of the ICS network",
- "When possible, real-time monitoring and management of ICS devices and the network can help detect anomalous behavior. Always check new device acquisitions for the presence of backdoors and malicious tampering."
- ],
- "References": [
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "9e5e5c49-45ec-4dd3-a890-9bcbb7f99a81",
- "value": "Utilize/Change Operating Mode"
-},
- {
- "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system. 
In the 2015 attack on the Ukranian power grid, the adversaries used valid credentials to interact directly with the client application of the distribution management system (DMS) server via a VPN and native remote access services to access employee workstations hosting HMI applications.2 The adversaries caused outages at three different energy companies, causing loss of power to over 225,000 customers over various areas.",
- "meta": {
- "Technique ID": [
- "T859"
- ],
- "Tactic": [
- "Persistence, Lateral Movement"
- ],
- "Proceedure Examples": [
- "ALLANITE utilized credentials collected through phishing and watering hole attacks.",
- "Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks.",
- "Dragonfly leveraged compromised user credentials to access the targets networks and download tools from a remote server.",
- "HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization.",
- "OilRig utilized stolen credentials to gain access to victim machines.",
- "Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems",
- "XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment.",
- "BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence."
- ],
- "Mitigations": [
- "Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. 
Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
- "Privilege restriction should extend to hardware, firmware, software, documentation, and settings modifications.",
- "Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.",
- "In general, console user actions should be traceable, whether it may manually (e.g. control room sign in) or automatic (e.g. login at the application and/or OS layer).11 Protect and restrict access to the resulting logs.",
- "Special care should be taken to ensure passwords used with encrypted, as opposed to non-encrypted protocols are not the same. Password lockout policies can be enforced, but take care to balance this with operational needs, that might result in a few failed login attempts in stressful situations.",
- "Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has",
- "Physical token authentication can also be considered. It is also easier to notice if these have gotten lost or stolen, unlike traditional passwords. Smart cards another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be good supplement to software-only password solutions.",
- "Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. 
Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
- "Antivirus and malware detection should be employed to assist with detecting and preventing malicious code from being run, in the event a Valid Account is compromised.",
- "Network monitoring and intrusion detection systems can be leveraged to observe activity and may help identify suspicious account activity and movement at unexpected times."
- ],
- "References": [
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
- "https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
- "https://dragos.com/resource/allanite/",
- "https://dragos.com/resource/dymalloy/",
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
- "https://dragos.com/resource/chrysene/",
- "https://dragos.com/resource/electrum/",
- "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
- ]
- },
- "uuid": "439051c8-9404-40f1-a4c9-d6bef22ea5fd",
- "value": "Valid Accounts"
-},
- {
- "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device.12 Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A joint case study on the Maroochy Shire Water Services event examined the attack from a cyber security perspective.3 The adversary disrupted Maroochy Shire's radio-controlled sewage system by driving around with stolen radio equipment and issuing commands with them. 
Boden used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. The remote controller device allowed the student to interface with the tram’s network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. The controller then enabled initial access to the network, allowing the capture and replay of tram signals",
- "meta": {
- "Technique ID": [
- "T860"
- ],
- "Tactic": [
- "Initial Access"
- ],
- "References": [
- "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf",
- "https://www.slideshare.net/dgpeters/17-bolshev-1-13",
- "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
- "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
- "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
- "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
- "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"
- ]
- },
- "uuid": "6330fa53-0ba5-4be6-bd76-1cb4f9a535d4",
- "value": "Wireless Compromise"
-}
- ],
- "version": 1
-}
-
-
-
-
-
-
-
diff --git a/ics_techniques_galaxy.json b/ics_techniques_galaxy.json
deleted file mode 100644
index 8bd862e..0000000
--- a/ics_techniques_galaxy.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "ATT&CK for ICS Techniques",
- "icon": "user-ninja",
- "name": "Techniques",
- "namespace": "mitre-attack-for-ics",
- "type": "mitre-ics-techniques",
- "uuid": "99261a7e-2270-40eb-823f-834cc1ad3159",
- "version": 1
-}
-