{ "type": "bundle", "id": "bundle--17f97d69-4677-4371-9fd4-a18ae702576f", "spec_version": "2.1", "objects": [ { "type": "x-mitre-collection", "id": "x-mitre-collection--90c00720-636b-4485-b342-8751d232bf09", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "name": "ICS ATT&CK", "x_mitre_version": "11.2", "description": "The ATT&CK for Industrial Control Systems (ICS) knowledge base categorizes the unique set of tactics, techniques, and procedures (TTPs) used by threat actors in the ICS technology domain. ATT&CK for ICS outlines the portions of an ICS attack that are out of scope of Enterprise and reflects the various phases of an adversary\u2019s attack life cycle and the assets and systems they are known to target.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-10-27T14:49:39.188Z", "modified": "2022-05-24T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_contents": [ { "object_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "object_modified": "2022-05-06T17:47:23.891Z" }, { "object_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "object_modified": "2022-05-06T17:47:23.978Z" }, { "object_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "object_modified": "2022-05-24T12:09:05.073Z" }, { "object_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "object_modified": "2022-05-06T17:47:23.950Z" }, { "object_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "object_modified": "2022-05-06T17:47:23.997Z" }, { "object_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "object_modified": "2022-05-06T17:47:23.940Z" }, { "object_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "object_modified": "2022-05-06T17:47:23.886Z" }, { "object_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "object_modified": "2022-05-24T14:57:44.326Z" }, { "object_ref": 
"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "object_modified": "2022-05-06T17:47:23.911Z" }, { "object_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "object_modified": "2022-05-06T17:47:23.892Z" }, { "object_ref": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "object_modified": "2022-05-06T17:47:23.898Z" }, { "object_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "object_modified": "2022-05-06T17:47:23.960Z" }, { "object_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "object_modified": "2022-05-06T17:47:23.917Z" }, { "object_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "object_modified": "2022-05-06T17:47:23.995Z" }, { "object_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "object_modified": "2022-05-24T11:42:52.057Z" }, { "object_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "object_modified": "2022-05-06T17:47:23.889Z" }, { "object_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "object_modified": "2022-05-24T11:48:05.134Z" }, { "object_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", "object_modified": "2022-05-06T17:47:23.938Z" }, { "object_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "object_modified": "2022-05-06T17:47:23.955Z" }, { "object_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "object_modified": "2022-05-06T17:47:23.977Z" }, { "object_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "object_modified": "2022-05-06T17:47:23.968Z" }, { "object_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "object_modified": "2022-05-06T17:47:23.960Z" }, { "object_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", 
"object_modified": "2022-05-06T17:47:23.919Z" }, { "object_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "object_modified": "2022-05-06T17:47:23.943Z" }, { "object_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "object_modified": "2022-05-06T17:47:23.958Z" }, { "object_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "object_modified": "2022-05-24T12:13:28.790Z" }, { "object_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "object_modified": "2022-05-06T17:47:23.889Z" }, { "object_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "object_modified": "2022-05-06T17:47:23.892Z" }, { "object_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "object_modified": "2022-05-24T12:18:48.810Z" }, { "object_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "object_modified": "2022-05-06T17:47:23.904Z" }, { "object_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "object_modified": "2022-05-06T17:47:23.947Z" }, { "object_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "object_modified": "2022-05-06T17:47:24.397Z" }, { "object_ref": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "object_modified": "2022-05-06T17:47:23.927Z" }, { "object_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "object_modified": "2022-05-06T17:47:23.927Z" }, { "object_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "object_modified": "2022-05-06T17:47:23.912Z" }, { "object_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "object_modified": "2022-05-06T17:47:23.918Z" }, { 
"object_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "object_modified": "2022-05-06T17:47:23.983Z" }, { "object_ref": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "object_modified": "2022-05-06T17:47:23.939Z" }, { "object_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "object_modified": "2022-05-06T17:47:23.938Z" }, { "object_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "object_modified": "2022-05-06T17:47:23.918Z" }, { "object_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "object_modified": "2022-05-06T17:47:23.981Z" }, { "object_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "object_modified": "2022-05-06T17:47:23.922Z" }, { "object_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "object_modified": "2022-05-06T17:47:23.906Z" }, { "object_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "object_modified": "2022-05-06T17:47:23.923Z" }, { "object_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "object_modified": "2022-05-06T17:47:23.893Z" }, { "object_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "object_modified": "2022-05-24T19:32:27.175Z" }, { "object_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "object_modified": "2022-05-06T17:47:23.919Z" }, { "object_ref": 
"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", "object_modified": "2022-05-06T17:47:24.400Z" }, { "object_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "object_modified": "2022-05-06T17:47:23.924Z" }, { "object_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "object_modified": "2022-05-06T17:47:23.975Z" }, { "object_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "object_modified": "2022-05-06T17:47:23.956Z" }, { "object_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "object_modified": "2022-05-06T17:47:23.934Z" }, { "object_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "object_modified": "2022-05-06T17:47:23.985Z" }, { "object_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "object_modified": "2022-05-06T17:47:23.984Z" }, { "object_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "object_modified": "2022-05-06T17:47:23.960Z" }, { "object_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "object_modified": "2022-05-06T17:47:23.973Z" }, { "object_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "object_modified": "2022-05-06T17:47:23.976Z" }, { "object_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "object_modified": "2022-05-24T11:56:16.241Z" }, { "object_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", 
"object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "object_modified": "2022-05-06T17:47:23.968Z" }, { "object_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "object_modified": "2022-05-06T17:47:23.900Z" }, { "object_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "object_modified": "2022-05-06T17:47:23.981Z" }, { "object_ref": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "object_modified": "2022-05-06T17:47:23.908Z" }, { "object_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "object_modified": "2022-05-06T17:47:23.949Z" }, { "object_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "object_modified": "2022-05-24T14:31:04.264Z" }, { "object_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "object_modified": "2022-05-06T17:47:23.963Z" }, { "object_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "object_modified": "2022-05-23T21:24:49.040Z" }, { "object_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "object_modified": "2022-05-06T17:47:23.932Z" }, { "object_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "object_modified": "2022-05-24T11:51:30.717Z" }, { "object_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "object_modified": "2022-05-06T17:47:23.930Z" }, { "object_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "object_modified": "2022-05-06T17:47:23.953Z" }, { 
"object_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "object_modified": "2022-05-06T17:47:24.036Z" }, { "object_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "object_modified": "2022-05-06T17:47:24.043Z" }, { "object_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "object_modified": "2022-05-06T17:47:24.055Z" }, { "object_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "object_modified": "2022-05-06T17:47:24.051Z" }, { "object_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", "object_modified": "2022-05-06T17:47:24.054Z" }, { "object_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", "object_modified": "2022-05-06T17:47:24.035Z" }, { "object_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "object_modified": "2022-05-06T17:47:24.049Z" }, { "object_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "object_modified": "2022-05-06T17:47:24.055Z" }, { "object_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", "object_modified": "2022-05-06T17:47:24.040Z" }, { "object_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "object_modified": "2022-05-06T17:47:24.034Z" }, { "object_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "object_modified": "2022-05-06T17:47:24.048Z" }, { "object_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "object_modified": "2022-05-06T17:47:24.042Z" }, { "object_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", "object_modified": "2022-05-06T17:47:24.044Z" }, { "object_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "object_modified": "2022-05-06T17:47:24.042Z" }, { "object_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "object_modified": "2022-05-06T17:47:24.057Z" }, { "object_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "object_modified": "2022-05-06T17:47:24.053Z" }, { "object_ref": 
"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "object_modified": "2022-05-06T17:47:24.053Z" }, { "object_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "object_modified": "2022-05-06T17:47:24.060Z" }, { "object_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", "object_modified": "2022-05-06T17:47:24.055Z" }, { "object_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "object_modified": "2022-05-06T17:47:24.039Z" }, { "object_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "object_modified": "2022-05-06T17:47:24.057Z" }, { "object_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "object_modified": "2022-05-06T17:47:24.041Z" }, { "object_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "object_modified": "2022-05-06T17:47:24.034Z" }, { "object_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "object_modified": "2022-05-06T17:47:24.036Z" }, { "object_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "object_modified": "2022-05-06T17:47:24.038Z" }, { "object_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "object_modified": "2022-05-06T17:47:24.046Z" }, { "object_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "object_modified": "2022-05-06T17:47:24.058Z" }, { "object_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", "object_modified": "2022-05-06T17:47:24.060Z" }, { "object_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", "object_modified": "2022-05-06T17:47:24.051Z" }, { "object_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "object_modified": "2022-05-06T17:47:24.051Z" }, { "object_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "object_modified": "2022-05-06T17:47:24.045Z" }, { "object_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "object_modified": "2022-05-06T17:47:24.041Z" }, { "object_ref": 
"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "object_modified": "2022-05-06T17:47:24.060Z" }, { "object_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", "object_modified": "2022-05-06T17:47:24.058Z" }, { "object_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "object_modified": "2022-05-06T17:47:24.040Z" }, { "object_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "object_modified": "2022-05-06T17:47:24.053Z" }, { "object_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "object_modified": "2022-05-06T17:47:24.037Z" }, { "object_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "object_modified": "2022-05-06T17:47:24.039Z" }, { "object_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "object_modified": "2022-05-06T17:47:24.041Z" }, { "object_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "object_modified": "2022-05-06T17:47:24.058Z" }, { "object_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "object_modified": "2022-05-06T17:47:24.056Z" }, { "object_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "object_modified": "2022-05-06T17:47:24.059Z" }, { "object_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "object_modified": "2022-05-06T17:47:24.048Z" }, { "object_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "object_modified": "2022-05-06T17:47:24.059Z" }, { "object_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "object_modified": "2022-05-06T17:47:24.038Z" }, { "object_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "object_modified": "2022-05-06T17:47:24.059Z" }, { "object_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "object_modified": "2022-05-06T17:47:24.054Z" }, { "object_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "object_modified": "2022-05-06T17:47:24.054Z" }, { "object_ref": 
"course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", "object_modified": "2022-05-06T17:47:24.057Z" }, { "object_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "object_modified": "2022-05-06T17:47:24.036Z" }, { "object_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "object_modified": "2022-05-06T17:47:24.048Z" }, { "object_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_modified": "2017-06-01T00:00:00.000Z" }, { "object_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "object_modified": "2022-01-18T17:13:14.610Z" }, { "object_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "object_modified": "2022-05-24T19:26:10.721Z" }, { "object_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "object_modified": "2022-05-24T19:21:16.242Z" }, { "object_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "object_modified": "2021-10-14T17:23:58.316Z" }, { "object_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "object_modified": "2022-02-02T21:32:06.214Z" }, { "object_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "object_modified": "2022-05-23T21:21:17.572Z" }, { "object_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "object_modified": "2022-05-23T21:20:37.658Z" }, { "object_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", "object_modified": "2018-10-17T00:17:13.469Z" }, { "object_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "object_modified": "2022-05-24T16:22:20.856Z" }, { "object_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", "object_modified": "2021-04-26T12:52:34.528Z" }, { "object_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "object_modified": "2022-05-23T21:20:57.634Z" }, { "object_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "object_modified": 
"2021-10-14T17:27:41.194Z" }, { "object_ref": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "object_modified": "2022-05-24T19:27:30.581Z" }, { "object_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "object_modified": "2022-05-23T21:22:08.170Z" }, { "object_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "object_modified": "2022-05-11T14:00:00.188Z" }, { "object_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "object_modified": "2022-05-11T14:00:00.188Z" }, { "object_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "object_modified": "2022-05-20T16:22:32.608Z" }, { "object_ref": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "malware--49c04994-1035-4b58-89b7-cf8956e3b423", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "object_modified": "2022-05-23T21:22:58.477Z" }, { "object_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": 
"malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "object_modified": "2022-05-24T21:10:44.381Z" }, { "object_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "object_modified": "2022-05-24T21:09:01.019Z" }, { "object_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "object_modified": "2022-05-11T14:00:00.188Z" }, { "object_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "object_modified": "2022-05-23T21:22:34.355Z" }, { "object_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", "object_modified": "2022-05-06T17:47:24.104Z" }, { "object_ref": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", "object_modified": "2022-05-06T17:47:24.203Z" }, { "object_ref": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", "object_modified": "2022-05-06T17:47:24.177Z" }, { "object_ref": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", "object_modified": "2022-05-06T17:47:24.148Z" }, { "object_ref": 
"relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", "object_modified": "2022-05-06T17:47:24.209Z" }, { "object_ref": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", "object_modified": "2022-05-06T17:47:24.358Z" }, { "object_ref": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", "object_modified": "2022-05-06T17:47:24.128Z" }, { "object_ref": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", "object_modified": "2022-05-06T17:47:24.210Z" }, { "object_ref": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", "object_modified": "2022-05-06T17:47:24.291Z" }, { "object_ref": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", "object_modified": "2022-05-06T17:47:24.218Z" }, { "object_ref": "relationship--052a20b2-6d57-42f6-b3cd-bbc508a0c969", "object_modified": "2022-05-06T17:47:24.371Z" }, { "object_ref": "relationship--058396ca-3af4-444b-b261-74485c47e68c", "object_modified": "2022-05-06T17:47:24.256Z" }, { "object_ref": "relationship--06006cdb-688e-4632-91d5-a0340349048b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", "object_modified": "2022-05-06T17:47:24.254Z" }, { "object_ref": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", "object_modified": "2022-05-06T17:47:24.183Z" }, { "object_ref": "relationship--06c9c355-e0f0-488a-b7b0-5674877c19d6", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", "object_modified": "2022-05-06T17:47:24.228Z" }, { "object_ref": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", "object_modified": "2022-05-06T17:47:24.115Z" }, { "object_ref": "relationship--088580e9-ccea-426e-9411-c1de60de650d", "object_modified": "2022-05-06T17:47:24.206Z" }, { "object_ref": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--09977105-562f-4f45-a151-27a11a18031e", "object_modified": "2022-05-06T17:47:24.164Z" }, { "object_ref": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", "object_modified": "2022-05-06T17:47:24.081Z" }, { "object_ref": "relationship--0a9292b6-3697-49bc-b41a-1c10853ae585", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", "object_modified": "2022-05-06T17:47:24.355Z" }, { "object_ref": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", "object_modified": "2022-05-06T17:47:24.255Z" }, { "object_ref": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", "object_modified": "2022-05-06T17:47:24.164Z" }, { "object_ref": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", "object_modified": "2022-05-06T17:47:24.070Z" }, { "object_ref": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", "object_modified": "2022-05-06T17:47:24.181Z" }, { "object_ref": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", "object_modified": "2022-05-06T17:47:24.319Z" }, { "object_ref": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", "object_modified": "2022-05-06T17:47:24.202Z" }, { "object_ref": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", "object_modified": "2022-05-06T17:47:24.354Z" }, { "object_ref": 
"relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", "object_modified": "2022-05-06T17:47:24.357Z" }, { "object_ref": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", "object_modified": "2022-05-06T17:47:24.197Z" }, { "object_ref": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", "object_modified": "2022-05-06T17:47:24.209Z" }, { "object_ref": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", "object_modified": "2022-05-06T17:47:24.137Z" }, { "object_ref": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", "object_modified": "2022-05-06T17:47:24.229Z" }, { "object_ref": "relationship--10626671-941d-4a82-a835-56059058ef87", "object_modified": "2022-05-06T17:47:24.065Z" }, { "object_ref": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", "object_modified": "2022-05-06T17:47:24.099Z" }, { "object_ref": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", "object_modified": "2022-05-06T17:47:24.385Z" }, { "object_ref": "relationship--10f8af1d-3a16-450d-bc42-28c2ccb1b20a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", "object_modified": "2022-05-06T17:47:24.234Z" }, { "object_ref": "relationship--1125d38f-3169-4d3f-8a0e-ec9ca51b6853", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", "object_modified": "2022-05-06T17:47:24.266Z" }, { "object_ref": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", "object_modified": "2022-03-09T23:42:34.056Z" }, { "object_ref": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", "object_modified": 
"2022-05-06T17:47:24.077Z" }, { "object_ref": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", "object_modified": "2022-05-06T17:47:24.343Z" }, { "object_ref": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", "object_modified": "2022-05-06T17:47:24.071Z" }, { "object_ref": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", "object_modified": "2022-05-06T17:47:24.204Z" }, { "object_ref": "relationship--15188683-7ded-4578-9102-73459ecbe095", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--17525989-242e-4960-b59d-9ea62172263f", "object_modified": "2022-05-06T17:47:24.366Z" }, { "object_ref": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", "object_modified": "2022-05-06T17:47:24.128Z" }, { "object_ref": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", "object_modified": "2022-05-06T17:47:24.212Z" }, { "object_ref": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", "object_modified": "2022-05-06T17:47:24.096Z" }, { "object_ref": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", "object_modified": "2022-05-06T17:47:24.152Z" }, { "object_ref": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", "object_modified": "2022-05-06T17:47:24.106Z" }, { "object_ref": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", "object_modified": "2022-05-06T17:47:24.228Z" }, { "object_ref": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": 
"relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", "object_modified": "2022-05-06T17:47:24.180Z" }, { "object_ref": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", "object_modified": "2022-05-06T17:47:24.285Z" }, { "object_ref": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", "object_modified": "2022-05-06T17:47:24.326Z" }, { "object_ref": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", "object_modified": "2022-05-06T17:47:24.267Z" }, { "object_ref": "relationship--1dfe3095-7c2e-4eba-ac4d-f9206b5ab7ad", "object_modified": "2022-05-06T17:47:24.373Z" }, { "object_ref": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", "object_modified": "2022-05-06T17:47:24.123Z" }, { "object_ref": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", "object_modified": "2022-05-06T17:47:24.344Z" }, { "object_ref": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", "object_modified": "2022-05-06T17:47:24.235Z" }, { "object_ref": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", "object_modified": "2022-05-06T17:47:24.305Z" }, { "object_ref": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", "object_modified": "2022-05-06T17:47:24.224Z" }, { "object_ref": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", "object_modified": "2022-05-06T17:47:24.094Z" }, { "object_ref": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", "object_modified": 
"2022-05-06T17:47:24.084Z" }, { "object_ref": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", "object_modified": "2022-05-06T17:47:24.303Z" }, { "object_ref": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", "object_modified": "2022-05-06T17:47:24.301Z" }, { "object_ref": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", "object_modified": "2022-05-06T17:47:24.089Z" }, { "object_ref": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", "object_modified": "2022-05-06T17:47:24.126Z" }, { "object_ref": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", "object_modified": "2022-05-06T17:47:24.077Z" }, { "object_ref": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", "object_modified": "2022-05-06T17:47:24.247Z" }, { "object_ref": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", "object_modified": "2022-05-06T17:47:24.212Z" }, { "object_ref": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", "object_modified": "2022-05-06T17:47:24.115Z" }, { "object_ref": "relationship--23fea80c-51fa-420b-bb5b-48c9a5766b1a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", "object_modified": "2022-05-06T17:47:24.138Z" }, { "object_ref": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", "object_modified": "2022-05-06T17:47:24.169Z" }, { "object_ref": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", "object_modified": "2019-09-09T19:15:45.677Z" }, { "object_ref": "relationship--26254163-4f25-4d30-8456-ca093459ff32", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", "object_modified": "2022-05-06T17:47:24.390Z" }, { "object_ref": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", "object_modified": "2022-05-06T17:47:24.160Z" }, { "object_ref": 
"relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", "object_modified": "2022-05-06T17:47:24.170Z" }, { "object_ref": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", "object_modified": "2022-05-06T17:47:24.128Z" }, { "object_ref": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", "object_modified": "2022-05-06T17:47:24.315Z" }, { "object_ref": "relationship--2916cd9c-32d5-463a-a83b-448ef7720192", "object_modified": "2022-05-06T17:47:24.364Z" }, { "object_ref": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", "object_modified": "2022-05-06T17:47:24.199Z" }, { "object_ref": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", "object_modified": "2022-05-06T17:47:24.127Z" }, { "object_ref": "relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a", "object_modified": "2022-05-06T17:47:24.380Z" }, { "object_ref": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", "object_modified": "2022-05-06T17:47:24.071Z" }, { "object_ref": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", "object_modified": "2022-05-06T17:47:24.150Z" }, { "object_ref": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", "object_modified": "2022-05-06T17:47:24.126Z" }, { "object_ref": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", "object_modified": "2022-05-06T17:47:24.220Z" }, { "object_ref": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", "object_modified": "2022-05-06T17:47:24.173Z" }, { "object_ref": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", "object_modified": "2022-05-06T17:47:24.201Z" }, { "object_ref": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", "object_modified": 
"2022-05-06T17:47:24.240Z" }, { "object_ref": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", "object_modified": "2022-05-06T17:47:24.226Z" }, { "object_ref": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", "object_modified": "2022-05-06T17:47:24.322Z" }, { "object_ref": "relationship--2ff82993-5010-4450-89e7-341f449f3263", "object_modified": "2022-05-06T17:47:24.092Z" }, { "object_ref": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", "object_modified": "2022-05-06T17:47:24.201Z" }, { "object_ref": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", "object_modified": "2022-05-06T17:47:24.309Z" }, { "object_ref": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3168a905-f398-403f-9345-de5893de1326", "object_modified": "2022-05-06T17:47:24.363Z" }, { "object_ref": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", "object_modified": "2022-05-06T17:47:24.302Z" }, { "object_ref": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", "object_modified": "2022-05-06T17:47:24.374Z" }, { "object_ref": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", "object_modified": "2022-05-06T17:47:24.332Z" }, { "object_ref": "relationship--32dbed4e-4dbe-4872-a013-c96111ed102e", "object_modified": "2022-05-06T17:47:24.383Z" }, { "object_ref": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", "object_modified": "2022-05-06T17:47:24.130Z" }, { "object_ref": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", "object_modified": "2022-05-06T17:47:24.092Z" }, { "object_ref": "relationship--3439d550-61d5-40b4-a514-341509d3f701", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", "object_modified": "2022-05-06T17:47:24.239Z" }, { "object_ref": 
"relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", "object_modified": "2022-05-06T17:47:24.156Z" }, { "object_ref": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", "object_modified": "2022-05-06T17:47:24.168Z" }, { "object_ref": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", "object_modified": "2022-05-06T17:47:24.341Z" }, { "object_ref": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", "object_modified": "2022-05-06T17:47:24.345Z" }, { "object_ref": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", "object_modified": "2022-05-06T17:47:24.142Z" }, { "object_ref": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", "object_modified": "2022-05-06T17:47:24.376Z" }, { "object_ref": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", "object_modified": "2022-05-06T17:47:24.179Z" }, { "object_ref": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--37abb3d5-24fc-4397-844e-07548d324729", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--383e242a-72d4-4b40-8905-888595c34919", "object_modified": "2022-05-06T17:47:24.311Z" }, { "object_ref": "relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3", "object_modified": "2022-05-06T17:47:24.268Z" }, { "object_ref": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", "object_modified": "2022-05-06T17:47:24.102Z" }, { "object_ref": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", "object_modified": "2022-05-06T17:47:24.259Z" }, { "object_ref": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", "object_modified": "2022-05-06T17:47:24.237Z" }, { "object_ref": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", "object_modified": "2022-05-06T17:47:24.119Z" }, { "object_ref": "relationship--3b8cbbbf-a2a9-45a8-90bc-e8b5977fd91b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", "object_modified": "2022-05-06T17:47:24.274Z" }, { "object_ref": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", "object_modified": "2022-05-06T17:47:24.216Z" }, { "object_ref": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", "object_modified": "2022-05-06T17:47:24.323Z" }, { "object_ref": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", "object_modified": "2022-05-06T17:47:24.109Z" }, { "object_ref": "relationship--3d97d618-71bd-4b48-8cd2-e7d57ef205dd", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", "object_modified": "2022-05-06T17:47:24.166Z" }, { "object_ref": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", "object_modified": "2022-05-06T17:47:24.214Z" }, { "object_ref": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", "object_modified": "2022-05-06T17:47:24.092Z" }, { "object_ref": 
"relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", "object_modified": "2022-05-06T17:47:24.236Z" }, { "object_ref": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", "object_modified": "2022-05-06T17:47:24.251Z" }, { "object_ref": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", "object_modified": "2022-05-06T17:47:24.145Z" }, { "object_ref": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", "object_modified": "2022-05-06T17:47:24.160Z" }, { "object_ref": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", "object_modified": "2022-05-06T17:47:24.379Z" }, { "object_ref": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", "object_modified": "2022-05-06T17:47:24.187Z" }, { "object_ref": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", "object_modified": "2022-05-06T17:47:24.178Z" }, { "object_ref": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", "object_modified": "2022-05-06T17:47:24.185Z" }, { "object_ref": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", "object_modified": "2022-05-06T17:47:24.289Z" }, { "object_ref": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", "object_modified": "2022-05-06T17:47:24.120Z" }, { "object_ref": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", "object_modified": "2022-05-06T17:47:24.214Z" }, { "object_ref": "relationship--4432dcbe-54ac-41cb-a50d-484a742f3583", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", "object_modified": 
"2022-05-06T17:47:24.166Z" }, { "object_ref": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", "object_modified": "2022-05-06T17:47:24.095Z" }, { "object_ref": "relationship--45ee1822-71e4-4d92-976d-306561b70555", "object_modified": "2022-05-06T17:47:24.106Z" }, { "object_ref": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", "object_modified": "2022-05-06T17:47:24.073Z" }, { "object_ref": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", "object_modified": "2022-05-06T17:47:24.164Z" }, { "object_ref": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", "object_modified": "2022-05-06T17:47:24.294Z" }, { "object_ref": "relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98", "object_modified": "2022-05-06T17:47:24.364Z" }, { "object_ref": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", "object_modified": "2022-05-06T17:47:24.122Z" }, { "object_ref": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", "object_modified": "2022-05-06T17:47:24.224Z" }, { "object_ref": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", "object_modified": "2022-05-06T17:47:24.102Z" }, { "object_ref": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", "object_modified": "2022-05-06T17:47:24.186Z" }, { "object_ref": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", "object_modified": "2022-05-06T17:47:24.097Z" }, { "object_ref": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--4a2f8d80-8098-482b-a4fb-b308b1f4cc99", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--4aa52c52-d5ec-4a54-97e3-db00bde08446", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--4b34b947-ed1b-4aae-a2a9-5c1373760255", "object_modified": "2022-05-06T17:47:24.341Z" }, { "object_ref": 
"relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", "object_modified": "2022-05-06T17:47:24.189Z" }, { "object_ref": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", "object_modified": "2022-05-06T17:47:24.227Z" }, { "object_ref": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", "object_modified": "2022-05-06T17:47:24.090Z" }, { "object_ref": "relationship--50b3247a-ea71-455e-b299-f00666c05146", "object_modified": "2022-05-06T17:47:24.321Z" }, { "object_ref": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", "object_modified": "2022-05-06T17:47:24.277Z" }, { "object_ref": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", "object_modified": "2022-05-06T17:47:24.072Z" }, { "object_ref": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", "object_modified": "2022-05-06T17:47:24.261Z" }, { "object_ref": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", "object_modified": "2022-05-06T17:47:24.143Z" }, { "object_ref": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", "object_modified": "2022-05-06T17:47:24.188Z" }, { "object_ref": "relationship--52855d5d-e835-470f-a675-751c2779c861", "object_modified": "2022-05-06T17:47:24.140Z" }, { "object_ref": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", "object_modified": "2022-05-06T17:47:24.133Z" }, { "object_ref": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", "object_modified": "2022-05-06T17:47:24.208Z" }, { "object_ref": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", "object_modified": "2022-05-06T17:47:24.299Z" }, { "object_ref": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", "object_modified": "2022-05-06T17:47:24.315Z" }, { "object_ref": "relationship--5424e327-396f-4b07-94a3-408ffc915686", "object_modified": "2022-05-06T17:47:24.352Z" }, { "object_ref": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f", "object_modified": "2022-05-06T17:47:24.362Z" }, { "object_ref": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", "object_modified": "2022-05-06T17:47:24.075Z" }, { "object_ref": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", "object_modified": "2022-05-06T17:47:24.339Z" }, { "object_ref": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", "object_modified": "2022-05-06T17:47:24.199Z" }, { "object_ref": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", "object_modified": "2022-05-06T17:47:24.145Z" }, { "object_ref": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", "object_modified": "2022-05-06T17:47:24.166Z" }, { "object_ref": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", "object_modified": "2022-05-06T17:47:24.086Z" }, { "object_ref": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", "object_modified": "2022-05-06T17:47:24.168Z" }, { "object_ref": "relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877", "object_modified": "2022-05-06T17:47:24.368Z" }, { "object_ref": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", "object_modified": "2022-05-06T17:47:24.145Z" }, { "object_ref": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", "object_modified": "2022-05-06T17:47:24.201Z" }, { "object_ref": 
"relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", "object_modified": "2022-05-06T17:47:24.123Z" }, { "object_ref": "relationship--591620d3-5549-49db-9080-43f86a68a590", "object_modified": "2022-05-06T17:47:24.338Z" }, { "object_ref": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", "object_modified": "2022-05-06T17:47:24.180Z" }, { "object_ref": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", "object_modified": "2022-05-06T17:47:24.253Z" }, { "object_ref": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", "object_modified": "2022-05-06T17:47:24.209Z" }, { "object_ref": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", "object_modified": "2022-05-06T17:47:24.156Z" }, { "object_ref": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", "object_modified": "2022-05-06T17:47:24.303Z" }, { "object_ref": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", "object_modified": "2022-05-06T17:47:24.182Z" }, { "object_ref": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", "object_modified": "2022-05-06T17:47:24.094Z" }, { "object_ref": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", "object_modified": "2022-05-06T17:47:24.068Z" }, { "object_ref": "relationship--5d4b3eb8-5ed5-43ca-ac71-42f4a461b435", "object_modified": "2022-05-06T17:47:24.372Z" }, { "object_ref": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", "object_modified": "2022-05-06T17:47:24.150Z" }, { "object_ref": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", "object_modified": "2022-05-06T17:47:24.201Z" }, { "object_ref": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", "object_modified": 
"2022-05-06T17:47:24.235Z" }, { "object_ref": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", "object_modified": "2022-05-06T17:47:24.305Z" }, { "object_ref": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", "object_modified": "2022-05-06T17:47:24.117Z" }, { "object_ref": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", "object_modified": "2022-05-06T17:47:24.195Z" }, { "object_ref": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", "object_modified": "2022-05-06T17:47:24.199Z" }, { "object_ref": "relationship--6258c355-677c-452d-b1fc-27767232437b", "object_modified": "2022-05-06T17:47:24.297Z" }, { "object_ref": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb", "object_modified": "2018-10-17T00:14:20.652Z" }, { "object_ref": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", "object_modified": "2022-05-06T17:47:24.122Z" }, { "object_ref": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", "object_modified": "2022-05-06T17:47:24.061Z" }, { "object_ref": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", "object_modified": "2022-05-06T17:47:24.342Z" }, { "object_ref": "relationship--641813ea-66a9-4949-848f-db83420aac39", "object_modified": "2022-05-06T17:47:24.387Z" }, { "object_ref": "relationship--6424de09-251d-4936-98fe-876fad2a713b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", "object_modified": "2022-05-06T17:47:24.272Z" }, { "object_ref": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", "object_modified": "2022-05-06T17:47:24.101Z" }, { "object_ref": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", "object_modified": "2022-05-06T17:47:24.198Z" }, { "object_ref": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": 
