MITRE ATT&CK for ICS fixes #586

fixed issues in pull request #586
pull/587/head
Christophe Vandeplas 2020-10-01 20:42:40 +02:00
parent 0a72735f14
commit f95e88b1f9
26 changed files with 3438 additions and 4446 deletions


@ -0,0 +1,287 @@
{
"authors": [
"MITRE"
],
"category": "asset",
"description": "A list of asset categories that are commonly found in industrial control systems.",
"name": "Assets",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Assets",
"type": "mitre-ics-assets",
"uuid": "0594fbc2-6267-479b-85a3-c4be8e044454",
"values": [
{
"description": "A device which acts as both a server and controller, that hosts the control software used in communicating with lower-level control devices in an ICS network (e.g. Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)).",
"meta": {
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"A control server may also be referred to with these terms in a SCADA system: MTU, supervisory controller, or SCADA server."
],
"Techniques That Apply": [
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801 ",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
"value": "Control Server"
},
{
"description": "A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.",
"meta": {
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Techniques That Apply": [
"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
]
},
"uuid": "da06d4aa-2471-4582-aadf-e1653dd6575c",
"value": "Data Historian"
},
{
"description": "The engineering workstation is usually a high-end very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, high speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications.",
"meta": {
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0 ",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"Many engineering workstations are laptops. Because of their mobile nature, lack of desktop standard, and frequent connection to control system devices and network, engineering workstations can serve as entry points for attacks."
],
"Techniques That Apply": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Hooking https://collaborate.mitre.org/attackics/index.php/Technique/T874 ",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "b34cba3b-4294-4149-b119-214fadef0d01",
"value": "Engineering Workstation"
},
{
"description": "Controller terminology depends on the type of system they are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), are computerized control units that are typically rack or panel mounted with modular processing and interface cards. The units are collocated with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most utilize a programmable logic-based application that provides scanning and writing of data to and from the IO interface modules and communicates with the control system network via various communications methods, including serial and network communications",
"meta": {
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
],
"Notes": [
"Typically programmed in an IEC 61131 programming language, a PLC is designed for real time use in rugged, industrial environments. Connected to sensors and actuators, PLCs are categorized by the number and type of I/O ports they provide and by their I/O scan rate. \nAn RTU is a special purpose field device that supports SCADA remote stations with both wired and wireless communication capabilities, in order to communicate with the supervisory controller. Wireless radio is leveraged in remote situations where wired communications are not available; typically with field equipment. This role may also be fulfilled by PLCs with radio communication capabilities. The PLC may still be referred to as an RTU in this case."
],
"Techniques That Apply": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805 ",
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838 ",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organisational Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Unauthorised Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "1de9f3b2-07fc-4614-b07f-d5468e51770a",
"value": "Field Controller/RTU/PLC/IED"
},
{
"description": "In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common: \nGraphical user interfaces(GUI) accept input via devices such as computer keyboard and mouse and provide articulated graphical output on the computer monitor. \nWeb-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program. The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI). \nThe system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.",
"meta": {
"Levels": [
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"In many cases, these involve video screens or computer terminals, push buttons, auditory feedback, flashing lights, etc. The human-machine interface provides means of: \nInput - allowing the users to control the machine \nOutput - allowing the machine to inform the users"
],
"Techniques That Apply": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Exploit of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
"Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Point and Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx"
]
},
"uuid": "3894cc68-79e0-4673-8548-c6e1b57a93e2",
"value": "Human-Machine Interface"
},
{
"description": "The Input/Output (I/O) server provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The I/O server, sometimes referred to as a Front-End Processor (FEP) or Data Acquisition Server (DAS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The I/O server also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.",
"meta": {
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Techniques That Apply": [
"Blocking Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
]
},
"uuid": "c98dda59-afe3-4154-b672-96f18cb5991b",
"value": "Input/Output Server"
},
{
"description": "A safety instrumented system (SIS) takes automated action to keep a plant in a safe state, or to put it into a safe state, when abnormal conditions are present. The SIS may implement a single function or multiple functions to protect against various process hazards in your plant. The function of protective relaying is to cause the prompt removal from service of an element of a power system when it suffers a short circuit or when it starts to operate in any abnormal manner that might cause damage or otherwise interfere with the effective operation of the rest of the system.",
"meta": {
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
],
"Techniques That Apply": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885 ",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839 ",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organisation Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "
],
"refss": [
"http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf",
"http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf"
]
},
"uuid": "01ce6089-11cb-422f-ab05-ffe61ee4b21c",
"value": "Safety Instrumented System/Protection Relay"
}
],
"version": 1
}
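Review bot: The references key is spelled `refss` in the Engineering Workstation, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server and Safety Instrumented System entries, while the Control Server and Data Historian entries use `refs`; the galaxy convention (and the first two entries) is `refs`, so the misspelled ones will presumably be ignored by the schema and never rendered — change each to `"refs": [`. Several URL strings also end with a trailing space (e.g. `.../Technique/T801 `, `.../Level_0 `, `.../Technique/T874 `, `.../Technique/T859 `), which makes them unequal to the same URL elsewhere in the file and breaks any lookup or deduplication on the value; strip the whitespace. The same technique ID is named inconsistently across assets — `Point & Tag Identification` vs `Point and Tag Identification` (T861), `Exploitation of Remote Services` vs `Exploit of Remote Services` (T866), `Block Reporting Message` vs `Blocking Reporting Message` (T804), `Program Organisational Units` vs `Program Organisation Units` (T844) — so a consumer correlating by name will miss matches; pick one spelling per ID. Since the technique-to-asset mapping is the security-relevant content here, it would be more robust as `related` entries keyed on the technique cluster UUIDs than as free-text "name URL" strings, if the ICS techniques galaxy in this PR provides those UUIDs.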


@ -0,0 +1,270 @@
{
"authors": [
"MITRE"
],
"category": "actor",
"description": "Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.",
"name": "Groups",
"source": "https://collaborate.mitre.org/attackics/index.php/Groups",
"type": "mitre-ics-groups",
"uuid": "8fb1c036-8904-4d4b-82d5-0286da77eb7e",
"values": [
{
"description": "ALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITEs technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.",
"meta": {
"Associated Group Descriptions": [
"ALLANITE",
"Palmetto Fusion"
],
"Techniques Used": [
"Screen Capture - ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Drive-by Compromise - ALLANITE leverages watering hole attacks to gain access into electric utilities https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - ALLANITE utilized credentials collected through phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Spearphishing Attachment - ALLANITE utilized spear phishing to gain access into energy sector environments"
],
"refs": [
"https://dragos.com/resource/allanite/",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk",
"https://www.eisac.com/public-news-detail?id=115909"
]
},
"uuid": "fd28d200-2f1f-464a-af1f-fcadac7640a1",
"value": "ALLANITE"
},
{
"description": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.",
"meta": {
"Associated Group Descriptions": [
"APT33 - Fireeye noted a potential link between APT33 and Shamoon based on similar dropper malware DROPSHOT",
"Elfin - Symantec mentioned a potential link between Elfin and Shamoon based on such close occurances of the attacks within a particular organization",
"MAGNALLIUM"
],
"Techniques Used": [
"Spearphishing Attachment - APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.2 APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Scripting - APT33 utilized PowerShell scripts to establish command and control and install files for execution https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Screen Capture - APT33 utilize backdoors capable of capturing screenshots once installed on a system https://collaborate.mitre.org/attackics/index.php/Technique/T852"
],
"refs": [
"https://attack.mitre.org/groups/G0064/",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://dragos.com/resource/magnallium/",
"https://www.wired.com/story/iran-hackers-us-phishing-tensions/",
"https://www.symantec.com/security-center/writeup/2017-030708-4403-99"
]
},
"uuid": "8f6f8a49-8a22-4494-a4c0-5a341444339a",
"value": "APT33"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.",
"meta": {
"Associated Group Descriptions": [
"Dragonfly",
"Energetic Bear"
],
"Software": [
"Backdoor.Oldrea"
],
"Techniques Used": [
"Screen Capture - Dragonfly has been reported to take screenshots of the GUI for ICS equipment, such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Spearphishing Attachment - Dragonfly sent pdf documents over email which contained links to malicious sites and downloads https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Drive-by Compromise - Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - Dragonfly leveraged compromised user credentials to access the targets networks and download tools from a remote server https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Commonly Used Port - Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138 https://collaborate.mitre.org/attackics/index.php/Technique/T885"
],
"refs": [
"https://attack.mitre.org/groups/G0035/",
"https://dragos.com/resource/dymalloy/",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
},
"uuid": "9b4143ce-253c-45c4-a160-0d0a7450aace",
"value": "Dragonfly"
},
{
"description": "Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0's initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.",
"meta": {
"Associated Group Descriptions": [
"Dragonfly 2.0",
"Beserk Bear",
"DYMALLOY"
],
"Techniques Used": [
"Spearphishing Attachment - Dragonfly 2.0 used the Phishery tool kit to conduct spear phishing attacks and gather credentials.14 Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in the North America https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Supply Chain Compromise - Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard windows applications https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"https://collaborate.mitre.org/attackics/index.php/Technique/T817 https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
"https://fortune.com/2017/09/06/hack-energy-grid-symantec/",
"https://dragos.com/resource/dymalloy/",
"https://blog.talosintelligence.com/2017/07/template-injection.html",
"https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf",
"https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf"
]
},
"uuid": "790c3072-49d1-4c4f-8fd0-dc3db50887c1",
"value": "Dragonfly 2.0"
},
{
"description": "HEXANE is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. HEXANE's targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.",
"meta": {
"Associated Group Descriptions": [
"HEXANE",
"Lyceum"
],
"Techniques Used": [
"Spearphishing Attachment - HEXANE has used malicious documents to drop malware and gain access into an environment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol - HEXANE communicated with command and control over HTTP and DNS https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts - HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Man in the Middle - HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Scripting - HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools https://collaborate.mitre.org/attackics/index.php/Technique/T853"
],
"refs": [
"https://dragos.com/resource/hexane/",
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms",
"https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003"
]
},
"uuid": "a529ddda-9a44-4a0f-912e-4681f442b488",
"value": "HEXANE"
},
{
"description": "Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017.3 While WannaCry was not an ICS focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
"meta": {
"Associated Group Descriptions": [
"Lazarus group",
"COVELLITE",
"HIDDEN COBRA",
"ZINC",
"Guardians of Peace"
],
"Software": [
"WannaCry"
],
"Techniques Used": [
"Spearphishing Attachment - Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company https://collaborate.mitre.org/attackics/index.php/Technique/T865"
],
"refs": [
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"https://dragos.com/resource/covellite/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/",
"https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos",
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
]
},
"uuid": "3bbf3f0f-346d-49ad-9300-3bb0f23c83ef",
"value": "Lazarus group"
},
{
"description": "Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities and initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS specific or destructive capabilities.",
"meta": {
"Associated Group Descriptions": [
"Leafminer",
"RASPITE"
],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
"https://dragos.com/resource/raspite/"
]
},
"uuid": "956a44f1-0d5c-4f3c-a9a7-16f96f9656e4",
"value": "Leafminer"
},
{
"description": "OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors as well as petrochemical, oil & gas. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco. ",
"meta": {
"Associated Group Descriptions": [
"OilRig",
"CHRYSENE",
"Greenbug",
"APT 34"
],
"Techniques Used": [
"Spearphishing Attachment - OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Scripting - OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Standard Application Layer Protocol - OilRig communicated with its command and control using HTTP requests https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Drive-by Compromise - OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - OilRig utilized stolen credentials to gain access to victim machines https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://www.fireeye.com/current-threats/apt-groups.html#apt34",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
"https://dragos.com/resource/chrysene/",
"https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"
]
},
"uuid": "4945c0e7-9f4b-404d-83b2-e5cd3f26c32f",
"value": "OilRig"
},
{
"description": "Sandworm is a threat group associated with the Kiev, Ukraine electrical transmission substation attacks which resulted in the impact of electric grid operations on December 17th, 2016. Sandworm has been cited as the authors of the Industroyer malware which was used in the 2016 Ukraine attacks.",
"meta": {
"Associated Group Descriptions": [
"Sandworm",
"ELECTRUM"
],
"Software": [
"Industroyer",
"Notpetya"
],
"Techniques Used": [
"Internet Accessible Device - Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet https://collaborate.mitre.org/attackics/index.php/Technique/T883",
"Valid Accounts - Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://dragos.com/resource/electrum/",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
"https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/"
]
},
"uuid": "b4fbf3b0-1a5e-4bdc-8977-74fff1db19ff",
"value": "Sandworm"
},
{
"description": "XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. Xenotime has previously targeted oil & gas, as well as electric sectors within the Middle east, Europe, and North America. Xenotime has also been reported to target ICS vendors, manufacturers, and organizations in the middle east. This group is one of the few with reported destructive capabilities.",
"meta": {
"Associated Group Descriptions": [
"XENOTIME",
"TEMP.Veles - Fireeye attributes with high confidence that intrusion activity and Triton development was supported by a Russian government-owned technical research institution."
],
"Software": [
"Triton"
],
"Techniques Used": [
"Drive-by Compromise - XENOTIME utilizes watering hole websites to target industrial employees https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"External Remote Services - XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Valid Accounts - XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Supply Chain Compromise - XENOTIME targeted several ICS vendors and manufacturers https://collaborate.mitre.org/attackics/index.php/Technique/T862"
],
"refs": [
"https://dragos.com/resource/xenotime/",
"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
"https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"
]
},
"uuid": "acb04037-e160-4a4e-a8cf-8a53a2f8221b",
"value": "XENOTIME"
}
],
"version": 1
}


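--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,53 @@
+{
+"authors": [
+"MITRE"
+],
+"category": "level",
+"description": "Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.",
+"name": "Levels",
+"source": "https://collaborate.mitre.org/attackics/index.php/All_Levels",
+"type": "mitre-ics-levels",
+"uuid": "952bcf79-eccd-45ac-9769-f61886bd0264",
+"values": [
+{
+"description": "The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.",
+"meta": {
+"Related Assets": [
+"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
+"Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
+"Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
+]
+},
+"uuid": "614c4df5-b65f-4f3c-bb9f-b67549dfce2f",
+"value": "Level 0"
+},
+{
+"description": "The control network level includes the functions involved in sensing and manipulating physical processes. Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).",
+"meta": {
+"Related Assets": [
+"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
+"Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
+"Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
+"Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
+]
+},
+"uuid": "b9b1c942-b419-4919-ba14-40b24b0fbbd5",
+"value": "Level 1"
+},
+{
+"description": "The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.",
+"meta": {
+"Related Assets": [
+"Control Server https://collaborate.mitre.org/attackics/index.php/Control_Server",
+"Data Historian https://collaborate.mitre.org/attackics/index.php/Data_Historian",
+"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
+"Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
+"Input/Output Server https://collaborate.mitre.org/attackics/index.php/Input/Output_Server"
+]
+},
+"uuid": "358d768d-5a97-4b1b-b185-044c1dd14357",
+"value": "Level 2"
+}
+],
+"version": 1
+}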
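Review bot: The `Related Assets` entries pack a display name and a URL into one string, e.g. `"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation"`, so every consumer has to split on the last space to recover either half, and the link to the asset is only a wiki URL rather than something tooling can resolve. The key itself (`Related Assets`, capitalised with a space) also does not match the lowercase identifier keys used elsewhere on this page (`refs`, `uuid`, `value`), so it will not be picked up by any consumer that already understands those. Since the same commit adds an Assets cluster whose entries carry their own `uuid`, a machine-resolvable alternative would be to list only the asset names in the array, move the wiki URLs into a `refs` list, and express the asset link through the cluster's `related`/`dest-uuid` mechanism pointing at the corresponding asset entry; if the name-plus-URL convention is deliberate for the whole ATT&CK for ICS import, a one-line note in the cluster `description` saying so would at least tell consumers what to expect.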


@ -0,0 +1,453 @@
{
"authors": [
"MITRE"
],
"category": "tool",
"description": "Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.",
"name": "Software",
"source": "https://collaborate.mitre.org/attackics/index.php/Software",
"type": "mitre-ics-software",
"uuid": "7d259f36-6e80-472e-9a42-9d4a83519825",
"values": [
{
"description": "ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.",
"meta": {
"Techniques Used": [
"Theft of Operational Information - ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811"
],
"refs": []
},
"uuid": "73f55487-1e11-4cec-b57f-4cabe4633928",
"value": "ACAD/Medre.A"
},
{
"description": "Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.",
"meta": {
"Associated Software Descriptions": [
"Backdoor.Oldrea",
"Havex"
],
"Groups": [
"Dragonfly https://collaborate.mitre.org/attackics/index.php/Group/G0002"
],
"Techniques Used": [
"Role Identification - The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Control Device Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Remote System Discovery - The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Location Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Denial of Service - The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Supply Chain Compromise - The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"Spearphishing Attachment - The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Automated Collection - Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"User Execution - Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id https://collaborate.mitre.org/attackics/index.php/Technique/T861"
],
"refs": [
"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
"https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A",
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf",
"https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat",
"https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672"
]
},
"uuid": "1a2b786f-6ed2-47f6-969c-8d9c62fb8f22",
"value": "Backdoor.Oldrea, Havex"
},
{
"description": "Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.",
"meta": {
"Associated Software Descriptions": [
"Bad Rabbit",
"Diskcoder.D"
],
"Techniques Used": [
"Drive-by Compromise - Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"User Execution - Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Loss of Productivity and Revenue - Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Exploitation of Remote Services - Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - Bad Rabbit can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - Bad Rabbit can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
],
"refs": [
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://securelist.com/bad-rabbit-ransomware/82851/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
]
},
"uuid": "625cba2e-43ba-4abd-81e9-6fa78c442e6f",
"value": "Bad Rabbit, Diskcoder.D"
},
{
"description": "BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.",
"meta": {
"Associated Software Descriptions": [
"BlackEnergy 3"
],
"Techniques Used": [
"Valid Accounts - BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Standard Application Layer Protocol - BlackEnergy uses HTTP POST request to contact external command and control servers https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Spearphishing Attachment - BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865"
],
"refs": [
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
]
},
"uuid": "5ce0966c-0e03-4df7-8678-7d10781c0006",
"value": "BlackEnergy 3"
},
{
"description": "Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.",
"meta": {
"Associated Software Descriptions": [
"Conficker",
"Downadup",
"Kido"
],
"Techniques Used": [
"Loss of Availability - A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T826",
"Replication Through Removable Media - Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.2 Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Loss of Productivity and Revenue - A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production https://collaborate.mitre.org/attackics/index.php/Technique/T828"
],
"refs": [
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
]
},
"uuid": "88b08418-dbcc-457b-b28a-9deeeac26745",
"value": "Conficker"
},
{
"description": "Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.",
"meta": {
"Associated Software Descriptions": [
"Duqu"
],
"Techniques Used": [
"Theft of Operational Information - Duqus purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance https://collaborate.mitre.org/attackics/index.php/Technique/T811"
],
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
]
},
"uuid": "7bc3d4cd-786f-4913-983f-0d1fa9eb132f",
"value": "Duqu"
},
{
"description": "Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.",
"meta": {
"Associated Software Descriptions": [
"Flame",
"Flamer",
"sKyWIper"
],
"Techniques Used": [
"Theft of Operational Information - Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - Flame has built-in modules to gather information from compromised computers https://collaborate.mitre.org/attackics/index.php/Technique/T811"
],
"refs": [
"https://www.symantec.com/security-center/writeup/2012-052811-0308-99",
"https://www.welivesecurity.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx/",
"https://www.fireeye.com/blog/threat-research/2012/05/flamerskywiper-analysis.html"
]
},
"uuid": "ed2618d4-0450-4466-92c4-61b89a46960e",
"value": "Flame"
},
{
"description": "Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.1 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.",
"meta": {
"Associated Software Descriptions": [
"Industroyer",
"CRASHOVERRIDE"
],
"Groups": [
"Sandworm"
],
"Techniques Used": [
"Data Historian Compromise - In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Block Command Message - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Serial COM - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"Data Destruction - Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Masquerading - Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activate a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Network Connection Enumeration - Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Remote System Discovery - The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Control Device Identification - Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Serial Connection Enumeration - Industroyer contains modules for IEC 101 and IEC 104 communications.1 IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality.2 The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"Control Device Identification - If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Role Identification - The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Activate Firmware Update Mode - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Unauthorized Command Message - The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Brute Force I/O - The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Device Restart/Shutdown - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Denial of Service - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Activate Firmware Update Mode - The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Automated Collection - Industroyer automatically collects protocol object data to learn about control devices in the environment https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Loss of Control - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T827",
"Loss of View - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of Control - Industroyer toggles breakers to the open state utilizing unauthorized command messages https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Service Stop - Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Block Reporting Message - Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Denial of Control - Industroyer is able to block serial COM channels temporarily causing a denial of control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
"Denial of View - Industroyer is able to block serial COM channels temporarily causing a denial of view https://collaborate.mitre.org/attackics/index.php/Technique/T815",
"Command-Line Interface - The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors “execute a shell command” commands https://collaborate.mitre.org/attackics/index.php/Technique/T807",
"Manipulation of View - Industroyer's OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a “Primary Variable Out of Limits” misdirecting operators from understanding protective relay status https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Loss of Safety - Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays https://collaborate.mitre.org/attackics/index.php/Technique/T880"
],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-163A",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"
]
},
"uuid": "d13b0ff8-9125-4990-8ec1-94782b4e22df",
"value": "Industroyer"
},
{
"description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable.",
"meta": {
"Associated Software Descriptions": [
"KillDisk"
],
"Techniques Used": [
"Loss of View - KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Data Destruction - KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Indicator Removal on Host - KillDisk deletes application, security, setup, and system event logs from Windows systems https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Service Stop - KillDisk looks for and terminates two non-standard processes, one of which is an ICS application https://collaborate.mitre.org/attackics/index.php/Technique/T881"
],
"refs": [
"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
]
},
"uuid": "df960d5e-481a-47fe-8577-427057553a1b",
"value": "KillDisk"
},
{
"description": "LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.",
"meta": {
"Associated Software Descriptions": [
"LockerGoga"
],
"Techniques Used": [
"Loss of Productivity and Revenue - While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Loss of View - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Loss of Control - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T827"
],
"refs": [
"https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/",
"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
]
},
"uuid": "6187b975-7d80-4eb3-9c5a-89d07f2e3512",
"value": "LockerGoga"
},
{
"description": "NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.",
"meta": {
"Associated Software Descriptions": [
"NotPetya"
],
"Groups": [
"Sandworm"
],
"Techniques Used": [
"Exploitation of Remote Services - NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - NotPetya can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - NotPetya can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Loss of Productivity and Revenue - NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines https://collaborate.mitre.org/attackics/index.php/Technique/T828"
],
"refs": [
"https://attack.mitre.org/software/S0368/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
"https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war"
]
},
"uuid": "564c7c31-234f-4427-aab7-80d40183a1e9",
"value": "NotPetya"
},
{
"description": "PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.",
"meta": {
"Associated Software Descriptions": [
"PLC-Blaster"
],
"Techniques Used": [
"Remote System Discovery - PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Control Device Identification - The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Program Organization Units - PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Manipulate I/O Image - PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Execution through API - PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Change Program State - After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Denial of Service - The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS https://collaborate.mitre.org/attackics/index.php/Technique/T814"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
]
},
"uuid": "f0db07ce-a13b-4c6e-9ba5-fe2be3080ace",
"value": "PLC-Blaster"
},
{
"description": "Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.",
"meta": {
"Associated Software Descriptions": [
"Ryuk"
],
"Techniques Used": [
"Loss of Productivity and Revenue - An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open https://collaborate.mitre.org/attackics/index.php/Technique/T828"
],
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
]
},
"uuid": "707075af-cabd-404d-8eb9-7c1ba063ac88",
"value": "Ryuk"
},
{
"description": "Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.",
"meta": {
"Associated Software Descriptions": [
"Stuxnet"
],
"Techniques Used": [
"Remote System Discovery - Stuxnet scanned the network to identify the Siemens PLCs that it was targeting https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Rootkit - One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Manipulate I/O Image - When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Control Device Identification - The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"I/O Module Discovery - Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Network Sniffing - DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of the thread is to monitor each S7-315 on the bus. The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Monitor Process State - Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Modify Parameter - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Manipulation of Control - Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Program Download - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organization Units - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Project File Infection - Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Hooking - Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files https://collaborate.mitre.org/attackics/index.php/Technique/T874",
"Unauthorized Command Message - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Change Program State - Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"I/O Image - Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"Rootkit - When the peripheral output is written to, sequence C of Stuxnet intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Masquerading - Stuxnet renames a dll responsible for handling communications with a PLC. It replaces the original .dll file with its own version that allows it to intercept any calls that are made to access the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Execution through API - Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Standard Application Layer Protocol - Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Commonly Used Port - Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Replication Through Removable Media - Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.1 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Man in the Middle - Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. STUXNET effectively creates a man in the middle attack with the input and output signals and control logic https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Program Upload - Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Manipulation of View - Stuxnet manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Engineering Workstation Compromise - Stuxnet utilized an engineering workstation as the initial access point for PLC devices https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Damage to Property - Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them https://collaborate.mitre.org/attackics/index.php/Technique/T879"
],
"refs": [
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://www.symantec.com/security-center/writeup/2010-071400-3123-99",
"https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B",
"https://scadahacker.com/resources/stuxnet-mitigation.html",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
]
},
"uuid": "119f4adc-b15c-48e0-8208-dae63673bb46",
"value": "Stuxnet"
},
{
"description": "Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers",
"meta": {
"Associated Software Descriptions": [
"Triton",
"TRISIS",
"Hatman"
],
"Groups": [
"XENOTIME"
],
"Techniques Used": [
"Utilize/Change Operating Mode - Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in program mode during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Unauthorized Command Message - Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Masquerading - The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Control Logic - Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist.1 The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Scripting - In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Remote System Discovery - Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"System Firmware - The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Scripting - A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Exploitation for Evasion - Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code 384. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory.910 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Control Device Identification - The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Engineering Workstation Compromise - The Triton malware gained remote access to an SIS engineering workstation https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Loss of Safety - Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard https://collaborate.mitre.org/attackics/index.php/Technique/T880",
"Program Download - Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"ndicator Removal on Host - Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Commonly Used Port - Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Execution through API - Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Detect Program State - Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"Detect Operating Mode - Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Change Program State - Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed https://collaborate.mitre.org/attackics/index.php/Technique/T875"
],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
"https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s",
"https://www.youtube.com/watch?v=XwSJ8hloGvY",
"https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
"https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02",
"https://nvd.nist.gov/vuln/detail/CVE-2018-8872",
"https://cwe.mitre.org/data/definitions/119.html",
"https://www.nrc.gov/docs/ML1209/ML120900890.pdf",
"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
]
},
"uuid": "e98dca35-5141-4b6c-87e1-9ee36a92d54e",
"value": "Triton"
},
{
"description": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols",
"meta": {
"Associated Software Descriptions": [
"VPNFilter"
],
"Techniques Used": [
"Network Sniffing - The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Control Device Identification - The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs on IPs and ports, but not the packet contents on port 502 (Modbus traffic). It does not validate the traffic as Modbus https://collaborate.mitre.org/attackics/index.php/Technique/T808"
],
"refs": [
"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html",
"https://www.youtube.com/watch?v=yuZazP22rpI"
]
},
"uuid": "cea7e5ff-cfde-4856-9829-acd7166cd1f9",
"value": "VPNFilter"
},
{
"description": "WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.",
"meta": {
"Associated Software Descriptions": [
"WannaCry"
],
"Groups": [
"Lazarus group"
],
"Techniques Used": [
"Exploitation of Remote Services - WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - WannaCry can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - WannaCry can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
],
"refs": [
"https://attack.mitre.org/software/S0366/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
]
},
"uuid": "2901adef-0da6-4c1e-854b-b4e4e0d8e15a",
"value": "WannaCry"
}
],
"version": 1
}


@ -0,0 +1,278 @@
{
"authors": [
"MITRE"
],
"category": "tactic",
"description": "A list of all 11 tactics in ATT&CK for ICS",
"name": "Tactics",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Tactics",
"type": "mitre-ics-tactics",
"uuid": "ae92140f-7816-45b6-aa7c-9ff3e8536f10",
"values": [
{
"description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversarys objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other refs may also be at risk and exposed on the internet or otherwise publicly accessible.",
"meta": {
"Techniques in this Tactics Category": [
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-293A"
]
},
"uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
"value": "Collection"
},
{
"description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victims network structure and defenses.",
"meta": {
"Techniques in this Tactics Category": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Connection Proxy https://collaborate.mitre.org/attackics/index.php/Technique/T884",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1090"
]
},
"uuid": "4fd3b7b1-6d05-4cab-8182-6ea52ecbde63",
"value": "Command and Control"
},
{
"description": "The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.",
"meta": {
"Techniques in this Tactics Category": [
"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1049",
"https://attack.mitre.org/wiki/Technique/T1040",
"https://attack.mitre.org/wiki/Technique/T1018"
]
},
"uuid": "021d9d90-a792-4b84-a9f8-892b11c7db55",
"value": "Discovery"
},
{
"description": "The adversary is trying to avoid being detected.Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses. ",
"meta": {
"Techniques in this Tactics Category": [
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Indicator Removal on Host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://attack.mitre.org/wiki/Technique/T1014",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
]
},
"uuid": "099fdd9a-8894-4599-8e7f-59e82e285df6",
"value": "Evasion"
},
{
"description": "The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.",
"meta": {
"Techniques in this Tactics Category": [
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Command-Line Interface https://collaborate.mitre.org/attackics/index.php/Technique/T807",
"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1059",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf",
"https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051",
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=",
"http://www.plcdev.com/book/export/html/373",
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
"https://www.f-secure.com/weblog/archives/00002718.html"
]
},
"uuid": "7779ec85-b841-44b8-9c5e-9c9d670a3938",
"value": "Execution"
},
{
"description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversarys goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.",
"meta": {
"Techniques in this Tactics Category": [
"Damage to Property https://collaborate.mitre.org/attackics/index.php/Technique/T879",
"Denial of Control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
"Denial of View https://collaborate.mitre.org/attackics/index.php/Technique/T815",
"Loss of Availability https://collaborate.mitre.org/attackics/index.php/Technique/T826",
"Loss of Control https://collaborate.mitre.org/attackics/index.php/Technique/T827",
"Loss of Productivity and Revenue https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Loss of Safety https://collaborate.mitre.org/attackics/index.php/Technique/T880",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of Control https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Theft of Operational Information https://collaborate.mitre.org/attackics/index.php/Technique/T882"
],
"refs": [
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
]
},
"uuid": "40c9594e-ae8b-48f1-8e11-0e08ead4d44b",
"value": "Impact"
},
{
"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
"meta": {
"Techniques in this Tactics Category": [
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Unauthorized Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855"
],
"refs": [
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices",
"https://attack.mitre.org/techniques/T1489/",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf"
]
},
"uuid": "aa3913db-52ce-4856-b0db-fce6af13e4d6",
"value": "Impair Process Control"
},
{
"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
"meta": {
"Techniques in this Tactics Category": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://attack.mitre.org/wiki/Technique/T1107",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A",
"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01",
"http://cwe.mitre.org/data/definitions/400.html",
"https://nvd.nist.gov/vuln/detail/CVE-2015-5374",
"https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://attack.mitre.org/wiki/Technique/T1014",
"http://www.sciencedirect.com/science/article/pii/S1874548213000231"
]
},
"uuid": "35bf4454-d73b-43ff-8a38-85342f595009",
"value": "Inhibit Response Function"
},
{
"description": "The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations. ",
"meta": {
"Techniques in this Tactics Category": [
"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Drive-by Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Exploit Public-Facing Application https://collaborate.mitre.org/attackics/index.php/Technique/T819",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Internet Accessible Device https://collaborate.mitre.org/attackics/index.php/Technique/T883",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Supply Chain Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"Wireless Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T860"
],
"refs": [
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.us-cert.gov/ncas/alerts/TA18-074A",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://attack.mitre.org/wiki/Technique/T1133",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/",
"https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.kkw-gundremmingen.de/presse.php?id=571",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant",
"https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS",
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
"https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant",
"https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/",
"https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/",
"https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298",
"https://www.bbc.com/news/technology-36158606",
"https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/",
"https://attack.mitre.org/techniques/T1193/",
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf",
"https://www.slideshare.net/dgpeters/17-bolshev-1-13",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"
]
},
"uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
"value": "Innitial Access"
}
],
"version": 1
}
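Review bot: The `Inhibit Response Function` entry (uuid 35bf4454-…) carries the `Impair Process Control` description verbatim — the text starting `The adversary is trying to manipulate, disable, or damage physical control processes.` appears under both uuids aa3913db-… and 35bf4454-… — so anyone resolving that tactic gets the wrong definition for its techniques; it should be replaced with the Inhibit Response Function text from the source page. The last entry's `value` is misspelled as `Innitial Access`; tag names for this cluster are presumably derived from `value`, so fixing it after release would break correlation with events already tagged, and it should read `"value": "Initial Access"` now. The cluster `description` says `A list of all 11 tactics in ATT&CK for ICS` but only nine entries are present (Lateral Movement, which the Discovery description refers to, is absent), so either the missing tactics should be added or the count corrected. `determinantal` in the Impair Process Control description should be `detrimental`.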



@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Assets",
"icon": "certificate",
"name": "Assets",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-assets",
"uuid": "86b19468-784e-4ec9-9af9-f069aa4cf70d",
"version": 1
}


@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Groups",
"icon": "skull-crossbones",
"name": "Groups",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-groups",
"uuid": "abb28bd9-fa79-4815-b5b3-fb138f433e55",
"version": 1
}


@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Levels",
"icon": "layer-group",
"name": "Levels",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-levels",
"uuid": "34d60262-0e7d-4c91-859b-de1fa9c54ae7",
"version": 1
}


@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Software",
"icon": "file-code",
"name": "Software",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-software",
"uuid": "9443a27f-f8b0-4bc7-ba88-7c023d727932",
"version": 1
}


@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Tactics",
"icon": "chess-pawn",
"name": "Tactics",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-tactics",
"uuid": "e521606c-3c66-4621-9040-6f0f792fc999",
"version": 1
}


@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Techniques",
"icon": "user-ninja",
"name": "Techniques",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-techniques",
"uuid": "99261a7e-2270-40eb-823f-834cc1ad3159",
"version": 1
}


@ -1,9 +0,0 @@
{
"description": "ATT&CK for ICS Groups",
"icon": "skull-crossbones",
"name": "Groups",
"namespace": "mitre-attack-for-ics",
"type": "mitre-ics-groups",
"uuid": "abb28bd9-fa79-4815-b5b3-fb138f433e55",
"version": 1
}


@ -1,298 +0,0 @@
{
"author": [
"Tony Williams"
],
"category": "Assets",
"description": "A list of asset categories that are commonly found in industrial control systems.",
"name": "Assets",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Assets",
"type": "mitre-ics-assets",
"uuid": "0594fbc2-6267-479b-85a3-c4be8e044454",
"values": [
{
"description": "A device which acts as both a server and controller, that hosts the control software used in communicating with lower-level control devices in an ICS network (e.g. Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)).",
"meta": {
"References": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
],
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"A control server may also be referred to with these terms in a SCADA system: MTU, supervisory controller, or SCADA server."
],
"Techniques That Apply": [
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801 ",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
]
},
"uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
"value": "Control Server"
},
{
"description": "A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.",
"meta": {
"references": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
],
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Techniques That Apply": [
"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
]
},
"uuid": "da06d4aa-2471-4582-aadf-e1653dd6575c",
"value": "Data Historian"
},
{
"description": "The engineering workstation is usually a high-end very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, high speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications.",
"meta": {
"referencess": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
],
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0 ",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"Many engineering workstations are laptops. Because of their mobile nature, lack of desktop standard, and frequent connection to control system devices and network, engineering workstations can serve as entry points for attacks."
],
"Techniques That Apply": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Hooking https://collaborate.mitre.org/attackics/index.php/Technique/T874 ",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
]
},
"uuid": "b34cba3b-4294-4149-b119-214fadef0d01",
"value": "Engineering Workstation"
},
{
"description": "Controller terminology depends on the type of system they are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), are computerized control units that are typically rack or panel mounted with modular processing and interface cards. The units are collocated with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most utilize a programmable logic-based application that provides scanning and writing of data to and from the IO interface modules and communicates with the control system network via various communications methods, including serial and network communications",
"meta": {
"referencess": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
],
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
],
"Notes": [
"Typically programmed in an IEC 61131 programming language, a PLC is designed for real time use in rugged, industrial environments. Connected to sensors and actuators, PLCs are categorized by the number and type of I/O ports they provide and by their I/O scan rate. \nAn RTU is a special purpose field device that supports SCADA remote stations with both wired and wireless communication capabilities, in order to communicate with the supervisory controller. Wireless radio is leveraged in remote situations where wired communications are not available; typically with field equipment. This role may also be fulfilled by PLCs with radio communication capabilities. The PLC may still be referred to as an RTU in this case."
],
"Techniques That Apply": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805 ",
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838 ",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organisational Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Unauthorised Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
]
},
"uuid": "1de9f3b2-07fc-4614-b07f-d5468e51770a",
"value": "Field Controller/RTU/PLC/IED"
},
{
"description": "In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common: \nGraphical user interfaces(GUI) accept input via devices such as computer keyboard and mouse and provide articulated graphical output on the computer monitor. \nWeb-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program. The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI). \nThe system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.",
"meta": {
"referencess": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx"
],
"Levels": [
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"In many cases, these involve video screens or computer terminals, push buttons, auditory feedback, flashing lights, etc. The human-machine interface provides means of: \nInput - allowing the users to control the machine \nOutput - allowing the machine to inform the users"
],
"Techniques That Apply": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Exploit of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
"Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Point and Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
]
},
"uuid": "3894cc68-79e0-4673-8548-c6e1b57a93e2",
"value": "Human-Machine Interface"
},
{
"description": "The Input/Output (I/O) server provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The I/O server, sometimes referred to as a Front-End Processor (FEP) or Data Acquisition Server (DAS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The I/O server also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.",
"meta": {
"referencess": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
],
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Techniques That Apply": [
"Blocking Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
]
},
"uuid": "c98dda59-afe3-4154-b672-96f18cb5991b",
"value": "Input/Output Server"
},
{
"description": "A safety instrumented system (SIS) takes automated action to keep a plant in a safe state, or to put it into a safe state, when abnormal conditions are present. The SIS may implement a single function or multiple functions to protect against various process hazards in your plant. The function of protective relaying is to cause the prompt removal from service of an element of a power system when it suffers a short circuit or when it starts to operate in any abnormal manner that might cause damage or otherwise interfere with the effective operation of the rest of the system.",
"meta": {
"referencess": [
"http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf",
"http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf"
],
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
],
"Techniques That Apply": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885 ",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839 ",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organisation Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "
]
},
"uuid": "01ce6089-11cb-422f-ab05-ffe61ee4b21c",
"value": "Safety Instrumented System/Protection Relay"
}
],
"version": 1
}


@ -1,10 +0,0 @@
{
"description": "ATT&CK for ICS Assets",
"icon": "certificate",
"name": "Assets",
"namespace": "mitre-attack-for-ics",
"type": "mitre-ics-assets",
"uuid": "86b19468-784e-4ec9-9af9-f069aa4cf70d",
"version": 1
}


@ -1,270 +0,0 @@
{
"author": [
"Tony Williams"
],
"category": "Groups",
"description": "Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.",
"name": "Groups",
"source": "https://collaborate.mitre.org/attackics/index.php/Groups",
"type": "mitre-ics-groups",
"uuid": "8fb1c036-8904-4d4b-82d5-0286da77eb7e",
"values": [
{
"description": "ALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITEs technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.",
"meta": {
"Associated Group Descriptions": [
"ALLANITE",
"Palmetto Fusion"
],
"Techniques Used": [
"Screen Capture - ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Drive-by Compromise - ALLANITE leverages watering hole attacks to gain access into electric utilities https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - ALLANITE utilized credentials collected through phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Spearphishing Attachment - ALLANITE utilized spear phishing to gain access into energy sector environments"
],
"References": [
"https://dragos.com/resource/allanite/",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk",
"https://www.eisac.com/public-news-detail?id=115909"
]
},
"uuid": "fd28d200-2f1f-464a-af1f-fcadac7640a1",
"value": "ALLANITE"
},
{
"description": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.",
"meta": {
"Associated Group Descriptions": [
"APT33 - Fireeye noted a potential link between APT33 and Shamoon based on similar dropper malware DROPSHOT",
"Elfin - Symantec mentioned a potential link between Elfin and Shamoon based on such close occurances of the attacks within a particular organization",
"MAGNALLIUM"
],
"Techniques Used": [
"Spearphishing Attachment - APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.2 APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Scripting - APT33 utilized PowerShell scripts to establish command and control and install files for execution https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Screen Capture - APT33 utilize backdoors capable of capturing screenshots once installed on a system https://collaborate.mitre.org/attackics/index.php/Technique/T852"
],
"References": [
"https://attack.mitre.org/groups/G0064/",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://dragos.com/resource/magnallium/",
"https://www.wired.com/story/iran-hackers-us-phishing-tensions/",
"https://www.symantec.com/security-center/writeup/2017-030708-4403-99"
]
},
"uuid": "8f6f8a49-8a22-4494-a4c0-5a341444339a",
"value": "APT33"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.",
"meta": {
"Associated Group Descriptions": [
"Dragonfly",
"Energetic Bear"
],
"Techniques Used": [
"Screen Capture - Dragonfly has been reported to take screenshots of the GUI for ICS equipment, such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Spearphishing Attachment - Dragonfly sent pdf documents over email which contained links to malicious sites and downloads https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Drive-by Compromise - Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - Dragonfly leveraged compromised user credentials to access the targets networks and download tools from a remote server https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Commonly Used Port - Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138 https://collaborate.mitre.org/attackics/index.php/Technique/T885"
],
"Software": [
"Backdoor.Oldrea"
],
"References": [
"https://attack.mitre.org/groups/G0035/",
"https://dragos.com/resource/dymalloy/",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
},
"uuid": "9b4143ce-253c-45c4-a160-0d0a7450aace",
"value": "Dragonfly"
},
{
"description": "Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0's initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.",
"meta": {
"Associated Group Descriptions": [
"Dragonfly 2.0",
"Beserk Bear",
"DYMALLOY"
],
"Techniques Used": [
"Spearphishing Attachment - Dragonfly 2.0 used the Phishery tool kit to conduct spear phishing attacks and gather credentials.14 Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in the North America https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Supply Chain Compromise - Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard windows applications https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"https://collaborate.mitre.org/attackics/index.php/Technique/T817 https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"References": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
"https://fortune.com/2017/09/06/hack-energy-grid-symantec/",
"https://dragos.com/resource/dymalloy/",
"https://blog.talosintelligence.com/2017/07/template-injection.html",
"https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf",
"https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf"
]
},
"uuid": "790c3072-49d1-4c4f-8fd0-dc3db50887c1",
"value": "Dragonfly 2.0"
},
{
"description": "HEXANE is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. HEXANE's targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.",
"meta": {
"Associated Group Descriptions": [
"HEXANE",
"Lyceum"
],
"Techniques Used": [
"Spearphishing Attachment - HEXANE has used malicious documents to drop malware and gain access into an environment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol - HEXANE communicated with command and control over HTTP and DNS https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts - HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Man in the Middle - HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Scripting - HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools https://collaborate.mitre.org/attackics/index.php/Technique/T853"
],
"References": [
"https://dragos.com/resource/hexane/",
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms",
"https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003"
]
},
"uuid": "a529ddda-9a44-4a0f-912e-4681f442b488",
"value": "HEXANE"
},
{
"description": "Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017.3 While WannaCry was not an ICS focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
"meta": {
"Associated Group Descriptions": [
"Lazarus group",
"COVELLITE",
"HIDDEN COBRA",
"ZINC",
"Guardians of Peace"
],
"Techniques Used": [
"Spearphishing Attachment - Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company https://collaborate.mitre.org/attackics/index.php/Technique/T865"
],
"Software": [
"WannaCry"
],
"References": [
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"https://dragos.com/resource/covellite/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/",
"https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos",
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
]
},
"uuid": "3bbf3f0f-346d-49ad-9300-3bb0f23c83ef",
"value": "Lazarus group"
},
{
"description": "Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities and initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS specific or destructive capabilities.",
"meta": {
"Associated Group Descriptions": [
"Leafminer",
"RASPITE"
],
"References": [
"https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
"https://dragos.com/resource/raspite/"
]
},
"uuid": "956a44f1-0d5c-4f3c-a9a7-16f96f9656e4",
"value": "Leafminer"
},
{
"description": "OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors as well as petrochemical, oil & gas. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco. ",
"meta": {
"Associated Group Descriptions": [
"OilRig",
"CHRYSENE",
"Greenbug",
"APT 34"
],
"Techniques Used": [
"Spearphishing Attachment - OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Scripting - OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Standard Application Layer Protocol - OilRig communicated with its command and control using HTTP requests https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Drive-by Compromise - OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - OilRig utilized stolen credentials to gain access to victim machines https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"References": [
"https://www.fireeye.com/current-threats/apt-groups.html#apt34",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
"https://dragos.com/resource/chrysene/",
"https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"
]
},
"uuid": "4945c0e7-9f4b-404d-83b2-e5cd3f26c32f",
"value": "OilRig"
},
{
"description": "Sandworm is a threat group associated with the Kiev, Ukraine electrical transmission substation attacks which resulted in the impact of electric grid operations on December 17th, 2016. Sandworm has been cited as the authors of the Industroyer malware which was used in the 2016 Ukraine attacks.",
"meta": {
"Associated Group Descriptions": [
"Sandworm",
"ELECTRUM"
],
"Techniques Used": [
"Internet Accessible Device - Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet https://collaborate.mitre.org/attackics/index.php/Technique/T883",
"Valid Accounts - Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"Software": [
"Industroyer",
"Notpetya"
],
"References": [
"https://dragos.com/resource/electrum/",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
"https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/"
]
},
"uuid": "b4fbf3b0-1a5e-4bdc-8977-74fff1db19ff",
"value": "Sandworm"
},
{
"description": "XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. Xenotime has previously targeted oil & gas, as well as electric sectors within the Middle east, Europe, and North America. Xenotime has also been reported to target ICS vendors, manufacturers, and organizations in the middle east. This group is one of the few with reported destructive capabilities.",
"meta": {
"Associated Group Descriptions": [
"XENOTIME",
"TEMP.Veles - Fireeye attributes with high confidence that intrusion activity and Triton development was supported by a Russian government-owned technical research institution."
],
"Techniques Used": [
"Drive-by Compromise - XENOTIME utilizes watering hole websites to target industrial employees https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"External Remote Services - XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Valid Accounts - XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Supply Chain Compromise - XENOTIME targeted several ICS vendors and manufacturers https://collaborate.mitre.org/attackics/index.php/Technique/T862"
],
"Software": [
"Triton"
],
"References": [
"https://dragos.com/resource/xenotime/",
"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
"https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"
]
},
"uuid": "acb04037-e160-4a4e-a8cf-8a53a2f8221b",
"value": "XENOTIME"
}
],
"version": 1
}


@ -1,54 +0,0 @@
{
"author": [
"Tony Williams"
],
"category": "Levels",
"description": "Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.",
"name": "Levels",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Levels",
"type": "mitre-ics-levels",
"uuid": "952bcf79-eccd-45ac-9769-f61886bd0264",
"values": [
{
"description": "The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.",
"meta": {
"Related Assets": [
"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
"Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
"Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
]
},
"uuid": "614c4df5-b65f-4f3c-bb9f-b67549dfce2f",
"value": "Level 0"
},
{
"description": "The control network level includes the functions involved in sensing and manipulating physical processes. Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).",
"meta": {
"Related Assets": [
"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
"Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
"Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
"Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
]
},
"uuid": "b9b1c942-b419-4919-ba14-40b24b0fbbd5",
"value": "Level 1"
},
{
"description": "The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.",
"meta": {
"Related Assets": [
"Control Server https://collaborate.mitre.org/attackics/index.php/Control_Server",
"Data Historian https://collaborate.mitre.org/attackics/index.php/Data_Historian",
"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
"Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
"Input/Output Server https://collaborate.mitre.org/attackics/index.php/Input/Output_Server"
]
},
"uuid": "358d768d-5a97-4b1b-b185-044c1dd14357",
"value": "Level 2"
}
],
"version": 1
}


@ -1,10 +0,0 @@
{
"description": "ATT&CK for ICS Levels",
"icon": "layer-group",
"name": "Levels",
"namespace": "mitre-attack-for-ics",
"type": "mitre-ics-levels",
"uuid": "34d60262-0e7d-4c91-859b-de1fa9c54ae7",
"version": 1
}


@ -1,455 +0,0 @@
{
"author": [
"Tony Williams"
],
"category": "Software",
"description": "Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.",
"name": "Software",
"source": "https://collaborate.mitre.org/attackics/index.php/Software",
"type": "mitre-ics-software",
"uuid": "7d259f36-6e80-472e-9a42-9d4a83519825",
"values": [
{
"description": "ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.",
"meta": {
"References": [
],
"Techniques Used": [
"Theft of Operational Information - ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811"
]
},
"uuid": "73f55487-1e11-4cec-b57f-4cabe4633928",
"value": "ACAD/Medre.A"
},
{
"description": "Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.",
"meta": {
"References": [
"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
"https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A",
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf",
"https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat",
"https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672"
],
"Groups": [
"Dragonfly https://collaborate.mitre.org/attackics/index.php/Group/G0002"
],
"Associated Software Descriptions": [
"Backdoor.Oldrea",
"Havex"
],
"Techniques Used": [
"Role Identification - The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Control Device Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Remote System Discovery - The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Location Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Denial of Service - The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Supply Chain Compromise - The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"Spearphishing Attachment - The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Automated Collection - Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"User Execution - Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id https://collaborate.mitre.org/attackics/index.php/Technique/T861"
]
},
"uuid": "1a2b786f-6ed2-47f6-969c-8d9c62fb8f22",
"value": "Backdoor.Oldrea, Havex"
},
{
"description": "Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.",
"meta": {
"References": [
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://securelist.com/bad-rabbit-ransomware/82851/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
],
"Associated Software Descriptions": [
"Bad Rabbit",
"Diskcoder.D"
],
"Techniques Used": [
"Drive-by Compromise - Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"User Execution - Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Loss of Productivity and Revenue - Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Exploitation of Remote Services - Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - Bad Rabbit can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - Bad Rabbit can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
]
},
"uuid": "625cba2e-43ba-4abd-81e9-6fa78c442e6f",
"value": "Bad Rabbit, Diskcoder.D"
},
{
"description": "BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.",
"meta": {
"References": [
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
],
"Associated Software Descriptions": [
"BlackEnergy 3"
],
"Techniques Used": [
"Valid Accounts - BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Standard Application Layer Protocol - BlackEnergy uses HTTP POST request to contact external command and control servers https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Spearphishing Attachment - BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865"
]
},
"uuid": "5ce0966c-0e03-4df7-8678-7d10781c0006",
"value": "BlackEnergy 3"
},
{
"description": "Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.",
"meta": {
"References": [
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
],
"Associated Software Descriptions": [
"Conficker",
"Downadup",
"Kido"
],
"Techniques Used": [
"Loss of Availability - A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T826",
"Replication Through Removable Media - Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.2 Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Loss of Productivity and Revenue - A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production https://collaborate.mitre.org/attackics/index.php/Technique/T828"
]
},
"uuid": "88b08418-dbcc-457b-b28a-9deeeac26745",
"value": "Conficker"
},
{
"description": "Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.",
"meta": {
"References": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
],
"Associated Software Descriptions": [
"Duqu"
],
"Techniques Used": [
"Theft of Operational Information - Duqus purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance https://collaborate.mitre.org/attackics/index.php/Technique/T811"
]
},
"uuid": "7bc3d4cd-786f-4913-983f-0d1fa9eb132f",
"value": "Duqu"
},
{
"description": "Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.",
"meta": {
"References": [
"https://www.symantec.com/security-center/writeup/2012-052811-0308-99",
"https://www.welivesecurity.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx/",
"https://www.fireeye.com/blog/threat-research/2012/05/flamerskywiper-analysis.html"
],
"Associated Software Descriptions": [
"Flame",
"Flamer",
"sKyWIper"
],
"Techniques Used": [
"Theft of Operational Information - Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - Flame has built-in modules to gather information from compromised computers https://collaborate.mitre.org/attackics/index.php/Technique/T811"
]
},
"uuid": "ed2618d4-0450-4466-92c4-61b89a46960e",
"value": "Flame"
},
{
"description": "Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.1 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.",
"meta": {
"References": [
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-163A",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"
],
"Groups": [
"Sandworm"
],
"Associated Software Descriptions": [
"Industroyer",
"CRASHOVERRIDE"
],
"Techniques Used": [
"Data Historian Compromise - In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Block Command Message - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Serial COM - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"Data Destruction - Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Masquerading - Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activate a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Network Connection Enumeration - Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Remote System Discovery - The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Control Device Identification - Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Serial Connection Enumeration - Industroyer contains modules for IEC 101 and IEC 104 communications.1 IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality.2 The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"Control Device Identification - If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Role Identification - The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Activate Firmware Update Mode - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Unauthorized Command Message - The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Brute Force I/O - The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Device Restart/Shutdown - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Denial of Service - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Activate Firmware Update Mode - The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Automated Collection - Industroyer automatically collects protocol object data to learn about control devices in the environment https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Loss of Control - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T827",
"Loss of View - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of Control - Industroyer toggles breakers to the open state utilizing unauthorized command messages https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Service Stop - Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Block Reporting Message - Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Denial of Control - Industroyer is able to block serial COM channels temporarily causing a denial of control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
"Denial of View - Industroyer is able to block serial COM channels temporarily causing a denial of view https://collaborate.mitre.org/attackics/index.php/Technique/T815",
"Command-Line Interface - The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors “execute a shell command” commands https://collaborate.mitre.org/attackics/index.php/Technique/T807",
"Manipulation of View - Industroyer's OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a “Primary Variable Out of Limits” misdirecting operators from understanding protective relay status https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Loss of Safety - Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays https://collaborate.mitre.org/attackics/index.php/Technique/T880"
]
},
"uuid": "d13b0ff8-9125-4990-8ec1-94782b4e22df",
"value": "Industroyer"
},
{
"description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable.",
"meta": {
"References": [
"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
],
"Associated Software Descriptions": [
"KillDisk"
],
"Techniques Used": [
"Loss of View - KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Data Destruction - KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Indicator Removal on Host - KillDisk deletes application, security, setup, and system event logs from Windows systems https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Service Stop - KillDisk looks for and terminates two non-standard processes, one of which is an ICS application https://collaborate.mitre.org/attackics/index.php/Technique/T881"
]
},
"uuid": "df960d5e-481a-47fe-8577-427057553a1b",
"value": "KillDisk"
},
{
"description": "LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.",
"meta": {
"References": [
"https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/",
"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
],
"Associated Software Descriptions": [
"LockerGoga"
],
"Techniques Used": [
"Loss of Productivity and Revenue - While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Loss of View - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Loss of Control - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T827"
]
},
"uuid": "6187b975-7d80-4eb3-9c5a-89d07f2e3512",
"value": "LockerGoga"
},
{
"description": "NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.",
"meta": {
"References": [
"https://attack.mitre.org/software/S0368/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
"https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war"
],
"Groups": [
"Sandworm"
],
"Associated Software Descriptions": [
"NotPetya"
],
"Techniques Used": [
"Exploitation of Remote Services - NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - NotPetya can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - NotPetya can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Loss of Productivity and Revenue - NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines https://collaborate.mitre.org/attackics/index.php/Technique/T828"
]
},
"uuid": "564c7c31-234f-4427-aab7-80d40183a1e9",
"value": "NotPetya"
},
{
"description": "PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.",
"meta": {
"References": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
],
"Associated Software Descriptions": [
"PLC-Blaster"
],
"Techniques Used": [
"Remote System Discovery - PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Control Device Identification - The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Program Organization Units - PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Manipulate I/O Image - PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Execution through API - PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Change Program State - After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Denial of Service - The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS https://collaborate.mitre.org/attackics/index.php/Technique/T814"
]
},
"uuid": "f0db07ce-a13b-4c6e-9ba5-fe2be3080ace",
"value": "PLC-Blaster"
},
{
"description": "Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.",
"meta": {
"References": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
],
"Associated Software Descriptions": [
"Ryuk"
],
"Techniques Used": [
"Loss of Productivity and Revenue - An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open https://collaborate.mitre.org/attackics/index.php/Technique/T828"
]
},
"uuid": "707075af-cabd-404d-8eb9-7c1ba063ac88",
"value": "Ryuk"
},
{
"description": "Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.",
"meta": {
"References": [
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://www.symantec.com/security-center/writeup/2010-071400-3123-99",
"https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B",
"https://scadahacker.com/resources/stuxnet-mitigation.html",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
],
"Associated Software Descriptions": [
"Stuxnet"
],
"Techniques Used": [
"Remote System Discovery - Stuxnet scanned the network to identify the Siemens PLCs that it was targeting https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Rootkit - One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Manipulate I/O Image - When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Control Device Identification - The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"I/O Module Discovery - Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Network Sniffing - DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of the thread is to monitor each S7-315 on the bus. The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Monitor Process State - Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Modify Parameter - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Manipulation of Control - Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Program Download - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organization Units - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Project File Infection - Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Hooking - Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files https://collaborate.mitre.org/attackics/index.php/Technique/T874",
"Unauthorized Command Message - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Change Program State - Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"I/O Image - Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"Rootkit - When the peripheral output is written to, sequence C of Stuxnet intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Masquerading - Stuxnet renames a dll responsible for handling communications with a PLC. It replaces the original .dll file with its own version that allows it to intercept any calls that are made to access the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Execution through API - Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Standard Application Layer Protocol - Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Commonly Used Port - Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Replication Through Removable Media - Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.1 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Man in the Middle - Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. STUXNET effectively creates a man in the middle attack with the input and output signals and control logic https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Program Upload - Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Manipulation of View - Stuxnet manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Engineering Workstation Compromise - Stuxnet utilized an engineering workstation as the initial access point for PLC devices https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Damage to Property - Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them https://collaborate.mitre.org/attackics/index.php/Technique/T879"
]
},
"uuid": "119f4adc-b15c-48e0-8208-dae63673bb46",
"value": "Stuxnet"
},
{
"description": "Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers",
"meta": {
"References": [
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
"https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s",
"https://www.youtube.com/watch?v=XwSJ8hloGvY",
"https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
"https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02",
"https://nvd.nist.gov/vuln/detail/CVE-2018-8872",
"https://cwe.mitre.org/data/definitions/119.html",
"https://www.nrc.gov/docs/ML1209/ML120900890.pdf",
"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
],
"Groups": [
"XENOTIME"
],
"Associated Software Descriptions": [
"Triton",
"TRISIS",
"Hatman"
],
"Techniques Used": [
"Utilize/Change Operating Mode - Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in program mode during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Unauthorized Command Message - Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Masquerading - The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Control Logic - Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist.1 The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Scripting - In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Remote System Discovery - Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"System Firmware - The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Scripting - A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Exploitation for Evasion - Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code 384. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory.910 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Control Device Identification - The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Engineering Workstation Compromise - The Triton malware gained remote access to an SIS engineering workstation https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Loss of Safety - Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard https://collaborate.mitre.org/attackics/index.php/Technique/T880",
"Program Download - Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"ndicator Removal on Host - Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Commonly Used Port - Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Execution through API - Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Detect Program State - Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"Detect Operating Mode - Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Change Program State - Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed https://collaborate.mitre.org/attackics/index.php/Technique/T875"
]
},
"uuid": "e98dca35-5141-4b6c-87e1-9ee36a92d54e",
"value": "Triton"
},
{
"description": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols",
"meta": {
"References": [
"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html",
"https://www.youtube.com/watch?v=yuZazP22rpI"
],
"Associated Software Descriptions": [
"VPNFilter"
],
"Techniques Used": [
"Network Sniffing - The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Control Device Identification - The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs on IPs and ports, but not the packet contents on port 502 (Modbus traffic). It does not validate the traffic as Modbus https://collaborate.mitre.org/attackics/index.php/Technique/T808"
]
},
"uuid": "cea7e5ff-cfde-4856-9829-acd7166cd1f9",
"value": "VPNFilter"
},
{
"description": "WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.",
"meta": {
"References": [
"https://attack.mitre.org/software/S0366/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
],
"Groups": [
"Lazarus group"
],
"Associated Software Descriptions": [
"WannaCry"
],
"Techniques Used": [
"Exploitation of Remote Services - WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - WannaCry can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - WannaCry can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
]
},
"uuid": "2901adef-0da6-4c1e-854b-b4e4e0d8e15a",
"value": "WannaCry"
}
],
"version": 1
}


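--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ /dev/null
@@ -1,9 +0,0 @@
-{
-"description": "ATT&CK for ICS Software",
-"icon": "file-code",
-"name": "Software",
-"namespace": "mitre-attack-for-ics",
-"type": "mitre-ics-software",
-"uuid": "9443a27f-f8b0-4bc7-ba88-7c023d727932",
-"version": 1
-}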


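--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,278 +0,0 @@
-{
-"author": [
-"Tony Williams"
-],
-"category": "Tactics",
-"description": "A list of all 11 tactics in ATT&CK for ICS",
-"name": "Tactics",
-"source": "https://collaborate.mitre.org/attackics/index.php/All_Tactics",
-"type": "mitre-ics-tactics",
-"uuid": "ae92140f-7816-45b6-aa7c-9ff3e8536f10",
-"values": [
-{
-"description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversarys objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.",
-"meta": {
-"References": [
-"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf",
-"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
-"http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf",
-"https://www.us-cert.gov/ncas/alerts/TA17-293A"
-],
-"Techniques in this Tactics Category": [
-"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
-"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
-"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
-"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
-"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
-"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
-"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
-"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
-"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
-"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
-"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852"
-]
-},
-"uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
-"value": "Collection"
-},
-{
-"description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victims network structure and defenses.",
-"meta": {
-"References": [
-"https://attack.mitre.org/wiki/Technique/T1090"
-],
-"Techniques in this Tactics Category": [
-"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
-"Connection Proxy https://collaborate.mitre.org/attackics/index.php/Technique/T884",
-"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869"
-]
-},
-"uuid": "4fd3b7b1-6d05-4cab-8182-6ea52ecbde63",
-"value": "Command and Control"
-},
-{
-"description": "The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.",
-"meta": {
-"References": [
-"https://attack.mitre.org/wiki/Technique/T1049",
-"https://attack.mitre.org/wiki/Technique/T1040",
-"https://attack.mitre.org/wiki/Technique/T1018"
-],
-"Techniques in this Tactics Category": [
-"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
-"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
-"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
-"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
-"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
-"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
-"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854"
-]
-},
-"uuid": "021d9d90-a792-4b84-a9f8-892b11c7db55",
-"value": "Discovery"
-},
-{
-"description": "The adversary is trying to avoid being detected.Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses. ",
-"meta": {
-"References": [
-"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
-"https://attack.mitre.org/wiki/Technique/T1014",
-"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
-],
-"Techniques in this Tactics Category": [
-"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
-"Indicator Removal on Host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
-"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
-"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
-"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
-"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
-"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
-]
-},
-"uuid": "099fdd9a-8894-4599-8e7f-59e82e285df6",
-"value": "Evasion"
-},
-{
-"description": "The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.",
-"meta": {
-"References": [
-"https://attack.mitre.org/wiki/Technique/T1059",
-"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
-"https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095",
-"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
-"http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf",
-"https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051",
-"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
-"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
-"https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=",
-"http://www.plcdev.com/book/export/html/373",
-"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
-"https://www.f-secure.com/weblog/archives/00002718.html"
-],
-"Techniques in this Tactics Category": [
-"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
-"Command-Line Interface https://collaborate.mitre.org/attackics/index.php/Technique/T807",
-"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
-"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
-"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
-"Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
-"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
-"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
-"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863"
-]
-},
-"uuid": "7779ec85-b841-44b8-9c5e-9c9d670a3938",
-"value": "Execution"
-},
-{
-"description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversarys goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.",
-"meta": {
-"References": [
-"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
-"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
-"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
-"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
-"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
-"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
-"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
-"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
-"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
-"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
-],
-"Techniques in this Tactics Category": [
-"Damage to Property https://collaborate.mitre.org/attackics/index.php/Technique/T879",
-"Denial of Control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
-"Denial of View https://collaborate.mitre.org/attackics/index.php/Technique/T815",
-"Loss of Availability https://collaborate.mitre.org/attackics/index.php/Technique/T826",
-"Loss of Control https://collaborate.mitre.org/attackics/index.php/Technique/T827",
-"Loss of Productivity and Revenue https://collaborate.mitre.org/attackics/index.php/Technique/T828",
-"Loss of Safety https://collaborate.mitre.org/attackics/index.php/Technique/T880",
-"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
-"Manipulation of Control https://collaborate.mitre.org/attackics/index.php/Technique/T831",
-"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
-"Theft of Operational Information https://collaborate.mitre.org/attackics/index.php/Technique/T882"
-]
-},
-"uuid": "40c9594e-ae8b-48f1-8e11-0e08ead4d44b",
-"value": "Impact"
-},
-{
-"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
-"meta": {
-"References": [
-"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
-"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
-"https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices",
-"https://attack.mitre.org/techniques/T1489/",
-"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
-"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf"
-],
-"Techniques in this Tactics Category": [
-"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
-"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
-"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
-"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
-"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
-"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
-"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
-"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
-"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
-"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
-"Unauthorized Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855"
-]
-},
-"uuid": "aa3913db-52ce-4856-b0db-fce6af13e4d6",
-"value": "Impair Process Control"
-},
-{
-"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
-"meta": {
-"References": [
-"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
-"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf",
-"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
-"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
-"https://attack.mitre.org/wiki/Technique/T1107",
-"https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A",
-"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01",
-"http://cwe.mitre.org/data/definitions/400.html",
-"https://nvd.nist.gov/vuln/detail/CVE-2015-5374",
-"https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/",
-"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
-"https://attack.mitre.org/wiki/Technique/T1014",
-"http://www.sciencedirect.com/science/article/pii/S1874548213000231"
-],
-"Techniques in this Tactics Category": [
-"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
-"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
-"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
-"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
-"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
-"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
-"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
-"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
-"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
-"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
-"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
-"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
-"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
-"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
-"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
-]
-},
-"uuid": "35bf4454-d73b-43ff-8a38-85342f595009",
-"value": "Inhibit Response Function"
-},
-{
-"description": "The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations. ",
-"meta": {
-"References": [
-"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
-"https://www.us-cert.gov/ncas/alerts/TA18-074A",
-"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
-"https://attack.mitre.org/wiki/Technique/T1133",
-"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
-"https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/",
-"https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01",
-"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
-"https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf",
-"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
-"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
-"https://www.kkw-gundremmingen.de/presse.php?id=571",
-"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant",
-"https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS",
-"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
-"https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant",
-"https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/",
-"https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/",
-"https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298",
-"https://www.bbc.com/news/technology-36158606",
-"https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/",
-"https://attack.mitre.org/techniques/T1193/",
-"https://www.f-secure.com/weblog/archives/00002718.html",
-"https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf",
-"https://www.slideshare.net/dgpeters/17-bolshev-1-13",
-"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
-"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
-"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
-"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"
-],
-"Techniques in this Tactics Category": [
-"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
-"Drive-by Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T817",
-"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
-"Exploit Public-Facing Application https://collaborate.mitre.org/attackics/index.php/Technique/T819",
-"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
-"Internet Accessible Device https://collaborate.mitre.org/attackics/index.php/Technique/T883",
-"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
-"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
-"Supply Chain Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T862",
-"Wireless Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T860"
-]
-},
-"uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
-"value": "Innitial Access"
-}
-],
-"version": 1
-}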


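--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ /dev/null
@@ -1,10 +0,0 @@
-{
-"description": "ATT&CK for ICS Tactics",
-"icon": "chess-pawn",
-"name": "Tactics",
-"namespace": "mitre-attack-for-ics",
-"type": "mitre-ics-tactics",
-"uuid": "e521606c-3c66-4621-9040-6f0f792fc999",
-"version": 1
-}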


@ -1,958 +0,0 @@
{
"author": [
"Tony Williams"
],
"category": "Technique Matrix",
"description": "ATT&CK for ICS Technique Matrix",
"name": "Technique Matrix",
"source": "https://collaborate.mitre.org/attackics/index.php/Main_Page",
"type": "mitre-ics-technique-matrix",
"uuid": "005ffa53-9400-4231-bbf2-c49c22c2683c",
"values": [
{
"description": "T810: Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "71955277-ac75-4bfb-a268-cd496f317981",
"value": "Data Historian Compromise"
},
{
"description": "T817: Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "f12762ff-5d54-4544-8091-80d22d771799",
"value": "Drive-by Compromise"
},
{
"description": "T818: Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "697497fb-af7d-4a08-91df-405e62e14b1f",
"value": "Engineering Workstation Compromise"
},
{
"description": "T819: Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "de7f14f7-2292-428c-894e-44a13bbd86c0",
"value": "Exploit Public-Facing Application"
},
{
"description": "T822: Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "6b149ac6-c7d4-45c9-9240-90c2b6e4c4c9",
"value": "External Remote Services"
},
{
"description": "T883: Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "78d5b40d-6452-446d-8d50-5a48e633eb81",
"value": "Internet Accessible Device"
},
{
"description": "T847: Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "26d3a202-15db-447e-9681-4647d3ca5040",
"value": "Replication Through Removable Media"
},
{
"description": "T865: Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "2252992e-c1a8-4900-91cd-ada02f23c6c9",
"value": "Spearphishing Attachment"
},
{
"description": "T862: Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "123b7a01-785b-4679-9c69-828296d17ef2",
"value": "Supply Chain Compromise"
},
{
"description": "T860: Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device.12 Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "0827be38-7863-4af6-b2aa-bde01e3cb9b9",
"value": "Wireless Compromise"
},
{
"description": "T875: Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "a5de16bf-b123-4ca7-8136-7549b014abc1",
"value": "Change Program State"
},
{
"description": "T807: Adversaries may utilize command-line interfaces(CLIs)to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "a6cb2662-e099-4c35-b621-4cc047b76027",
"value": "Command-Line Interface"
},
{
"description": "T871: Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "6b3cfa9e-cbd9-48fb-91e4-75910153ce6e",
"value": "Execution through API"
},
{
"description": "T823: Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "125c702e-a49d-41d1-b8ce-7700b89a32bc",
"value": "Graphical User Interface"
},
{
"description": "T830: Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "8cef4c48-4b4b-4861-a423-0331f618f476",
"value": "Man in the Middle"
},
{
"description": "T844: Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "fe2ba1de-686d-42ab-b09f-670d31da5509",
"value": "Program Organisation Units"
},
{
"description": "T873: Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "fe4f5116-b54c-4fc9-ac32-b7a7f97d2636",
"value": "Project File Infection"
},
{
"description": "T853: Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "37895354-a93a-4ca2-85cf-403d6c1ab9a2",
"value": "Scripting"
},
{
"description": "T863: Adversaries may rely on a targeted organizations’ user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "f6e39713-2d05-46d0-89c2-b4a9da13dc03",
"value": "User Execution"
},
{
"description": "T874: Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "aa9e4783-f0b8-4838-9cbd-ca6301754004",
"value": "Hooking"
},
{
"description": "T839: Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "f004bce4-f161-468f-86dd-3a2c1c9f9945",
"value": "Module Firmware"
},
{
"description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "ef6aa7a4-ab2a-4489-ac85-304e6ce06552",
"value": "Program Download"
},
{
"description": "T873: Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "0169122e-36f5-4223-a7fe-0d9863470566",
"value": "Project File Infection"
},
{
"description": "T857: System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "3f4afa40-be02-42c9-937c-e5c1059e5a86",
"value": "System Firmware"
},
{
"description": "T859: Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "6b214211-394d-4d9c-b92f-7c77b9b4efdb",
"value": "Valid Accounts"
},
{
"description": "T820: Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "3a4c6ba2-6895-4cec-a468-a1ea41c77edd",
"value": "Exploitation for Evasion"
},
{
"description": "T872: Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "be992931-bcf0-4ad9-898a-12d78007805f",
"value": "Indicator Removal on Host"
},
{
"description": "T849: Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "eaeedd92-dbe9-4624-b6bb-1b7bf88f9c17",
"value": "Masquerading"
},
{
"description": "T848: Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "824f7bf4-15b3-4421-8aee-d93cef18abc0",
"value": "Rogue Master Device"
},
{
"description": "T851: Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "5690f110-5867-48b5-b952-9a5332ffa6af",
"value": "Rootkit"
},
{
"description": "T856: Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "cb2dd5d6-0733-4e2e-aff4-b2ae583c5958",
"value": "Spoof Reporting Message"
},
{
"description": "T858: Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "c06ce396-1a44-4d67-8674-cbbbab3c28ff",
"value": "Utilize/Change Operating Mode"
},
{
"description": "T808: Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "e54c2304-7758-4166-93cb-e9fa71072c7b",
"value": "Control Device Identification"
},
{
"description": "T824: Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "6236f6db-413b-4fd3-8788-39e062c4cd1d",
"value": "I/O Module Discovery"
},
{
"description": "T840: Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "845228e3-f859-4aa6-96cd-b23ee18b2f31",
"value": "Network Connection Enumeration"
},
{
"description": "T841: Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "0c3403ab-eb9d-4192-b70c-c87eec584a22",
"value": "Network Service Scanning"
},
{
"description": "T842: Network sniffing is the practice of using a network interface on a computer system to monitor or capture information1 regardless of whether it is the specified destination for the information.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "de476155-9fc5-4358-8900-9146e147c228",
"value": "Network Sniffing"
},
{
"description": "T846: Remote System Discovery is the process of identifying the presence of hosts on a network, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "3ac07eea-8cec-4087-824c-a69b9fa42384",
"value": "Remote System Discovery"
},
{
"description": "T854: Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "072123cb-08e9-4c7e-b47b-8fd4d76a778a",
"value": "Serial Connection Enumeration"
},
{
"description": "T812: Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "b67eb554-d305-454b-9b72-0b9082cf51bd",
"value": "Default Credentials"
},
{
"description": "T866: Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "0d9fec39-95b2-4516-a9a7-c4b48a3fa9bb",
"value": "Exploitation of Remote Services"
},
{
"description": "T822: Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "e096543e-e4c0-4eb0-acb1-df9feaae9697",
"value": "External Remote Services"
},
{
"description": "T844: Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "92ed2463-473d-4bf6-a6e7-dcbd46b32791",
"value": "Program Organization Units"
},
{
"description": "T867: Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation.1 Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "ac6e920d-9880-4fe6-b8f0-e0d0fbfd01a9",
"value": "Remote File Copy"
},
{
"description": "T859: Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "9ede0533-551d-407e-ad35-a0c325dbf5c4",
"value": "Valid Accounts"
},
{
"description": "T802: Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "4f559e96-f297-48ae-9a98-639bd63cee3f",
"value": "Automated Collection"
},
{
"description": "T811: Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "2666163e-c72e-4e13-9f81-4433beb92c93",
"value": "Data from Information Repositories"
},
{
"description": "T868: Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "d8eb72d0-879a-4f06-a220-33aafdbf075d",
"value": "Detect Operating Mode"
},
{
"description": "T877: Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "fb3f7181-f54a-4552-8aef-c205b5d9f70a",
"value": "I/O Image"
},
{
"description": "T825: Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "eb77b9b5-664a-4402-94c1-ff6e68c4a031",
"value": "Location Identification"
},
{
"description": "T801: Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "f51cac7e-e377-4d6c-8bf6-4a284e645f35",
"value": "Monitor Process State"
},
{
"description": "T861: Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "23f90d65-611f-42fc-82f9-e1117bad6481",
"value": "Point and Tag Identification"
},
{
"description": "T845: Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "fd05f928-be95-459a-add0-d03d73c1a5f2",
"value": "Program Upload"
},
{
"description": "T850: Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "05b1ad22-7971-48c1-924c-55fcae709cdd",
"value": "Role Identification"
},
{
"description": "T852: Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "86be4b62-0180-4651-a6a6-da1a45cc10df",
"value": "Screen Capture"
},
{
"description": "T885: Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports such as TCP:80(HTTP),TCP:443(HTTPS),TCP/UDP:53(DNS),TCP:1024-4999(OPC on XP/Win2k3),TCP:49152-65535(OPC on Vista and later),TCP:23(TELNET),UDP:161(SNMP),TCP:502(MODBUS),TCP:102(S7comm/ISO-TSAP),TCP:20000(DNP3),TCP:44818(Ethernet/IP).",
"meta": {
"kill_chain": [
"Technique Matrix:Command and Control"
]
},
"uuid": "01470ce5-c23b-4083-a90f-4ffde6362475",
"value": "Commonly Used Port"
},
{
"description": "T884: Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.",
"meta": {
"kill_chain": [
"Technique Matrix:Command and Control"
]
},
"uuid": "ac6c341f-94eb-42fd-a818-0463ba978f0d",
"value": "Connection Proxy"
},
{
"description": "T869: Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port.",
"meta": {
"kill_chain": [
"Technique Matrix:Command and Control"
]
},
"uuid": "19c90986-98cd-48f3-9c29-884a97787497",
"value": "Standard Application Layer Protocol"
},
{
"description": "T800: Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "723d53c8-b41b-4e36-bcbd-a0f08393f625",
"value": "Active Firmware Update Mode"
},
{
"description": "T878: Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "91c5fad4-7278-462e-a98b-6556addf8b70",
"value": "Alarm Suppression"
},
{
"description": "T803: Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "7ee52584-fb2e-407d-83bf-d26fcda17e56",
"value": "Block Command Message"
},
{
"description": "T804: Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "327c63ed-59d5-4565-be22-a75bb85e751c",
"value": "Block Reporting Message"
},
{
"description": "T805: Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "1511927c-47cc-4da6-a462-84ee206d1317",
"value": "Block Serial COM"
},
{
"description": "T809: Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "be284064-e0de-448c-860d-2e140dfde1c0",
"value": "Data Destruction"
},
{
"description": "T814: Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "b4a7de26-746e-4981-a82c-9a1139d65cdd",
"value": "Denial of Service"
},
{
"description": "T816: Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "e82dada6-7306-46c4-bbd9-e29dcf033ceb",
"value": "Device Restart/Shutdown"
},
{
"description": "T835: Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "d390887c-68af-4e4f-87b4-6d2888ce21e6",
"value": "Manipulate I/O Image"
},
{
"description": "T838: Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "f676877a-b6c4-4d58-84da-56808847270e",
"value": "Modify Alarm Settings"
},
{
"description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "4897156e-0462-45b7-8637-f222b68c6a48",
"value": "Program Download"
},
{
"description": "T851: Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "15c52f96-2396-4a8e-b183-3898378a7ccd",
"value": "Rootkit"
},
{
"description": "T857: System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "4d9b87ba-bd66-4497-b3d4-8ed476425e48",
"value": "System Firmware"
},
{
"description": "T858: Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "b24e02c6-a575-4ab8-a214-76c195e9e00a",
"value": "Utilize/Change Operating Mode"
},
{
"description": "T806: Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "ab9f5dd3-71cc-4de6-9ea9-7e5a35696888",
"value": "Brute Force I/O"
},
{
"description": "T875: Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "12bac6b2-e822-4424-afe3-90c441ef52dc",
"value": "Change Program State"
},
{
"description": "T849: Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "6fe928e8-5433-4774-b108-60c9eba75acc",
"value": "Masquerading"
},
{
"description": "T833: Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "f4050bde-112b-46f0-a02a-6661f3472efd",
"value": "Modify Control Logic"
},
{
"description": "T836: Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "6183345c-c5cf-44d8-9dc2-91f259f4ed4e",
"value": "Modify Parameter"
},
{
"description": "T839: Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "492cb581-f4a6-4393-a85a-6eb0935c95d0",
"value": "Module Firmware"
},
{
"description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "86f88e91-acdb-4702-a28a-ed10332643c6",
"value": "Program Download"
},
{
"description": "T848: Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "c5d76758-d103-4dcf-83e7-fa0818a8bdf5",
"value": "Rogue Master Device"
},
{
"description": "T881: Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "7fd8cfb0-5064-4ffb-bc88-fe81e05ffa73",
"value": "Service Stop"
},
{
"description": "T856: Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "5e489242-3d3b-4c21-9d8e-9c27857252c6",
"value": "Spoof Reporting Message"
},
{
"description": "T855: Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "a2085515-4b94-4fea-8d9c-1ffc6aa550d9",
"value": "Unauthorized Command Message"
},
{
"description": "T879: Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "73e7afd3-fa10-49b9-baac-9c3765bf570e",
"value": "Damage to Property"
},
{
"description": "T813: Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "d18daaa4-1b59-482c-b9bb-1f50c3d6af7a",
"value": "Denial of Control"
},
{
"description": "T815: Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "69224a2a-13f5-42dc-b200-2e7b09acf514",
"value": "Denial of View"
},
{
"description": "T826: Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "7c53baea-b24d-40de-8753-e65139c93ced",
"value": "Loss of Availability"
},
{
"description": "T827: Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "62fee86a-2f24-4a2b-8b4c-795e82495d7d",
"value": "Loss of Control"
},
{
"description": "T828: Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "4b593ce1-3f07-4f00-86dd-e614e999ed2e",
"value": "Loss of Productivity and Revenue"
},
{
"description": "T880: Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "c514cc66-b02d-497b-bac0-57f58b831442",
"value": "Loss of Safety"
},
{
"description": "T829: Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "d48aa5dc-40af-4299-85c5-64b2b28ea009",
"value": "Loss of View"
},
{
"description": "T831: Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "1ff2853a-42bd-4aed-8aad-ed25ecc603d6",
"value": "Manipulation of Control"
},
{
"description": "T832: Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "5420f2d9-debe-4e3e-8717-0952afa92dd9",
"value": "Manipulation of View"
},
{
"description": "T882: Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "fb6e8505-98a6-489f-a8a6-4abc0b7927a1",
"value": "Theft of Operational Information"
}
],
"version": 1
}


@ -1,24 +0,0 @@
{
"description": "ATT&CK for ICS Technique Matrix",
"icon": "buromobelexperte",
"kill_chain_order": {
"Technique Matrix": [
"Initial Access",
"Execution",
"Persistence",
"Evasion",
"Discovery",
"Lateral Movement",
"Collection",
"Command and Control",
"Inhibit Response Function",
"Impair Process Control",
"Impact"
]
},
"name": "ATT&CK for ICS Technique Matrix",
"namespace": "mitre-attack-for-ics",
"type": "mitre-ics-technique-matrix",
"uuid": "87d7849c-8e57-4c2e-a7ba-9a3e0771abb7",
"version": 1
}



@ -1,10 +0,0 @@
{
"description": "ATT&CK for ICS Techniques",
"icon": "user-ninja",
"name": "Techniques",
"namespace": "mitre-attack-for-ics",
"type": "mitre-ics-techniques",
"uuid": "99261a7e-2270-40eb-823f-834cc1ad3159",
"version": 1
}