"relationship--65a45501-10de-46a2-89bf-03bbf17aba33", "object_modified": "2022-05-06T17:47:24.166Z" }, { "object_ref": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", "object_modified": "2022-01-14T17:29:16.633Z" }, { "object_ref": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", "object_modified": "2022-05-06T17:47:24.296Z" }, { "object_ref": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", "object_modified": "2022-05-06T17:47:24.099Z" }, { "object_ref": "relationship--667df0e0-0995-4213-a98e-7efe7fa6b88e", "object_modified": "2022-05-06T17:47:24.286Z" }, { "object_ref": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", "object_modified": "2022-05-06T17:47:24.288Z" }, { "object_ref": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", "object_modified": "2022-05-06T17:47:24.184Z" }, { "object_ref": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", "object_modified": "2022-05-06T17:47:24.353Z" }, { "object_ref": "relationship--67abd801-72e2-4269-a063-cbd89d3c8f22", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", "object_modified": "2022-05-06T17:47:24.202Z" }, { "object_ref": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", "object_modified": "2022-05-06T17:47:24.174Z" }, { "object_ref": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", "object_modified": "2022-05-20T17:07:10.940Z" }, { "object_ref": "relationship--68d30c45-766f-48b6-9405-0c969243332b", "object_modified": "2022-05-06T17:47:24.214Z" }, { "object_ref": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", "object_modified": "2022-05-06T17:47:24.263Z" }, { "object_ref": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", "object_modified": 
"2022-05-06T17:47:24.218Z" }, { "object_ref": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", "object_modified": "2022-05-06T17:47:24.154Z" }, { "object_ref": "relationship--6a906975-390b-45f6-a81c-9ffeeb5ba327", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", "object_modified": "2022-05-06T17:47:24.136Z" }, { "object_ref": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", "object_modified": "2022-05-06T17:47:24.147Z" }, { "object_ref": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", "object_modified": "2022-05-06T17:47:24.101Z" }, { "object_ref": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", "object_modified": "2022-05-06T17:47:24.331Z" }, { "object_ref": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", "object_modified": "2022-05-06T17:47:24.089Z" }, { "object_ref": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", "object_modified": "2022-05-06T17:47:24.224Z" }, { "object_ref": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", "object_modified": "2022-05-06T17:47:24.186Z" }, { "object_ref": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", "object_modified": "2022-05-06T17:47:24.252Z" }, { "object_ref": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", "object_modified": "2022-05-06T17:47:24.220Z" }, { "object_ref": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", "object_modified": "2022-05-06T17:47:24.310Z" }, { "object_ref": 
"relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", "object_modified": "2022-05-06T17:47:24.069Z" }, { "object_ref": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", "object_modified": "2022-05-06T17:47:24.112Z" }, { "object_ref": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", "object_modified": "2022-05-06T17:47:24.300Z" }, { "object_ref": "relationship--70113c21-85f2-4232-8755-233f93864277", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", "object_modified": "2022-05-06T17:47:24.135Z" }, { "object_ref": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", "object_modified": "2022-05-06T17:47:24.346Z" }, { "object_ref": "relationship--70a9010c-6943-4274-b854-50901c3e5a0e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", "object_modified": "2022-05-06T17:47:24.262Z" }, { "object_ref": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", "object_modified": "2022-05-06T17:47:24.394Z" }, { "object_ref": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", "object_modified": "2022-05-06T17:47:24.228Z" }, { "object_ref": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", "object_modified": "2022-05-06T17:47:24.140Z" }, { "object_ref": "relationship--7258c355-677c-452d-b1fc-27767232437b", "object_modified": "2022-05-06T17:47:24.297Z" }, { "object_ref": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", "object_modified": "2022-05-06T17:47:24.356Z" }, { "object_ref": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", "object_modified": "2022-05-06T17:47:24.084Z" }, { "object_ref": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", "object_modified": 
"2022-05-06T17:47:24.333Z" }, { "object_ref": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", "object_modified": "2022-05-06T17:47:24.194Z" }, { "object_ref": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", "object_modified": "2022-05-06T17:47:24.080Z" }, { "object_ref": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", "object_modified": "2022-05-06T17:47:24.108Z" }, { "object_ref": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", "object_modified": "2022-05-06T17:47:24.062Z" }, { "object_ref": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7656e5bd-3b46-4acd-a2d0-250cc7075ddc", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", "object_modified": "2022-05-06T17:47:24.264Z" }, { "object_ref": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", "object_modified": "2022-05-06T17:47:24.170Z" }, { "object_ref": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", "object_modified": "2022-05-06T17:47:24.226Z" }, { "object_ref": "relationship--79bca627-3c39-4e2f-86e2-5006cecc1d23", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", "object_modified": "2022-05-06T17:47:24.269Z" }, { "object_ref": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", "object_modified": "2022-05-06T17:47:24.295Z" }, { "object_ref": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", "object_modified": "2022-05-06T17:47:24.157Z" }, { "object_ref": 
"relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", "object_modified": "2022-05-06T17:47:24.084Z" }, { "object_ref": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", "object_modified": "2022-05-06T17:47:24.080Z" }, { "object_ref": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", "object_modified": "2022-05-06T17:47:24.281Z" }, { "object_ref": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", "object_modified": "2022-05-06T17:47:24.324Z" }, { "object_ref": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", "object_modified": "2022-05-06T17:47:24.072Z" }, { "object_ref": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7d48e930-61c3-48e2-974e-a29d303c968f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", "object_modified": "2022-05-06T17:47:24.079Z" }, { "object_ref": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", "object_modified": "2022-05-06T17:47:24.156Z" }, { "object_ref": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", "object_modified": "2022-05-06T17:47:24.195Z" }, { "object_ref": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", "object_modified": "2022-05-06T17:47:24.083Z" }, { "object_ref": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", "object_modified": "2022-05-06T17:47:24.071Z" }, { "object_ref": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", "object_modified": "2022-05-06T17:47:24.152Z" }, { "object_ref": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", "object_modified": "2022-05-06T17:47:24.114Z" }, { "object_ref": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", "object_modified": "2022-05-06T17:47:24.140Z" }, { "object_ref": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", "object_modified": "2022-05-06T17:47:24.098Z" }, { "object_ref": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", "object_modified": "2022-05-06T17:47:24.204Z" }, { "object_ref": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", "object_modified": "2022-05-06T17:47:24.327Z" }, { "object_ref": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", "object_modified": "2022-05-06T17:47:24.283Z" }, { "object_ref": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", "object_modified": "2022-05-06T17:47:24.270Z" }, { "object_ref": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", "object_modified": "2022-05-06T17:47:24.284Z" }, { "object_ref": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", "object_modified": "2022-05-06T17:47:24.187Z" }, { "object_ref": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d", "object_modified": "2022-05-06T17:47:24.384Z" }, { "object_ref": "relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a", "object_modified": "2022-05-06T17:47:24.368Z" }, { "object_ref": 
"relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--86c94552-de59-453d-ac06-28a6a64db930", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", "object_modified": "2022-05-06T17:47:24.166Z" }, { "object_ref": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", "object_modified": "2022-05-06T17:47:24.092Z" }, { "object_ref": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", "object_modified": "2022-05-06T17:47:24.313Z" }, { "object_ref": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", "object_modified": "2022-05-06T17:47:24.278Z" }, { "object_ref": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--88da36ff-855b-4447-bfd1-3e34b30590e6", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", "object_modified": "2022-05-06T17:47:24.330Z" }, { "object_ref": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", "object_modified": "2022-05-06T17:47:24.273Z" }, { "object_ref": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", "object_modified": "2022-05-06T17:47:24.135Z" }, { "object_ref": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", "object_modified": "2022-05-06T17:47:24.333Z" }, { "object_ref": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", "object_modified": "2022-05-06T17:47:24.101Z" }, { "object_ref": "relationship--8da928a0-1c87-471f-aad7-5a1fdd438357", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", "object_modified": "2022-05-06T17:47:24.139Z" }, { "object_ref": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", "object_modified": "2022-05-06T17:47:24.248Z" }, { "object_ref": "relationship--8f90363e-2825-4178-807f-9268a28760fa", "object_modified": "2022-05-06T17:47:24.195Z" }, { "object_ref": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", "object_modified": "2022-05-06T17:47:24.120Z" }, { "object_ref": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", "object_modified": "2022-05-06T17:47:24.179Z" }, { "object_ref": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", "object_modified": "2022-05-06T17:47:24.250Z" }, { "object_ref": "relationship--90dcb709-8f1b-4b37-bfc6-ef52a735dd7f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", "object_modified": "2022-05-06T17:47:24.119Z" }, { "object_ref": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", "object_modified": "2022-05-06T17:47:24.395Z" }, { "object_ref": "relationship--92865095-f63e-461c-9e32-e202d514747d", "object_modified": "2022-05-06T17:47:24.370Z" }, { "object_ref": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", "object_modified": "2022-05-06T17:47:24.130Z" }, { "object_ref": 
"relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", "object_modified": "2022-05-06T17:47:24.347Z" }, { "object_ref": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", "object_modified": "2022-05-06T17:47:24.300Z" }, { "object_ref": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", "object_modified": "2022-05-06T17:47:24.388Z" }, { "object_ref": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", "object_modified": "2022-05-06T17:47:24.274Z" }, { "object_ref": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", "object_modified": "2022-05-06T17:47:24.112Z" }, { "object_ref": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", "object_modified": "2022-05-06T17:47:24.153Z" }, { "object_ref": "relationship--97538255-b049-4d15-91c4-6b227cbea476", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", "object_modified": "2022-05-06T17:47:24.115Z" }, { "object_ref": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", "object_modified": "2022-05-06T17:47:24.172Z" }, { "object_ref": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714", "object_modified": "2022-05-06T17:47:24.391Z" }, { "object_ref": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", "object_modified": "2022-05-06T17:47:24.127Z" }, { "object_ref": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", "object_modified": 
"2022-05-06T17:47:24.276Z" }, { "object_ref": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", "object_modified": "2022-05-06T17:47:24.261Z" }, { "object_ref": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", "object_modified": "2022-05-06T17:47:24.094Z" }, { "object_ref": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", "object_modified": "2022-05-06T17:47:24.075Z" }, { "object_ref": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", "object_modified": "2022-05-06T17:47:24.203Z" }, { "object_ref": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", "object_modified": "2022-05-06T17:47:24.232Z" }, { "object_ref": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", "object_modified": "2022-05-06T17:47:24.246Z" }, { "object_ref": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", "object_modified": "2022-05-06T17:47:24.203Z" }, { "object_ref": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", "object_modified": "2022-05-06T17:47:24.280Z" }, { "object_ref": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", "object_modified": "2022-05-06T17:47:24.335Z" }, { "object_ref": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--9ebc0cc8-7be5-4d13-9540-8f0bb531b359", "object_modified": "2022-05-06T17:47:24.286Z" }, { "object_ref": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", "object_modified": "2022-05-20T16:59:02.474Z" }, { "object_ref": 
"relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d", "object_modified": "2022-05-06T17:47:24.392Z" }, { "object_ref": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", "object_modified": "2022-05-06T17:47:24.288Z" }, { "object_ref": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", "object_modified": "2022-05-06T17:47:24.278Z" }, { "object_ref": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", "object_modified": "2022-05-06T17:47:24.069Z" }, { "object_ref": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", "object_modified": "2022-05-06T17:47:24.233Z" }, { "object_ref": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", "object_modified": "2022-05-06T17:47:24.275Z" }, { "object_ref": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", "object_modified": "2022-05-06T17:47:24.100Z" }, { "object_ref": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", "object_modified": "2022-05-06T17:47:24.216Z" }, { "object_ref": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", "object_modified": "2022-05-06T17:47:24.298Z" }, { "object_ref": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", "object_modified": "2022-05-06T17:47:24.268Z" }, { "object_ref": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", "object_modified": "2022-05-06T17:47:24.279Z" }, { "object_ref": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", "object_modified": 
"2022-05-06T17:47:24.218Z" }, { "object_ref": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", "object_modified": "2022-05-06T17:47:24.217Z" }, { "object_ref": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", "object_modified": "2022-05-06T17:47:24.123Z" }, { "object_ref": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", "object_modified": "2022-05-06T17:47:24.175Z" }, { "object_ref": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", "object_modified": "2022-05-06T17:47:24.126Z" }, { "object_ref": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", "object_modified": "2022-05-06T17:47:24.381Z" }, { "object_ref": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", "object_modified": "2022-05-06T17:47:24.125Z" }, { "object_ref": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", "object_modified": "2022-05-06T17:47:24.079Z" }, { "object_ref": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", "object_modified": "2022-05-06T17:47:24.156Z" }, { "object_ref": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", "object_modified": "2022-05-06T17:47:24.344Z" }, { "object_ref": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e", "object_modified": "2022-05-06T17:47:24.361Z" }, { "object_ref": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", "object_modified": "2022-05-06T17:47:24.304Z" }, { "object_ref": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", "object_modified": "2022-05-06T17:47:24.080Z" }, { "object_ref": 
"relationship--ab8e129c-5411-4784-9194-068fa915da23", "object_modified": "2022-05-06T17:47:24.291Z" }, { "object_ref": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", "object_modified": "2019-06-28T14:59:17.849Z" }, { "object_ref": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", "object_modified": "2022-05-06T17:47:24.111Z" }, { "object_ref": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", "object_modified": "2022-05-06T17:47:24.065Z" }, { "object_ref": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", "object_modified": "2022-05-06T17:47:24.188Z" }, { "object_ref": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", "object_modified": "2022-05-06T17:47:24.167Z" }, { "object_ref": "relationship--aed56362-d7b5-4ec9-9016-b727eafca04d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", "object_modified": "2022-05-06T17:47:24.133Z" }, { "object_ref": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", "object_modified": "2022-05-06T17:47:24.061Z" }, { "object_ref": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", "object_modified": "2022-05-06T17:47:24.142Z" }, { "object_ref": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", "object_modified": "2022-05-06T17:47:24.068Z" }, { "object_ref": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", "object_modified": 
"2022-05-06T17:47:24.228Z" }, { "object_ref": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", "object_modified": "2022-05-06T17:47:24.290Z" }, { "object_ref": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", "object_modified": "2022-05-06T17:47:24.385Z" }, { "object_ref": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", "object_modified": "2022-05-06T17:47:24.192Z" }, { "object_ref": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", "object_modified": "2022-05-06T17:47:24.239Z" }, { "object_ref": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", "object_modified": "2022-05-06T17:47:24.394Z" }, { "object_ref": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", "object_modified": "2022-02-28T17:02:50.401Z" }, { "object_ref": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", "object_modified": "2022-05-06T17:47:24.236Z" }, { "object_ref": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", "object_modified": "2022-05-06T17:47:24.393Z" }, { "object_ref": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e", "object_modified": "2022-05-06T17:47:24.062Z" }, { "object_ref": "relationship--b3e19503-8d9c-472c-8c1d-8564778052c1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", "object_modified": "2022-05-06T17:47:24.292Z" }, { "object_ref": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", "object_modified": "2022-05-06T17:47:24.143Z" }, { "object_ref": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", "object_modified": "2022-05-06T17:47:24.293Z" }, { "object_ref": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", "object_modified": "2022-05-06T17:47:24.143Z" }, { "object_ref": 
"relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", "object_modified": "2022-05-06T17:47:24.200Z" }, { "object_ref": "relationship--b5f94430-be03-43ed-97e1-0424d783073e", "object_modified": "2022-05-06T17:47:24.392Z" }, { "object_ref": "relationship--b628d878-4f35-4580-8d42-26984d13821e", "object_modified": "2022-05-06T17:47:24.143Z" }, { "object_ref": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", "object_modified": "2022-05-06T17:47:24.232Z" }, { "object_ref": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", "object_modified": "2022-05-06T17:47:24.128Z" }, { "object_ref": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", "object_modified": "2022-05-06T17:47:24.172Z" }, { "object_ref": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", "object_modified": "2022-05-06T17:47:24.134Z" }, { "object_ref": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", "object_modified": "2022-05-06T17:47:24.226Z" }, { "object_ref": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", "object_modified": "2022-05-06T17:47:24.097Z" }, { "object_ref": "relationship--b95967ff-27e6-41e8-bec4-e0ceefa7cc6c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", "object_modified": "2022-05-06T17:47:24.222Z" }, { "object_ref": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", "object_modified": "2022-05-06T17:47:24.091Z" }, { "object_ref": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", "object_modified": "2022-05-06T17:47:24.146Z" }, { "object_ref": "relationship--b9f77643-782c-4df0-9f29-81323d0c05d8", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", "object_modified": "2022-05-06T17:47:24.091Z" }, { "object_ref": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", "object_modified": "2022-05-06T17:47:24.184Z" }, { "object_ref": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", "object_modified": "2022-05-06T17:47:24.235Z" }, { "object_ref": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", "object_modified": "2022-05-06T17:47:24.222Z" }, { "object_ref": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", "object_modified": "2022-05-06T17:47:24.112Z" }, { "object_ref": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", "object_modified": "2022-05-06T17:47:24.328Z" }, { "object_ref": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", "object_modified": "2022-05-06T17:47:24.218Z" }, { "object_ref": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", "object_modified": "2022-05-06T17:47:24.214Z" }, { "object_ref": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", "object_modified": "2022-05-06T17:47:24.311Z" }, { "object_ref": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", "object_modified": "2022-05-06T17:47:24.203Z" }, { "object_ref": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", "object_modified": "2022-05-06T17:47:24.082Z" }, { "object_ref": "relationship--be532c78-daf5-431b-adae-ab11af395513", "object_modified": "2022-05-06T17:47:24.314Z" }, { "object_ref": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", "object_modified": "2022-05-06T17:47:24.073Z" }, { "object_ref": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", "object_modified": "2020-09-22T19:41:27.951Z" }, { "object_ref": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", "object_modified": "2022-05-06T17:47:24.183Z" }, { "object_ref": 
"relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", "object_modified": "2022-05-06T17:47:24.204Z" }, { "object_ref": "relationship--c26a9375-be67-4b21-b027-33812a76ed93", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", "object_modified": "2022-05-06T17:47:24.097Z" }, { "object_ref": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", "object_modified": "2022-05-06T17:47:24.265Z" }, { "object_ref": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", "object_modified": "2022-05-06T17:47:24.271Z" }, { "object_ref": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", "object_modified": "2022-05-06T17:47:24.376Z" }, { "object_ref": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", "object_modified": "2022-05-06T17:47:24.349Z" }, { "object_ref": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", "object_modified": "2022-03-17T15:07:01.055Z" }, { "object_ref": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", "object_modified": "2022-05-06T17:47:24.168Z" }, { "object_ref": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", "object_modified": "2022-05-06T17:47:24.147Z" }, { "object_ref": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", "object_modified": "2022-05-06T17:47:24.317Z" }, { "object_ref": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", "object_modified": "2022-05-06T17:47:24.070Z" }, { "object_ref": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", "object_modified": 
"2022-05-06T17:47:24.211Z" }, { "object_ref": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", "object_modified": "2022-05-06T17:47:24.132Z" }, { "object_ref": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", "object_modified": "2022-05-06T17:47:24.272Z" }, { "object_ref": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", "object_modified": "2022-05-06T17:47:24.186Z" }, { "object_ref": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562", "object_modified": "2022-05-06T17:47:24.174Z" }, { "object_ref": "relationship--c848b096-3703-4962-b8a2-57682e26f31b", "object_modified": "2022-05-06T17:47:24.389Z" }, { "object_ref": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", "object_modified": "2022-05-06T17:47:24.348Z" }, { "object_ref": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", "object_modified": "2022-05-06T17:47:24.212Z" }, { "object_ref": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", "object_modified": "2022-05-06T17:47:24.083Z" }, { "object_ref": "relationship--c9065f74-556d-4728-8072-f96642e70316", "object_modified": "2022-05-06T17:47:24.187Z" }, { "object_ref": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", "object_modified": "2022-05-06T17:47:24.308Z" }, { "object_ref": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", "object_modified": "2022-05-06T17:47:24.068Z" }, { "object_ref": "relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349", "object_modified": "2022-05-06T17:47:24.247Z" }, { "object_ref": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", "object_modified": "2022-05-06T17:47:24.282Z" }, { "object_ref": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972", "object_modified": "2022-05-06T17:47:24.105Z" }, { "object_ref": 
"relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", "object_modified": "2022-05-06T17:47:24.081Z" }, { "object_ref": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", "object_modified": "2022-05-06T17:47:24.105Z" }, { "object_ref": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", "object_modified": "2022-05-06T17:47:24.349Z" }, { "object_ref": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", "object_modified": "2021-10-04T20:54:09.057Z" }, { "object_ref": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", "object_modified": "2022-05-06T17:47:24.178Z" }, { "object_ref": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", "object_modified": "2022-05-06T17:47:24.321Z" }, { "object_ref": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", "object_modified": "2022-05-06T17:47:24.219Z" }, { "object_ref": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", "object_modified": "2022-05-06T17:47:24.146Z" }, { "object_ref": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", "object_modified": "2022-05-06T17:47:24.320Z" }, { "object_ref": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", "object_modified": "2022-05-06T17:47:24.338Z" }, { "object_ref": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", "object_modified": "2022-05-06T17:47:24.072Z" }, { "object_ref": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", "object_modified": "2022-02-28T17:02:50.467Z" }, { "object_ref": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", "object_modified": "2022-05-06T17:47:24.207Z" }, { "object_ref": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", "object_modified": "2022-05-06T17:47:24.216Z" }, { "object_ref": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", "object_modified": "2022-05-06T17:47:24.208Z" }, { "object_ref": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", "object_modified": "2022-05-06T17:47:24.141Z" }, { "object_ref": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", "object_modified": "2022-05-06T17:47:24.160Z" }, { "object_ref": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", "object_modified": "2022-05-06T17:47:24.086Z" }, { "object_ref": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", "object_modified": "2022-05-06T17:47:24.377Z" }, { "object_ref": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", "object_modified": "2022-05-06T17:47:24.227Z" }, { "object_ref": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--d464d443-6298-47eb-b767-8f1136f6b6b5", "object_modified": "2022-05-06T17:47:24.369Z" }, { "object_ref": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", "object_modified": "2021-12-07T18:39:07.922Z" }, { "object_ref": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", "object_modified": "2022-05-06T17:47:24.350Z" }, { "object_ref": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", "object_modified": "2022-05-06T17:47:24.209Z" }, { "object_ref": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", "object_modified": "2022-05-06T17:47:24.335Z" }, { "object_ref": "relationship--d73dd5b6-5c66-405c-831f-fc020cdb1df1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", "object_modified": "2022-05-06T17:47:24.257Z" }, { "object_ref": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", "object_modified": "2022-05-06T17:47:24.340Z" }, { "object_ref": 
"relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", "object_modified": "2022-05-06T17:47:24.208Z" }, { "object_ref": "relationship--d86e88d9-cfcb-4a0c-b60f-cb43afaf792d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", "object_modified": "2022-05-06T17:47:24.194Z" }, { "object_ref": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", "object_modified": "2022-05-06T17:47:24.249Z" }, { "object_ref": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", "object_modified": "2022-05-06T17:47:24.259Z" }, { "object_ref": "relationship--dadfed22-d70c-482b-9026-964396d75484", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--dbc7ce23-f51a-4f87-b024-8b9109b8bba7", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", "object_modified": "2022-05-06T17:47:24.170Z" }, { "object_ref": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", "object_modified": "2022-05-06T17:47:24.379Z" }, { "object_ref": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", "object_modified": "2022-05-06T17:47:24.124Z" }, { "object_ref": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", "object_modified": "2022-05-06T17:47:24.218Z" }, { "object_ref": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", "object_modified": "2022-05-06T17:47:24.137Z" }, { "object_ref": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", "object_modified": "2022-05-06T17:47:24.108Z" }, { "object_ref": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", "object_modified": "2022-05-06T17:47:24.168Z" }, { "object_ref": "relationship--df95c619-33ee-4484-934a-78857717323e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", "object_modified": 
"2022-04-15T22:05:32.209Z" }, { "object_ref": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", "object_modified": "2022-05-06T17:47:24.325Z" }, { "object_ref": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", "object_modified": "2022-05-06T17:47:24.227Z" }, { "object_ref": "relationship--e0aee02c-b424-4781-be10-793d71594c31", "object_modified": "2022-05-06T17:47:24.251Z" }, { "object_ref": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", "object_modified": "2022-05-06T17:47:24.123Z" }, { "object_ref": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e1fed66a-fa4e-4d65-abfb-b01e2744e6c9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e21525ba-bf4d-4b50-8833-61ac1dd32f4d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", "object_modified": "2022-05-06T17:47:24.318Z" }, { "object_ref": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", "object_modified": "2022-05-06T17:47:24.307Z" }, { "object_ref": "relationship--e32f18e1-f88f-4af7-a798-0774bb646ab2", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", "object_modified": "2022-05-06T17:47:24.106Z" }, { "object_ref": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", "object_modified": "2022-05-06T17:47:24.087Z" }, { "object_ref": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", "object_modified": "2022-05-06T17:47:24.154Z" }, { "object_ref": 
"relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", "object_modified": "2022-05-06T17:47:24.081Z" }, { "object_ref": "relationship--e6f65513-facb-4e55-82e4-1d012a7173ec", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", "object_modified": "2022-05-06T17:47:24.109Z" }, { "object_ref": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", "object_modified": "2022-05-06T17:47:24.097Z" }, { "object_ref": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", "object_modified": "2022-05-06T17:47:24.104Z" }, { "object_ref": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", "object_modified": "2022-05-06T17:47:24.088Z" }, { "object_ref": "relationship--e95531d9-93df-46be-a580-21b0c571186a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", "object_modified": "2020-05-15T19:15:35.568Z" }, { "object_ref": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", "object_modified": "2022-05-06T17:47:24.336Z" }, { "object_ref": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ea7c032f-da08-4c6f-b74e-0565dc5be02e", "object_modified": "2022-05-06T17:47:24.287Z" }, { "object_ref": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", "object_modified": "2022-05-06T17:47:24.230Z" }, { "object_ref": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", "object_modified": "2022-05-06T17:47:24.101Z" }, { "object_ref": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", "object_modified": "2022-05-06T17:47:24.331Z" }, { "object_ref": "relationship--eaffb916-14cc-4c88-a943-0e6402ccc9e1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", "object_modified": 
"2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", "object_modified": "2022-05-06T17:47:24.389Z" }, { "object_ref": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", "object_modified": "2022-05-06T17:47:24.175Z" }, { "object_ref": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", "object_modified": "2022-05-06T17:47:24.177Z" }, { "object_ref": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", "object_modified": "2022-05-06T17:47:24.139Z" }, { "object_ref": "relationship--ed432378-62bc-433c-b61b-6d87997c33f4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", "object_modified": "2022-05-06T17:47:24.258Z" }, { "object_ref": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", "object_modified": "2022-05-06T17:47:24.306Z" }, { "object_ref": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", "object_modified": "2022-05-06T17:47:24.260Z" }, { "object_ref": "relationship--ee3309e1-12fb-4f5e-8fe6-6426cca19811", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", "object_modified": "2022-05-06T17:47:24.065Z" }, { "object_ref": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", "object_modified": "2022-05-06T17:47:24.140Z" }, { "object_ref": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", "object_modified": "2022-05-06T17:47:24.231Z" }, { "object_ref": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", "object_modified": "2022-05-06T17:47:24.076Z" }, { "object_ref": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", "object_modified": "2022-05-06T17:47:24.360Z" }, { "object_ref": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", "object_modified": "2022-05-06T17:47:24.109Z" }, { "object_ref": 
"relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", "object_modified": "2022-05-06T17:47:24.160Z" }, { "object_ref": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", "object_modified": "2022-05-06T17:47:24.316Z" }, { "object_ref": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", "object_modified": "2022-05-06T17:47:24.189Z" }, { "object_ref": "relationship--f130282b-f681-455f-966b-55829842be92", "object_modified": "2022-05-06T17:47:24.328Z" }, { "object_ref": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", "object_modified": "2022-05-06T17:47:24.065Z" }, { "object_ref": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", "object_modified": "2022-05-06T17:47:24.150Z" }, { "object_ref": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", "object_modified": "2022-05-06T17:47:24.323Z" }, { "object_ref": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f2e9ed5f-e92c-4964-8e9d-1a02e7da2728", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f347b4fe-d829-427d-851a-fff3393441db", "object_modified": "2022-05-06T17:47:24.280Z" }, { "object_ref": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", "object_modified": "2022-05-06T17:47:24.118Z" }, { "object_ref": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", "object_modified": "2022-05-06T17:47:24.180Z" }, { "object_ref": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", "object_modified": "2022-05-06T17:47:24.091Z" }, { "object_ref": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", "object_modified": 
"2022-05-06T17:47:24.346Z" }, { "object_ref": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", "object_modified": "2022-05-06T17:47:24.378Z" }, { "object_ref": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd", "object_modified": "2022-05-06T17:47:24.361Z" }, { "object_ref": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", "object_modified": "2022-05-06T17:47:24.139Z" }, { "object_ref": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", "object_modified": "2022-05-06T17:47:24.147Z" }, { "object_ref": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", "object_modified": "2022-05-06T17:47:24.375Z" }, { "object_ref": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", "object_modified": "2022-05-06T17:47:24.104Z" }, { "object_ref": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f951d934-d555-45e9-a564-27b84518cae4", "object_modified": "2022-05-06T17:47:24.070Z" }, { "object_ref": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", "object_modified": "2022-05-06T17:47:24.185Z" }, { "object_ref": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", "object_modified": "2022-05-06T17:47:24.184Z" }, { "object_ref": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", "object_modified": "2022-05-06T17:47:24.175Z" }, { "object_ref": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--fc1ebb31-4e15-4638-8706-00505ba00b9a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": 
"relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", "object_modified": "2022-05-06T17:47:24.351Z" }, { "object_ref": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", "object_modified": "2022-05-06T17:47:24.111Z" }, { "object_ref": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", "object_modified": "2022-05-06T17:47:24.106Z" }, { "object_ref": "relationship--fd856176-396c-4121-9754-35e49bfa5758", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", "object_modified": "2022-05-06T17:47:24.060Z" }, { "object_ref": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", "object_modified": "2022-05-06T17:47:24.257Z" }, { "object_ref": "relationship--ffc80065-cd83-4536-89d7-fe80ab5a5ad4", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": 
"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", 
"object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", "object_modified": "2022-03-30T14:26:51.807Z" }, { "object_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "object_modified": "2022-05-11T14:00:00.188Z" }, { "object_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "object_modified": "2021-11-10T09:30:48.698Z" }, { "object_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", "object_modified": "2022-05-11T14:00:00.188Z" }, { "object_ref": 
"x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "object_modified": "2022-03-30T14:26:51.805Z" }, { "object_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "object_modified": "2022-04-21T14:50:59.123Z" }, { "object_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "object_modified": "2022-03-30T14:26:51.804Z" }, { "object_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "object_modified": "2022-04-20T18:09:26.646Z" }, { "object_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", "object_modified": "2022-03-30T14:26:51.806Z" }, { "object_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "object_modified": "2022-03-30T14:26:51.806Z" }, { "object_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "object_modified": "2022-03-30T14:26:51.806Z" }, { "object_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", "object_modified": "2022-03-30T14:26:51.805Z" }, { "object_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "object_modified": "2022-03-30T14:26:51.807Z" }, { "object_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "object_modified": "2022-03-30T14:26:51.806Z" }, { "object_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", "object_modified": "2022-03-30T14:26:51.806Z" }, { "object_ref": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", "object_modified": "2022-05-23T21:37:22.752Z" }, { "object_ref": "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": 
"x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", "object_modified": "2022-05-06T17:47:24.395Z" }, { "object_ref": "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", "object_modified": "2022-05-06T17:47:24.395Z" }, { "object_ref": "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", "object_modified": "2022-05-06T17:47:24.396Z" }, { "object_ref": "relationship--1244a56a-1faf-4898-9f2f-fda78b665276", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--39c957e3-f89b-4b41-93af-bde08f00ce36", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--5fe3f0a3-1330-4b51-be17-b38a54b6e605", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--710999e7-8f0d-4028-b42b-5cfb7d9cb031", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--866774a2-ce03-4682-ab7e-b9570adb093b", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--86ce5a6d-18da-4631-b6d6-7b22f2de5152", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", "object_modified": "2022-05-24T14:00:00.188Z" }, { "object_ref": "relationship--533175a0-7555-4342-a461-1ab1cd183b31", "object_modified": "2022-05-11T14:00:00.188Z" }, { "object_ref": "relationship--00f7ecba-7692-4b7f-b9d8-193c67b11ccc", "object_modified": 
"2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--05ac3316-a770-4c5d-b164-3494590395dd", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--12e936f4-cd52-40b2-8463-b76827649ebb", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--1ef966c6-36e0-4952-971f-cf9dee711478", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--21811a5f-75c3-447e-98f6-0431b4de124d", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--2cacc971-b132-47a2-a7b6-94900bb6983c", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--2da5cf39-7937-4ed3-b847-cb1926e6a4a5", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--2e1d172e-709b-4a30-8949-9494ccb7a2a9", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--3a73f450-a73a-4202-bf40-f1ec168d2ca6", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--425c5160-17e0-44eb-9f4b-1a8e216b56a2", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--430f0cb6-26aa-4bb6-b0f5-f1a5f6b3bdff", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--4798d35e-5df7-4f9c-b5bd-354669aecf2c", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--50c20ad6-d88f-467a-954b-cc469f1723e6", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--515914bd-654c-43b7-888f-8d755b961fba", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--5258c355-677c-452d-b1fc-27767232437b", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--53e6cf7c-e60b-4b83-8bb4-c0266e8a0c94", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--5445c04b-f792-4850-aaa7-d643998b240d", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": 
"relationship--58ac6d42-857e-43e7-a21e-6c226ec35960", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--5da973cf-d956-4bbe-890d-34fc4c28040c", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--61d4d944-a75f-4830-9199-937658b9bec9", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--62f3f530-59ed-4f7e-8647-c05d4363d9d4", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--63351c36-80ca-4937-9a49-e6319d14c215", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--6727e45e-1c65-4420-9ff6-f378ed9a1874", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--6a8e92be-1ab0-4cac-9ca9-9d14a870ecd9", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--6d2b684a-4e72-46ee-a8ad-4fe30b5ed20c", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--6d36ad87-7dbd-47ec-9d5d-9e5f5c3df896", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--6ef54ce4-bbbc-47c8-9e2a-c41cfe3db6c1", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--86fe184d-1dda-481a-ab33-8ee1707cd388", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--8d4c346b-5da0-4c93-aca6-cba15fd532f2", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--a0b4fb40-7bee-4cf2-9be6-5e3a0ea40f71", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--b233e131-e448-46c6-815b-b86e4bd6d638", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--b9c2c589-b5c6-4231-982f-cae0aa41f349", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--c4307cc3-871b-4043-8a23-2a2e8b265df7", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--c9965454-2b58-4438-bcce-473bf1cc98cd", "object_modified": 
"2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--ce5b0067-64d8-4b1e-b0b8-e09dec5cb721", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--f15f6e89-ad73-4962-ba7b-81d060ae3aa3", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--f374ce58-fd26-4177-897e-a2b81c3e522c", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--f465566c-e8ef-4b1f-bdfb-b392c08b7840", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--f6084bd2-06a2-4891-95ab-1fb246c9881a", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--f6a2e31d-a2e1-460d-9fb4-e94770f54cbd", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--f85f342c-ec0f-4fc5-b188-b633963ea78e", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--ff87ed0a-87bd-46cb-aacc-19c439250923", "object_modified": "2022-04-25T14:00:00.188Z" }, { "object_ref": "relationship--29412608-a184-4ac3-9ee6-bd2d5063bf0d", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "relationship--9887bb6b-3dce-4553-99cb-e901997b3e4c", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "relationship--d59a9843-bc7b-4309-9cfb-226f7cd1b14c", "object_modified": "2021-10-21T14:00:00.188Z" }, { "object_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", "object_modified": "2019-06-10T20:46:02.263Z" }, { "object_ref": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266", "object_modified": "2020-07-14T22:22:06.356Z" }, { "object_ref": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f", "object_modified": "2020-06-09T20:51:00.027Z" }, { "object_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "object_modified": "2020-06-20T20:46:36.342Z" }, { "object_ref": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", "object_modified": "2019-06-06T20:52:59.206Z" }, { "object_ref": 
"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "object_modified": "2018-10-17T00:14:20.652Z" }, { "object_ref": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264", "object_modified": "2020-06-09T20:48:12.326Z" }, { "object_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", "object_modified": "2020-10-21T19:08:13.228Z" }, { "object_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", "object_modified": "2020-06-19T16:50:45.681Z" }, { "object_ref": "course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b", "object_modified": "2020-03-31T13:11:28.201Z" }, { "object_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", "object_modified": "2022-02-28T19:50:41.210Z" }, { "object_ref": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", "object_modified": "2020-05-20T13:12:02.881Z" }, { "object_ref": "course-of-action--7bb5fae9-53ad-4424-866b-f0ea2a8b731d", "object_modified": "2019-06-06T20:15:34.146Z" }, { "object_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", "object_modified": "2020-05-19T12:28:50.603Z" }, { "object_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "object_modified": "2020-05-14T13:05:39.500Z" }, { "object_ref": "course-of-action--874c0166-e407-45c2-a1d9-e4e3a6570fd8", "object_modified": "2019-06-06T19:55:50.927Z" }, { "object_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", "object_modified": "2019-06-06T21:10:35.792Z" }, { "object_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", "object_modified": "2020-05-20T13:49:12.270Z" }, { "object_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448", "object_modified": "2020-05-20T15:12:39.136Z" }, { "object_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", "object_modified": "2020-03-31T13:08:36.655Z" }, { "object_ref": "course-of-action--a2c36a5d-4058-475e-8e77-fff75e50d3b9", "object_modified": "2019-06-06T20:58:59.577Z" }, { "object_ref": 
"course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9", "object_modified": "2020-03-31T13:07:15.684Z" }, { "object_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", "object_modified": "2019-06-10T20:53:36.319Z" }, { "object_ref": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", "object_modified": "2020-03-31T13:11:09.471Z" }, { "object_ref": "course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463", "object_modified": "2020-03-31T13:08:03.851Z" }, { "object_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "object_modified": "2020-11-19T20:44:07.442Z" }, { "object_ref": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3", "object_modified": "2020-06-20T20:22:55.938Z" }, { "object_ref": "course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462", "object_modified": "2020-05-29T16:34:40.344Z" }, { "object_ref": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b", "object_modified": "2020-07-07T12:42:39.005Z" }, { "object_ref": "course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff", "object_modified": "2019-06-11T17:00:01.740Z" }, { "object_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", "object_modified": "2020-03-31T13:12:04.776Z" }, { "object_ref": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", "object_modified": "2019-06-13T16:07:21.233Z" }, { "object_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", "object_modified": "2019-06-11T16:43:44.834Z" }, { "object_ref": "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", "object_modified": "2021-10-12T23:23:16.109Z" }, { "object_ref": "relationship--02547978-3323-4291-827e-081d0ca650d8", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--06659568-4206-415a-bf77-e412dd657ab1", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--06d273d4-3110-4bb2-8caf-89d691e1abad", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": 
"relationship--0810db31-f49e-4bfd-b40a-19dc84527bca", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--09ef0e68-c9b4-4cca-aa25-e65137e8f63a", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--1013a29f-70b5-4fda-a510-2c3477618d62", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--15ee5b5e-2b62-45f8-82c0-1bee67ba07f9", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--1964c6f5-7c11-42e7-ad3c-e9bf8d70ae54", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--1c066ecf-c728-4002-8618-8167216d23cf", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--2367a5b7-a562-462f-9d6f-c42617f2ba9d", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--2c2a7347-94de-4e83-a50e-1a4bbd4db17b", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--2ee703c3-c9de-4b7c-99f6-3849b257b438", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--31c21f43-4609-49cc-a49a-f013e7ccc69f", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--33be9511-60ea-4142-930f-15a00a4448b9", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--3427eddf-7846-4e52-8339-0f38e60a2d03", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--3cf93229-fb60-4fc1-9edd-3e0a0c0b2302", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--3e8cb54b-323a-4858-bbb3-a3944339eefa", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--438229aa-e593-4eb6-961e-2d82c429edf8", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--4e1e2ce9-5935-4890-8466-b9683fc38ec8", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--57067f2e-eba2-4b39-b154-2bd142485c44", "object_modified": 
"2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--611c859a-4347-4dbc-a3fd-ad47b2384f78", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--64e11c1c-64fb-41df-bf0a-c874616b1412", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--694de87e-7ecb-453c-a7b7-5690631b4026", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--701f66f4-2267-4c22-85f4-81391953289a", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--81f8bb8b-7372-47ad-b030-1ea977d5372d", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--831b01b1-f005-4705-b052-bb50e7bf0338", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--85a55000-f88e-4331-9dad-0fa779d9a52e", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--8df73177-cb78-41fa-9102-266838100665", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--8e779618-146f-4219-9b50-a4ceca6b2210", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--8f5d517c-b1ba-4848-92ad-f5a4355b3898", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--8f7dcde0-03a5-4f13-a728-67a43429b45e", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--94a27526-f76b-4a64-8c9a-71f09e6fd9d4", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--9f010e39-922a-4f20-9dd9-98f4178c5263", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--a0974da1-6122-477c-9c3c-f46aa64470e6", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--a36e7ebf-d667-4f16-b3d4-cb241e15c9d0", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--a4ead3e8-f1ce-4d8e-a801-cb20f8e241e3", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": 
"relationship--a7c31dc3-1ea7-4f7a-baa0-26be762c2af1", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--afc04523-f7df-4067-9fcb-e7e25f0b5b03", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--afcfced0-8e9f-4e6a-870e-0d095f878aa2", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--bdbbcf46-58de-47ec-a6e1-a46689b303cf", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--be5a616f-473e-4a21-92fd-b9aa6f555232", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--c6c28b76-7a31-4668-ad25-933a1b52f312", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--c790953b-62a5-4ded-b31c-b0825329ad2e", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--c8a72fcd-dc9f-4303-994b-347b6d9e44b3", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--c8e8dbd1-965d-4507-8549-84063d0890b5", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--d2b3dc96-7adb-4d38-b3cf-b448535ffa60", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--d5359d6f-776d-4c82-8990-f7578834dbf1", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--d598f3d0-a4b1-4a6c-9aa6-990e4a2c2912", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--d698b63a-b7ce-4303-b5b0-fcca4450074d", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--d72ebee3-0747-47e6-b300-2138dbfaf01e", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--d9bed8cf-8d1e-46cb-bd6d-b0266a1b0010", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--dcb74406-f7b2-4eae-8da7-07ad5a3c99d6", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--e02a41f2-73b9-4cf9-820a-23156bf697e5", "object_modified": 
"2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--e05d8fc1-fd50-4a78-ae2f-41fcba913fc1", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--e4007011-03a8-44f5-be65-f4bc924beb97", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--eaec9abc-730e-4dda-92db-e289f6bccf7b", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--f13cf1cc-dfbd-4da1-9201-f9e8dccbc7a6", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--f2a47999-6d07-442f-a202-7ee345f41465", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--f3a55817-63f1-4370-93d0-a9e1fbe245e6", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--f80cb0ae-96e7-4425-b9de-b8835a45e45b", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--f836cab1-6c45-4ede-a220-40f88a80a14e", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--fc786a05-2ad9-4c3c-a4c4-b85cd12ded88", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--ff5f3c74-f511-4112-beed-e7419342bc44", "object_modified": "2021-04-29T14:49:39.188Z" }, { "object_ref": "relationship--90818d25-6ece-4035-aece-62e489abef7d", "object_modified": "2020-11-12T14:49:39.188Z" } ] }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Device Configuration/Parameters" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.891Z", "name": "Block Command Message", "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. 
In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0803", "external_id": "T0803" }, { "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" }, { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Connection Creation", "Application Log: Application Log Content", "Process: Process Termination", "Operational Databases: Process History/Live Data", "Operational Databases: Process/Event Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server", "Data Historian", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.978Z", "name": "Service Stop", "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0881", "external_id": "T0881" }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Service Stop Retrieved. 
2019/10/29 ", "url": "https://attack.mitre.org/techniques/T1489/" }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ", "url": "https://attack.mitre.org/techniques/T1489/" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Modification", "Process: OS API Execution", "Process: Process Creation", "Process: Process Termination", "Service: Service Metadata", "Windows Registry: Windows Registry Key Modification" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0836", "url": "https://attack.mitre.org/techniques/T0836" }, { "source_name": "Marshall Abrams July 2008", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 " }, { "source_name": "Pinellas County Sheriffs Office February 2021", "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M", "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may modify parameters used to instruct industrial control system devices. 
These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. \n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Marshall Abrams July 2008) \n\nIn the Oldsmar water treatment attack, adversaries raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels. 
(Citation: Pinellas County Sheriffs Office February 2021)", "modified": "2022-05-24T12:09:05.073Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify Parameter", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Device Alarm", "Asset: Device Configuration/Parameters" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:23.950Z", "name": "Modify Controller Tasking", "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. According to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. Tasks have properties, such as interval, frequency and priority to meet the requirements of program execution. 
Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0821", "external_id": "T0821" }, { "source_name": "IEC February 2013", "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", "url": "https://webstore.iec.ch/publication/4552" } ], "x_mitre_data_sources": [ "File: File Modification", "Asset: Software/Firmware" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "ICSCoE Japan" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.997Z", "name": "Wireless Sniffing", "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 
April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. Adversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) In the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0887", "external_id": "T0887" }, { "source_name": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018", "description": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 
2020/12/01 ", "url": "https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf" }, { "source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" }, { "source_name": "Gallagher, S. April 2017", "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 2020/12/01 ", "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/" }, { "source_name": "Gallagher, S. April 2017", "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 2020/12/01 ", "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.940Z", "name": "Loss of View", "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. 
(Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0829", "external_id": "T0829" }, { "source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" }, { "source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" }, { "source_name": "Tyson Macaulay", "description": "Tyson Macaulay RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 
2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Joe Slowik - Dragos" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.886Z", "name": "Activate Firmware Update Mode", "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. 
By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0800", "external_id": "T0800" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Device Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0831", "url": "https://attack.mitre.org/techniques/T0831" }, { "source_name": "Bruce Schneier January 2008", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 " }, { "source_name": "John Bill May 2017", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 " }, { "source_name": "Shelley Smith February 2008", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may manipulate physical process control within the industrial environment. 
Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. 
(Citation: Bruce Schneier January 2008)", "modified": "2022-05-24T14:57:44.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Manipulation of Control", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.911Z", "name": "Denial of Service", "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. 
(Citation: ICS-CERT April 2017) Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a T1023 or denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) In the Maroochy attack, the adversary was able to shut an investigator out of the network. (Citation: Marshall Abrams July 2008)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0814", "external_id": "T0814" }, { "source_name": "ICS-CERT April 2017", "description": "ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24 ", "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A" }, { "source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01" }, { "source_name": "Common Weakness Enumeration January 2019", "description": "Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 
2019/03/14 ", "url": "http://cwe.mitre.org/data/definitions/400.html" }, { "source_name": "MITRE March 2018", "description": "MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 ", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5374" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", "Operational Databases: Process History/Live Data" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Input/Output Server", "Device Configuration/Parameters" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.892Z", "name": "Block Serial COM", "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. 
One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0805", "external_id": "T0805" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Connection Creation", "Application Log: Application Log Content", "Process: Process Termination", "Operational Databases: Process History/Live Data", "Operational Databases: Process/Event Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Human-Machine Interface", "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Role Identification", "description": "Adversaries may perform role 
identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. 
Understanding of master devices and their role within control processes can enable the use of Rogue Master Device", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0850", "external_id": "T0850" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.898Z", "name": "Command-Line Interface", "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. 
Many controllers have CLI interfaces for management purposes.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0807", "external_id": "T0807" }, { "source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1059" } ], "x_mitre_data_sources": [ "Command: Command Execution", "Process: Process Creation", "Module: Module Load", "Process: Process Creation", "Script: Script Execution" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Data Historian", "Control Server", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Jos Wetzels - Midnight Blue" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.960Z", "name": "Point & Tag Identification", "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. 
Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0861", "external_id": "T0861" }, { "source_name": "Dennis L. Sloatman September 2016", "description": "Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ", "url": "https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database-system" }, { "source_name": "Benjamin Green", "description": "Benjamin Green On the Significance of Process Comprehension for Conducting Targeted ICS Attacks Retrieved. 2019/11/01 ", "url": "http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.917Z", "name": "Device Restart/Shutdown", "description": "Adversaries may forcibly restart or shut down a device in an ICS environment to disrupt and potentially negatively impact physical processes. 
Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands. Unexpected restart or shutdown of control system devices may prevent expected response functions from happening during critical states. A device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0816", "external_id": "T0816" }, { "source_name": "Research - Research - Taxonomy Cyber Attacks on SCADA", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. Retrieved January 12, 2018.", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" }, { "source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", "url": "https://ics.sans.org/media/E-ISAC%20SANS%20Ukraine%20DUC%205.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Device Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "User Execution", "description": "Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or Visual Basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0863", "external_id": "T0863" }, { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" }, { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" }, { "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 
2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Command: Command Execution", "File: File Creation", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Content", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Field Controller/RTU/PLC/IED", "Input/Output Server" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Scott Dougherty" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.995Z", "name": "Wireless Compromise", "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A joint case study on the Maroochy Shire Water Services event examined the attack from a cyber security perspective. (Citation: Marshall Abrams July 2008) The adversary disrupted Maroochy Shire's radio-controlled sewage system by driving around with stolen radio equipment and issuing commands with them. 
Boden used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0860", "external_id": "T0860" }, { "source_name": "Alexander Bolshev, Gleb Cherbov July 2014", "description": "Alexander Bolshev, Gleb Cherbov 2014, July 08 ICSCorsair: How I will PWN your ERP through 4-20 mA current loop Retrieved. 2020/01/05 ", "url": "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf" }, { "source_name": "Alexander Bolshev March 2014", "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ", "url": "https://www.slideshare.net/dgpeters/17-bolshev-1-13" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" }, { "source_name": "John Bill May 2017", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 
2019/10/17 ", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" }, { "source_name": "Shelley Smith February 2008", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" }, { "source_name": "Bruce Schneier January 2008", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" }, { "source_name": "John Bill May 2017", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Application Log: Application Log Content", "Logon Session: Logon Session Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0858", "url": "https://attack.mitre.org/techniques/T0858" }, { "source_name": "Machine Information Systems 2007", "url": "http://www.machine-information-systems.com/How_PLCs_Work.html", "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 " }, { "source_name": "N.A. 
October 2017", "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489", "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 " }, { "source_name": "Omron", "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.", "description": "Omron PLC Different Operating Modes Retrieved. 2021/01/28 " }, { "source_name": "PLCgurus 2021", "url": "https://www.plcgurus.net/plc-basics/", "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as [Program Download](https://attack.mitre.org/techniques/T0843). Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controller's API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller's API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a device's program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC's logic is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the device's program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program's logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. 
(Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "modified": "2022-05-24T11:42:52.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Change Operating Mode", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "evasion-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Device Alarm" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Device Configuration/Parameters" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Marina Krotofil", "Jos Wetzels - Midnight Blue" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": 
"2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.889Z", "name": "Alarm Suppression", "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. (Citation: Marshall Abrams July 2008) A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: * An alarm raised by a protocol message * An alarm signaled with I/O * An alarm bit set in a flag (and read) In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0878", "external_id": "T0878" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" }, { "source_name": "Jos Wetzels, Marina Krotofil 2019", "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" }, { "source_name": "Jos Wetzels, Marina Krotofil 2019", "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Process History/Live Data", "Operational Databases: Process/Event Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0868", "url": "https://attack.mitre.org/techniques/T0868" }, { "source_name": "Machine Information Systems 2007", "url": "http://www.machine-information-systems.com/How_PLCs_Work.html", "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 " }, { "source_name": "N.A. October 2017", "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489", "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 
2021/01/28 " }, { "source_name": "Omron", "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.", "description": "Omron PLC Different Operating Modes Retrieved. 2021/01/28 " }, { "source_name": "PLCgurus 2021", "url": "https://www.plcgurus.net/plc-basics/", "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may gather information about a PLC's or controller's current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a device's program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC's logic is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the device's program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program's logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLC's operation mode. 
(Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "modified": "2022-05-24T11:48:05.134Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Detect Operating Mode", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T07:57:26.506Z", "modified": "2022-05-06T17:47:23.938Z", "name": "Loss of Protection", "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. Many faults and abnormal conditions in process control happen too quickly for a human operator to react to. 
Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. Adversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0837", "external_id": "T0837" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.955Z", "name": "Monitor Process State", "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. 
The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0801", "external_id": "T0801" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.977Z", "name": "Scripting", "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. 
In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0853", "external_id": "T0853" } ], "x_mitre_data_sources": [ "Command: Command Execution", "Module: Module Load", "Process: Process Creation", "Script: Script Execution" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:23.968Z", "name": "Remote System Information Discovery", "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. 
Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the systems API.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0888", "external_id": "T0888" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.960Z", "name": "Program Upload", "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. 
This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0845", "external_id": "T0845" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.919Z", "name": "Exploit Public-Facing Application", "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an asset's operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility. An adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. 
Exposed control protocol or remote access ports found in Commonly Used Port may be of interest to adversaries.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0819", "external_id": "T0819" }, { "source_name": "ICS CERT 14-281", "description": "ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.", "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Engineering Workstation", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Data from Information Repositories", "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS. 
(Citation: Cybersecurity & Infrastructure Security Agency March 2018) Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against oil and natural gas (ONG) organizations, Chinese state-sponsored actors searched document repositories for specific information such as system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0811", "external_id": "T0811" }, { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" }, { "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 
2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Logon Session: Logon Session Creation", "File: File Access" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T15:25:32.143Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Transient Cyber Asset", "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. 
Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. (Citation: Marshall Abrams July 2008)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0864", "external_id": "T0864" }, { "source_name": "North American Electric Reliability Corporation June 2021", "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", "url": "https://www.nerc.com/files/glossary_of_terms.pdf" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.943Z", "name": "Manipulate I/O Image", "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0835", "external_id": "T0835" }, { "source_name": "Dr. 
Kelvin T. Erickson December 2010", "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ", "url": "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/" }, { "source_name": "Nanjundaiah, Vaidyanath", "description": "Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ", "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" } ], "x_mitre_data_sources": [ "Operational Databases: Process History/Live Data", "Operational Databases: Device Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.958Z", "name": "Network Sniffing", "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. 
User credentials may be sent over an unencrypted protocol, such as [https://tools.ietf.org/html/rfc854 Telnet], that can be captured and obtained through network packet analysis. In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0842", "external_id": "T0842" }, { "source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1040" } ], "x_mitre_data_sources": [ "Command: Command Execution", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0851", "url": "https://attack.mitre.org/techniques/T0851" }, { "source_name": "Enterprise ATT&CK January 2018", "url": "https://attack.mitre.org/wiki/Technique/T1014", "description": "Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 2018/05/16 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. 
Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O modules that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", "modified": "2022-05-24T12:13:28.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Rootkit", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "evasion-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Drive: Drive Modification", "Firmware: Firmware Modification", "Module: Module Load" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Control Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": 
"2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.889Z", "name": "Automated Collection", "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0802", "external_id": "T0802" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Access", "Script: Script Execution", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Input/Output Server", "Device Configuration/Parameters" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.892Z", "name": "Block Reporting Message", "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. 
Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0804", "external_id": "T0804" }, { "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" }, { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Connection Creation", "Application Log: Application Log Content", "Process: Process Termination", "Operational Databases: Process History/Live Data", "Operational Databases: Process/Event Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0855", "url": "https://attack.mitre.org/techniques/T0855" }, { "source_name": "Benjamin Freed March 2019", "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/", "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 " }, { "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 " }, { "source_name": "Marshall Abrams July 2008", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 " }, { "source_name": "Zack Whittaker April 2017", "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/", "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nIn the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. (Citation: Marshall Abrams July 2008) \n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. 
(Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", "modified": "2022-05-24T12:18:48.810Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Unauthorized Command Message", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Process History/Live Data", "Operational Databases: Process/Event Alarm" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Human-Machine Interface", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Matan Dobrushin - Otorio" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.904Z", "name": "Data Destruction", "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018) Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. 
An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0809", "external_id": "T0809" }, { "source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1107" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Deletion", "File: File Modification", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.947Z", "name": "Manipulation of View", "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. 
Lee) (Citation: Tyson Macaulay) Operators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0832", "external_id": "T0832" }, { "source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" }, { "source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" }, { "source_name": "Tyson Macaulay", "description": "Tyson Macaulay RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 
2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Joe Slowik - Dragos" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:24.397Z", "name": "Data Historian Compromise", "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. 
Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0810", "external_id": "T0810" }, { "source_name": "Industroyer - Dragos - 201810", "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_deprecated": true, "x_mitre_permissions_required": [ "Administrator" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Network Service Scanning", "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. 
This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to other discovery techniques.\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0841", "external_id": "T0841" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.927Z", "name": "Indicator Removal on Host", "description": "Adversaries may attempt to remove indicators of their presence on a 
system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "evasion-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0872", "external_id": "T0872" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Deletion", "File: File Metadata", "File: File Modification", "Network Traffic: Network Traffic Content", "Process: OS API Execution", "Process: Process Creation", "User Account: User Account Authentication", "Windows Registry: Windows Registry Key Deletion", "Windows Registry: Windows Registry Key Modification" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.927Z", "name": "I/O Image", "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. 
The Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) Adversaries may collect the I/O Image state of a PLC by utilizing a device's [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLC's I/O state could be used to replace values or inform future stages of an attack.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0877", "external_id": "T0877" }, { "source_name": "Nanjundaiah, Vaidyanath", "description": "Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ", "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" }, { "source_name": "Spenneberg, Ralf 2016", "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf" } ], "x_mitre_data_sources": [ "Asset: Software/Firmware" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.912Z", "name": "Denial of View", "description": "Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. 
This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0815", "external_id": "T0815" }, { "source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" }, { "source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" }, { "source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 
2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.918Z", "name": "Execution through API", "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. 
Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0871", "external_id": "T0871" } ], "x_mitre_data_sources": [ "Module: Module Load", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.983Z", "name": "Supply Chain Compromise", "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. Supply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. 
This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. Counterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) Yokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0862", "external_id": "T0862" }, { "source_name": "Control Global May 2019", "description": "Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 
2021/04/09 ", "url": "https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/" }, { "source_name": "Control Global May 2019", "description": "Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 2021/04/09 ", "url": "https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/" }, { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" }, { "source_name": "F-Secure Labs June 2014", "description": "F-Secure Labs 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/10/21 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Input/Output Server", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Serial Connection Enumeration", "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. 
Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0854", "external_id": "T0854" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.939Z", "name": "Loss of Safety", "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. Many unsafe conditions in process control happen too quickly for a human operator to react to. 
Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. Adversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditions to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0880", "external_id": "T0880" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.938Z", "name": "Loss of Productivity and Revenue", "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. 
The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. A ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) In the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0828", "external_id": "T0828" }, { "source_name": "Paganini, Pierluigi June 2020", "description": "Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 2021/10/08 ", "url": "https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html" }, { "source_name": "Paganini, Pierluigi June 2020", "description": "Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 2021/10/08 ", "url": "https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html" }, { "source_name": "Lion Corporation June 2020", "description": "Lion Corporation 2020, June 26 Lion Cyber incident update: 26 June 2020 Retrieved. 2021/10/08 ", "url": "https://lionco.com/2020/06/26/lion-update-re-cyber-issue/" }, { "source_name": "Colonial Pipeline Company May 2021", "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 
2021/10/08 ", "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface", "Control Server", "Data Historian" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Spearphishing Attachment", "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0865", "external_id": "T0865" }, { "source_name": "Enterprise ATT&CK October 2019", "description": "Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25 ", "url": "https://attack.mitre.org/techniques/T1193/" }, { "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Control Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Location Identification", "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. 
An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary's attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0825", "external_id": "T0825" }, { "source_name": "Guidance - NIST SP800-82", "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. 
Retrieved March 28, 2018.", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.918Z", "name": "Drive-by Compromise", "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. 
Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0817", "external_id": "T0817" }, { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "File: File Creation", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Content", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Damage to Property", "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. 
Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers. (Citation: Marshall Abrams July 2008) A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. 
(Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0879", "external_id": "T0879" }, { "source_name": "BSI State of IT Security 2014", "description": "Bundesamt für Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" }, { "source_name": "John Bill May 2017", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" }, { "source_name": "Shelley Smith February 2008", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" }, { "source_name": "Bruce Schneier January 2008", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 
2019/10/17 ", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" }, { "source_name": "Shelley Smith February 2008", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" }, { "source_name": "Bruce Schneier January 2008", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.981Z", "name": "Spoof Reporting Message", "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. 
The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. (Citation: Marshall Abrams July 2008)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "evasion-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0856", "external_id": "T0856" }, { "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Data Historian", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.922Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK) ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. 
(Citation: Joe Slowik April 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0866", "external_id": "T0866" }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Exploitation of Remote Services Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1210/" }, { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Control Server", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.906Z", "name": "Default Credentials", "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. 
It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015) Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0812", "external_id": "T0812" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Logon Session: Logon Session Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Input/Output Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.923Z", "name": "External Remote Services", "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. 
Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire) External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0822", "external_id": "T0822" }, { "source_name": "Daniel Oakley, Travis Smith, Tripwire", "description": "Daniel Oakley, Travis Smith, Tripwire Retrieved. 
2018/05/30 ", "url": "https://attack.mitre.org/wiki/Technique/T1133" }, { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_data_sources": [ "Application Log: Application Log Content", "Logon Session: Logon Session Metadata", "Network Traffic: Network Traffic Flow" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.893Z", "name": "Brute Force I/O", "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary\u2019s goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. 
In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0806", "external_id": "T0806" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Process History/Live Data" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Detect Program State", "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. 
This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0870", "external_id": "T0870" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Field Controller/RTU/PLC/IED", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Conrad Layne - GE Digital" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0830", "url": "https://attack.mitre.org/techniques/T0830" }, { "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 " }, { "source_name": "Gabriel Sanchez October 2017", "url": "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095", "description": "Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. 
(Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nA MITM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", "modified": "2022-05-24T19:32:27.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Man in the Middle", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", "Process: OS API Execution", "Process: Process Creation", "Command: Command Execution" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.919Z", "name": "Exploitation for Evasion", 
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "evasion-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0820", "external_id": "T0820" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Loss of Control", "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. 
Lee) (Citation: Tyson Macaulay) The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0827", "external_id": "T0827" }, { "source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" }, { "source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" }, { "source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 
2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" }, { "source_name": "BSI State of IT Security 2014", "description": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Change Program State", "description": "Adversaries may attempt to change the state of the current program on a control device. 
Program state changes may be used to allow for another program to take over control or be loaded onto the device.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0875", "external_id": "T0875" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Hooking", "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK) One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process\u2019s IAT, where pointers to imported API functions are stored. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "privilege-escalation" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0874", "external_id": "T0874" }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Hooking Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1179/" }, { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_data_sources": [ "File: File Modification", "Module: Module Load" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Control Device Identification", "description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. 
This device information can also be used to understand device functionality and inform the decision to target the environment.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0808", "external_id": "T0808" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:24.400Z", "name": "Program Organization Units", "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). 
For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0844", "external_id": "T0844" }, { "source_name": "Guidance - IEC61131", "description": "John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.", "url": "http://www.dee.ufrj.br/controle%20automatico/cursos/IEC61131-3%20Programming%20Industrial%20Automation%20Systems.pdf" }, { "source_name": "PLCBlaster - Spenneberg", "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" }, { "source_name": "Stuxnet - Symantec - 201102", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20stuxnet%20dossier.pdf" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.924Z", "name": "Graphical User Interface", "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine. In the Oldsmar water treatment attack, adversaries utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen. 
(Citation: Pinellas County Sheriffs Office February 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0823", "external_id": "T0823" }, { "source_name": "Pinellas County Sheriffs Office February 2021", "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.975Z", "name": "Rogue Master", "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations. 
(Citation: Marshall Abrams July 2008) In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0848", "external_id": "T0848" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" }, { "source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" }, { "source_name": "Zack Whittaker April 2017", "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 
2020/11/06 ", "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", "Application Log: Application Log Content", "Operational Databases: Process/Event Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:36:26.506Z", "modified": "2022-05-06T17:47:23.956Z", "name": "Native API", "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. 
For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0834", "external_id": "T0834" }, { "source_name": "The MITRE Corporation May 2017", "description": "The MITRE Corporation 2017, May 31 ATT&CK T1106: Native API Retrieved. 2021/04/26 ", "url": "https://attack.mitre.org/techniques/T1106/" } ], "x_mitre_data_sources": [ "Process: OS API Execution" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.934Z", "name": "Loss of Availability", "description": "Adversaries may attempt to disrupt essential components or systems to prevent the owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) Adversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases. In the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporarily halted on May 7th and were not fully restarted until May 12th. 
(Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0826", "external_id": "T0826" }, { "source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" }, { "source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" }, { "source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" }, { "source_name": "Colonial Pipeline Company May 2021", "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 
2021/10/08 ", "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.985Z", "name": "Theft of Operational Information", "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0882", "external_id": "T0882" }, { "source_name": "Mark Thompson March 2016", "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" }, { "source_name": "Danny Yadron December 2015", "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 
2019/11/07 ", "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Input/Output Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.984Z", "name": "System Firmware", "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprogramming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given that firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "persistence-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0857", "external_id": "T0857" }, { "source_name": "Basnight, Zachry, et al.", "description": "Basnight, Zachry, et al. 
2013 Retrieved. 2017/10/17 ", "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231" } ], "x_mitre_data_sources": [ "Firmware: Firmware Modification", "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Masquerading", "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. 
This can be as simple as renaming a file to effectively disguise it in the ICS environment.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "evasion-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0849", "external_id": "T0849" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Metadata", "File: File Modification", "Scheduled Job: Scheduled Job Metadata", "Scheduled Job: Scheduled Job Modification", "Service: Service Creation", "Service: Service Metadata" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.960Z", "name": "Program Download", "description": "Adversaries may perform a program download to transfer a user program to a controller. Variations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. 
An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download. The granularity of control to transfer a user program in whole or in part is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controller's user program memory space. [Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0843", "external_id": "T0843" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Device Alarm" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Data Historian", "Control Server" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.973Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. 
The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0847", "external_id": "T0847" }, { "source_name": "Kernkraftwerk Gundremmingen April 2016", "description": "Kernkraftwerk Gundremmingen 2016, April 25 Detektion von Bro-Schadsoftware an mehreren Rechnern Retrieved. 2019/10/14 ", "url": "https://www.kkw-gundremmingen.de/presse.php?id=571" }, { "source_name": "Trend Micro April 2016", "description": "Trend Micro 2016, April 27 Malware Discovered in German Nuclear Power Plant Retrieved. 
2019/10/14 ", "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant" }, { "source_name": "Christoph Steitz, Eric Auchard April 2016", "description": "Christoph Steitz, Eric Auchard 2016, April 26 German nuclear plant infected with computer viruses, operator says Retrieved. 2019/10/14 ", "url": "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS" }, { "source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" }, { "source_name": "Peter Dockrill April 2016", "description": "Peter Dockrill 2016, April 28 Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant Retrieved. 2019/10/14 ", "url": "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant" }, { "source_name": "Lee Mathews April 2016", "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 ", "url": "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/" }, { "source_name": "Sean Gallagher April 2016", "description": "Sean Gallagher 2016, April 27 German nuclear plants fuel rod system swarming with old malware Retrieved. 2019/10/14 ", "url": "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/" }, { "source_name": "Dark Reading Staff April 2016", "description": "Dark Reading Staff 2016, April 28 German Nuclear Power Plant Infected With Malware Retrieved. 
2019/10/14 ", "url": "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298" }, { "source_name": "BBC April 2016", "description": "BBC 2016, April 28 German nuclear plant hit by computer viruses Retrieved. 2019/10/14 ", "url": "https://www.bbc.com/news/technology-36158606" }, { "source_name": "ESET April 2016", "description": "ESET 2016, April 28 Malware found at a German nuclear power plant Retrieved. 2019/10/14 ", "url": "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/" } ], "x_mitre_data_sources": [ "Drive: Drive Creation", "File: File Access", "File: File Creation", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.976Z", "name": "Screen Capture", "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. 
(Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0852", "external_id": "T0852" }, { "source_name": "ICS-CERT October 2017", "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "x_mitre_data_sources": [ "Command: Command Execution", "Process: OS API Execution" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Engineering Workstation", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0859", "url": "https://attack.mitre.org/techniques/T0859" }, { "source_name": "Booz Allen Hamilton", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. 
In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. 
Adversaries may be able to leverage valid credentials from one system to gain access to another system.", "modified": "2022-05-24T11:56:16.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Valid Accounts", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "persistence-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Logon Session: Logon Session Creation", "User Account: User Account Authentication" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. 
(Citation: The MITRE Corporation) When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "privilege-escalation" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0890", "external_id": "T0890" }, { "source_name": "The MITRE Corporation", "description": "The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ", "url": "https://attack.mitre.org/techniques/T1068/" }, { "source_name": "The MITRE Corporation", "description": "The MITRE Corporation The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 
2021/04/12 ", "url": "https://attack.mitre.org/techniques/T1068/" } ], "x_mitre_data_sources": [ "Process: OS API Execution" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.968Z", "name": "Remote System Discovery", "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0846", "external_id": "T0846" }, { "source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 
2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1018" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Access", "Network Traffic: Network Connection Creation", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Joe Slowik - Dragos" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Engineering Workstation Compromise", "description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through remote or physical means, such as Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. 
In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0818", "external_id": "T0818" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.900Z", "name": "Connection Proxy", "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. 
(Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "command-and-control-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0884", "external_id": "T0884" }, { "source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Connection Proxy Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1090" } ], "x_mitre_data_sources": [ "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server", "Data Historian", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.981Z", "name": "Standard Application Layer Protocol", "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. 
Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "command-and-control-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0869", "external_id": "T0869" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Modify Control Logic", "description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. 
The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks built into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. 
This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0833", "external_id": "T0833" }, { "source_name": "Stuxnet - Langner - 201311", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" }, { "source_name": "Maroochy - MITRE - 200808", "description": "Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.", "url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface", "Control Server" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Daisuke Suzuki" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T19:26:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Remote Services", "description": "Adversaries may leverage remote services to move between assets and network segments. 
These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) Remote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859). Specific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software. In the Oldsmar water treatment attack, adversaries gained access to the system through remote access software, allowing for the use of the standard operator HMI interface. (Citation: Pinellas County Sheriffs Office February 2021) Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0886", "external_id": "T0886" }, { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" }, { "source_name": "Dragos December 2017", "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" }, { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" }, { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 
2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" }, { "source_name": "Pinellas County Sheriffs Office February 2021", "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" }, { "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" } ], "x_mitre_data_sources": [ "Command: Command Execution", "Logon Session: Logon Session Creation", "Network Share: Network Share Access", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows", "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-24T14:00:00.188Z", "name": "I/O Module Discovery", "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. 
These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0824", "external_id": "T0824" } ], "x_mitre_deprecated": true, "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_platforms": [ "None" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.908Z", "name": "Denial of Control", "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network preventing them from issuing any controls. 
In the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "impact-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0813", "external_id": "T0813" }, { "source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" }, { "source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" }, { "source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" }, { "source_name": "Mark Loveless April 2017", "description": "Mark Loveless 2017, April 11 THE DALLAS COUNTY SIREN HACK Retrieved. 
2020/11/06 ", "url": "https://duo.com/decipher/the-dallas-county-siren-hack" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server", "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Device Configuration/Parameters" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.949Z", "name": "Modify Alarm Settings", "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [[Impact]] could occur. 
In ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. In the Maroochy Attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer. (Citation: Marshall Abrams July 2008)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0838", "external_id": "T0838" }, { "source_name": "Jos Wetzels, Marina Krotofil 2019", "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" }, { "source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Process History/Live Data" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Control Server", "Engineering Workstation" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Matan Dobrushin - Otorio" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0885", "url": "https://attack.mitre.org/techniques/T0885" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. 
\n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", "modified": "2022-05-24T14:31:04.264Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Commonly Used Port", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "command-and-control-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.963Z", "name": "Project File Infection", "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [[execution]] and [[persistence]] techniques. (Citation: PLCdev) Adversaries may export their own code into project files with conditions to execute at specific intervals. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "persistence-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0873", "external_id": "T0873" }, { "source_name": "Beckhoff", "description": "Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ", "url": "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=" }, { "source_name": "PLCdev", "description": "PLCdev Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 2019/11/21 ", "url": "http://www.plcdev.com/book/export/html/373" }, { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" }, { "source_name": "PLCdev", "description": "PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 
2019/11/21 ", "url": "http://www.plcdev.com/book/export/html/373" } ], "x_mitre_data_sources": [ "File: File Modification" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0840", "url": "https://attack.mitre.org/techniques/T0840" }, { "source_name": "MITRE", "url": "https://attack.mitre.org/wiki/Technique/T1049", "description": "MITRE System Network Connections Discovery Retrieved. 2018/05/31 " }, { "source_name": "Netstat", "url": "https://en.wikipedia.org/wiki/Netstat", "description": "Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). 
The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", "modified": "2022-05-23T21:24:49.040Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Connection Enumeration", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery-ics" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Command: Command Execution", "Process: OS API Execution", "Process: Process Creation" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Human-Machine Interface", "Control Server", "Data Historian" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.932Z", "name": "Lateral Tool Transfer", "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. 
(Citation: Enterprise ATT&CK) In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0867", "external_id": "T0867" }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1570/" }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1570/" } ], "x_mitre_data_sources": [ "Command: Command Execution", "File: File Creation", "File: File Metadata", "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", "Process: Process Creation" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "created": "2020-05-21T17:43:26.506Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T0839", "url": "https://attack.mitre.org/techniques/T0839" }, { "source_name": "Daniel Peck, Dale Peterson January 2009", "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices", "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card 
Vulnerabilities in Field Devices Retrieved. 2017/12/19 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. 
Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", "modified": "2022-05-24T11:51:30.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Module Firmware", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "persistence-ics" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control" } ], "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ "Firmware: Firmware Modification", "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-21T17:43:26.506Z", "modified": "2022-05-06T17:47:23.930Z", "name": "Internet Accessible Device", "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. 
Access to these devices is accomplished without the use of exploits; access that relies on exploits would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique. Adversaries may leverage built-in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016) In Trend Micro's manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0883", "external_id": "T0883" }, { "source_name": "NCCIC January 2014", "description": "NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 2019/11/07 ", "url": "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf" }, { "source_name": "NCCIC January 2014", "description": "NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 
2019/11/07 ", "url": "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf" }, { "source_name": "Danny Yadron December 2015", "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" }, { "source_name": "Mark Thompson March 2016", "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" }, { "source_name": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler", "description": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats Retrieved. 
2021/04/12 ", "url": "https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf" } ], "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", "Logon Session: Logon Session Metadata" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Field Controller/RTU/PLC/IED" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:23.953Z", "name": "Modify Program", "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. Program modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. 
Some programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "persistence-ics" } ], "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0889", "external_id": "T0889" }, { "source_name": "IEC February 2013", "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", "url": "https://webstore.iec.ch/publication/4552" } ], "x_mitre_data_sources": [ "File: File Modification", "Asset: Software/Firmware" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:06:56.230Z", "modified": "2022-05-06T17:47:24.036Z", "name": "Application Isolation and Sandboxing", "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0948", "external_id": "M0948" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:33:55.337Z", "modified": "2022-05-06T17:47:24.043Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or automation/SCADA protocol-aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0937", "external_id": "M0937" }, { "source_name": "Centre for the Protection of National Infrastructure February 2005", "description": "Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 
2020/09/17 ", "url": "https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T20:52:59.206Z", "modified": "2022-05-06T17:47:24.055Z", "name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0921", "external_id": "M0921" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-10T20:41:03.271Z", "modified": "2022-05-06T17:47:24.051Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. 
In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0930", "external_id": "M0930" }, { "source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421" }, { "source_name": "IEC August 2013", "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 
2020/09/25 ", "url": "https://webstore.iec.ch/publication/7033" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:00:01.740Z", "modified": "2022-05-06T17:47:24.054Z", "name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0944", "external_id": "M0944" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T16:39:58.291Z", "modified": "2022-05-06T17:47:24.035Z", "name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0915", "external_id": "M0915" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-10T20:46:02.263Z", "modified": "2022-05-06T17:47:24.049Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0931", "external_id": "M0931" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T20:58:59.577Z", "modified": "2022-05-06T17:47:24.055Z", "name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0924", "external_id": "M0924" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": 
"course-of-action", "id": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.040Z", "name": "Data Loss Prevention", "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0803", "external_id": "M0803" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.034Z", "name": "Access Management", "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. 
July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0801", "external_id": "M0801" }, { "source_name": "McCarthy, J et al. July 2018", "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", "url": "https://doi.org/10.6028/NIST.SP.1800-2" }, { "source_name": "Centre for the Protection of National Infrastructure November 2010", "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.048Z", "name": "Mitigation Limited or Not Effective", "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0816", "external_id": "M0816" } ], "x_mitre_version": "1.0", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:10:57.070Z", "modified": "2022-05-06T17:47:24.042Z", "name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0950", "external_id": "M0950" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:30:16.672Z", "modified": "2022-05-06T17:47:24.044Z", "name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0935", "external_id": "M0935" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:35:25.488Z", "modified": "2022-05-06T17:47:24.042Z", "name": "Execution Prevention", "description": "Block execution of code on a system through application control, and/or script blocking.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0938", "external_id": "M0938" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.057Z", "name": "Static Network Configuration", "description": "Configure hosts and devices to use static network configurations when possible; protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various MitM attacks. 
This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0814", "external_id": "M0814" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:10:35.792Z", "modified": "2022-05-06T17:47:24.053Z", "name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0927", "external_id": "M0927" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:09:47.115Z", "modified": "2022-05-06T17:47:24.053Z", "name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0926", "external_id": "M0926" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.060Z", "name": "Human User Authentication", "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052/).", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0804", "external_id": "M0804" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T20:15:34.146Z", "modified": "2022-05-06T17:47:24.055Z", "name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0920", "external_id": "M0920" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:01:25.405Z", "modified": "2022-05-06T17:47:24.039Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0945", "external_id": "M0945" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.057Z", "name": "Software Process and Device Authentication", "description": "Require the authentication of devices and software processes where appropriate. 
Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0813", "external_id": "M0813" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.041Z", "name": "Encrypt Network Traffic", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0808", "external_id": "M0808" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.034Z", "name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0936", 
"external_id": "M0936" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-10-25T14:48:53.732Z", "modified": "2022-05-06T17:47:24.036Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0913", "external_id": "M0913" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:02:36.984Z", "modified": "2022-05-06T17:47:24.038Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0946", "external_id": "M0946" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.046Z", "name": "Mechanical Protection Layers", "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0805", "external_id": "M0805" }, { "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:12:55.207Z", "modified": "2022-05-06T17:47:24.058Z", "name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk. 
Software updates may need to be scheduled around operational down times.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0951", "external_id": "M0951" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.060Z", "name": "Watchdog Timers", "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0815", "external_id": "M0815" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.051Z", "name": "Operational Information Confidentiality", "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).", "external_references": [ { "source_name": "mitre-ics-attack", "url": 
"https://attack.mitre.org/mitigations/M0809", "external_id": "M0809" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.051Z", "name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0928", "external_id": "M0928" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:28:41.809Z", "modified": "2022-05-06T17:47:24.045Z", "name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0934", "external_id": "M0934" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ 
"ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:43:44.834Z", "modified": "2022-05-06T17:47:24.041Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive data-at-rest with strong encryption.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0941", "external_id": "M0941" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-10T20:53:36.319Z", "modified": "2022-05-06T17:47:24.060Z", "name": "Network Allowlists", "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. 
Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0807", "external_id": "M0807" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T17:00:21.233Z", "modified": "2022-05-06T17:47:24.058Z", "name": "Supply Chain Management", "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0817", "external_id": "M0817" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-07-19T14:33:33.543Z", "modified": "2022-05-06T17:47:24.040Z", "name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0953", "external_id": "M0953" }, { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.053Z", "name": "Out-of-Band Communications Channel", "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. 
(Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0810", "external_id": "M0810" }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" }, { "source_name": "Defense Advanced Research Projects Agency", "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ", "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:06:14.029Z", "modified": "2022-05-06T17:47:24.037Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. 
Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0947", "external_id": "M0947" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.039Z", "name": "Communication Authenticity", "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. 
This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0802", "external_id": "M0802" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T16:45:19.740Z", "modified": "2022-05-06T17:47:24.041Z", "name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0942", "external_id": "M0942" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T19:55:50.927Z", "modified": "2022-05-06T17:47:24.058Z", "name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "external_references": [ { "source_name": "mitre-ics-attack", "url": 
"https://attack.mitre.org/mitigations/M0919", "external_id": "M0919" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.056Z", "name": "Safety Instrumented Systems", "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0812", "external_id": "M0812" }, { "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T16:50:04.963Z", "modified": "2022-05-06T17:47:24.059Z", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0917", "external_id": "M0917" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-10T20:53:36.319Z", "modified": "2022-05-06T17:47:24.048Z", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. 
Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0932", "external_id": "M0932" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T16:47:30.700Z", "modified": "2022-05-06T17:47:24.059Z", "name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0916", "external_id": "M0916" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.038Z", "name": "Authorization Enforcement", "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. 
Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0800", "external_id": "M0800" }, { "source_name": "International Electrotechnical Commission July 2020", "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ", "url": "https://webstore.iec.ch/publication/6912" }, { "source_name": "Institute of Electrical and Electronics Engineers January 2014", "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 
2020/09/17 ", "url": "https://standards.ieee.org/standard/1686-2013.html" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T16:50:58.767Z", "modified": "2022-05-06T17:47:24.059Z", "name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0918", "external_id": "M0918" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T21:16:18.709Z", "modified": "2022-05-06T17:47:24.054Z", "name": "Redundancy of Service", "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0811", "external_id": "M0811" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-06T20:54:49.964Z", "modified": "2022-05-06T17:47:24.054Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0922", "external_id": "M0922" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-07-19T14:40:23.529Z", "modified": "2022-05-06T17:47:24.057Z", "name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0954", "external_id": "M0954" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-11T17:08:33.055Z", 
"modified": "2022-05-06T17:47:24.036Z", "name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0949", "external_id": "M0949" }, { "source_name": "NCCIC August 2018", "description": "NCCIC 2018, August 2 Recommended Practice: Updating Antivirus in an Industrial Control System Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-11T16:32:21.854Z", "modified": "2022-05-06T17:47:24.048Z", "name": "Minimize Wireless Signal Propagation", "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. 
(Citation: DHS National Urban Security Technology Laboratory April 2019)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/mitigations/M0806", "external_id": "M0806" }, { "source_name": "CISA March 2010", "description": "CISA 2010, March Securing Wireless Networks Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" }, { "source_name": "DHS National Urban Security Technology Laboratory April 2019", "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "type": "identity", "identity_class": "organization", "created": "2017-06-01T00:00:00.000Z", "modified": "2017-06-01T00:00:00.000Z", "name": "The MITRE Corporation", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0" }, { "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "type": "intrusion-set", "created": "2019-01-29T21:27:24.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "G0082", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0082" }, { "source_name": "APT38", "description": "(Citation: FireEye APT38 Oct 2018)" }, { 
"source_name": "NICKEL GLADSTONE", "description": "(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)" }, { "source_name": "BeagleBoyz", "description": "(Citation: CISA AA20-239A BeagleBoyz August 2020)" }, { "source_name": "Bluenoroff", "description": "(Citation: Kaspersky Lazarus Under The Hood Blog 2017)" }, { "source_name": "Stardust Chollima", "description": "(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)" }, { "source_name": "CISA AA20-239A BeagleBoyz August 2020", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-239a", "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021." }, { "source_name": "FireEye APT38 Oct 2018", "url": "https://content.fireeye.com/apt/rpt-apt38", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018." }, { "source_name": "DOJ North Korea Indictment Feb 2021", "url": "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and", "description": "Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021." }, { "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", "url": "https://securelist.com/lazarus-under-the-hood/77908/", "source_name": "Kaspersky Lazarus Under The Hood Blog 2017" }, { "source_name": "SecureWorks NICKEL GLADSTONE profile Sept 2021", "url": "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "description": "SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021." 
}, { "source_name": "CrowdStrike Stardust Chollima Profile April 2018", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", "description": "Meyers, Adam. (2018, April 6). Meet CrowdStrike\u2019s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021." }, { "source_name": "CrowdStrike GTR 2021 June 2021", "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "description": "CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021." } ], "modified": "2022-01-18T17:13:14.610Z", "name": "APT38", "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. 
Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "x_mitre_version": "2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "Palmetto Fusion" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "created": "2017-05-31T21:31:57.307Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "G1000", "url": "https://attack.mitre.org/groups/G1000" }, { "source_name": "Dragos", "url": "https://dragos.com/resource/allanite/", "description": "Dragos Allanite Retrieved. 2019/10/27 " } ], "x_mitre_deprecated": false, "revoked": false, "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. 
The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)'s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS in order to gain an understanding of processes and to maintain persistence. (Citation: Dragos)", "modified": "2022-05-24T19:26:10.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "ALLANITE", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "Dragonfly", "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "created": "2017-05-31T21:32:05.217Z", "x_mitre_version": "3.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0035", "url": "https://attack.mitre.org/groups/G0035" }, { "source_name": "DYMALLOY", "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "Berserk Bear", "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "TEMP.Isotope", "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" }, { "source_name": "Crouching Yeti", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK 
GOV FSB Factsheet April 2022)" }, { "source_name": "IRON LIBERTY", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "TG-4192", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "Dragonfly", "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "Energetic Bear", "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "CISA AA20-296A Berserk Bear December 2020", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions", "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021." }, { "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical", "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022." }, { "source_name": "Dragos DYMALLOY ", "url": "https://www.dragos.com/threat/dymalloy/", "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." 
}, { "source_name": "Fortune Dragonfly 2.0 Sept 2017", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." }, { "source_name": "Mandiant Ukraine Cyber Threats January 2022", "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats", "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022." }, { "source_name": "Secureworks MCMD July 2019", "url": "https://www.secureworks.com/research/mcmd-malware-analysis", "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." }, { "source_name": "Secureworks IRON LIBERTY July 2019", "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." }, { "source_name": "Secureworks Karagany July 2019", "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." }, { "source_name": "Gigamon Berserk Bear October 2021", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." }, { "source_name": "Symantec Dragonfly Sept 2017", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." 
}, { "source_name": "Symantec Dragonfly", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016." }, { "source_name": "Symantec Dragonfly 2.0 October 2017", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022." }, { "source_name": "UK GOV FSB Factsheet April 2022", "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet", "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", "modified": "2022-05-24T19:21:16.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Dragonfly", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "FIN6", "Magecart Group 6", "SKELETON SPIDER", "ITG08" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "Drew Church, Splunk" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "type": "intrusion-set", "created": "2017-05-31T21:32:06.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0037", "external_id": "G0037" }, { "source_name": "FIN6", "description": "(Citation: FireEye FIN6 April 2016)" }, { "source_name": "Magecart Group 6", "description": "(Citation: Security 
Intelligence ITG08 April 2020)" }, { "source_name": "SKELETON SPIDER", "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" }, { "source_name": "ITG08", "description": "(Citation: Security Intelligence More Eggs Aug 2019)" }, { "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", "source_name": "FireEye FIN6 April 2016" }, { "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "source_name": "FireEye FIN6 Apr 2019" }, { "source_name": "Security Intelligence ITG08 April 2020", "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020." }, { "source_name": "Crowdstrike Global Threat Report Feb 2018", "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report" }, { "description": "Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "source_name": "Security Intelligence More Eggs Aug 2019" } ], "modified": "2021-10-14T17:23:58.316Z", "name": "FIN6", "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. 
This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "x_mitre_version": "3.2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Edward Millington" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "type": "intrusion-set", "created": "2017-05-31T21:32:09.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0046", "external_id": "G0046" }, { "source_name": "FIN7", "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" }, { "source_name": "GOLD NIAGARA", "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" }, { "source_name": "ITG14", "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" }, { "source_name": "Carbon Spider", "description": "(Citation: CrowdStrike Carbon Spider August 2021)" }, { "source_name": "FireEye FIN7 March 2017", "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" }, { "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. 
Retrieved April 24, 2017.", "source_name": "FireEye FIN7 April 2017" }, { "source_name": "FireEye CARBANAK June 2017", "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" }, { "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", "source_name": "FireEye FIN7 Aug 2018" }, { "source_name": "CrowdStrike Carbon Spider August 2021", "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." }, { "source_name": "Morphisec FIN7 June 2017", "description": "Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" }, { "source_name": "FireEye FIN7 Shim Databases", "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" }, { "source_name": "Secureworks GOLD NIAGARA Threat Profile", "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara", "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021." }, { "source_name": "IBM Ransomware Trends September 2020", "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", "description": "Singleton, C. and Kiefer, C. (2020, September 28). 
Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." } ], "modified": "2022-02-02T21:32:06.214Z", "name": "FIN7", "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) has shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appear to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware, and they are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", "x_mitre_version": "2.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "VOODOO BEAR" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "created": "2017-05-31T21:32:04.588Z", "x_mitre_version": "2.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0034", "url": "https://attack.mitre.org/groups/G0034" }, { "source_name": "VOODOO 
BEAR", "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "ELECTRUM", "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Sandworm Team", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Quedagh", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "BlackEnergy (Group)", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Telebots", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "IRON VIKING", "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "US District Court Indictment GRU Oct 2018", "url": "https://www.justice.gov/opa/page/file/1098481/download", "description": "Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020." }, { "source_name": "Dragos ELECTRUM", "url": "https://www.dragos.com/resource/electrum/", "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020." }, { "source_name": "F-Secure BlackEnergy 2014", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", "description": "F-Secure Labs. (2014). 
BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016." }, { "source_name": "iSIGHT Sandworm 2014", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", "description": "Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017." }, { "source_name": "CrowdStrike VOODOO BEAR", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018." }, { "source_name": "InfoSecurity Sandworm Oct 2014", "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/", "description": "Muncaster, P. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017." }, { "source_name": "NCSC Sandworm Feb 2020", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020." }, { "source_name": "USDOJ Sandworm Feb 2020", "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html", "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020." }, { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "url": "https://www.justice.gov/opa/press-release/file/1328521/download", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020." }, { "source_name": "Secureworks IRON VIKING ", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", "description": "Secureworks. (2020, May 1). 
IRON VIKING Threat Profile. Retrieved June 10, 2020." }, { "source_name": "UK NCSC Olympic Attacks October 2020", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "modified": 
"2022-05-23T21:21:17.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Sandworm Team", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "OilRig", "COBALT GYPSY", "IRN2", "HELIX KITTEN", "APT34" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Robert Falcone", "Bryan Lee", "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "3.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0049", "url": "https://attack.mitre.org/groups/G0049" }, { "source_name": "IRN2", "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" }, { "source_name": "OilRig", "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" }, { "source_name": "COBALT GYPSY", "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" }, { "source_name": "HELIX KITTEN", "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" }, { "source_name": "Check Point APT34 April 2021", "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021." }, { "source_name": "ClearSky OilRig Jan 2017", "url": "http://www.clearskysec.com/oilrig/", "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017." 
}, { "source_name": "Palo Alto OilRig May 2016", "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "description": "Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017." }, { "source_name": "Palo Alto OilRig April 2017", "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", "description": "Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017." }, { "source_name": "Palo Alto OilRig Oct 2016", "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "description": "Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017." }, { "source_name": "Unit 42 QUADAGENT July 2018", "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018." }, { "source_name": "Crowdstrike Helix Kitten Nov 2018", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018." }, { "source_name": "FireEye APT34 Dec 2017", "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "description": "Sardiwal, M., et al. (2017, December 7). 
New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017." }, { "source_name": "Secureworks COBALT GYPSY Threat Profile", "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021." }, { "source_name": "APT34", "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" }, { "source_name": "Unit 42 Playbook Dec 2017", "url": "https://pan-unit42.github.io/playbook_viewer/", "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", "modified": "2022-05-23T21:20:37.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "OilRig", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", "type": "intrusion-set", "created": "2018-01-16T16:13:52.465Z", "revoked": true, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0057", "external_id": "G0057" } ], "modified": "2018-10-17T00:17:13.469Z", "name": "APT34", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "Dragonfly 2.0", "IRON LIBERTY", "DYMALLOY", "Berserk Bear" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0074", "url": "https://attack.mitre.org/groups/G0074" }, { "source_name": "DYMALLOY", "description": "(Citation: Dragos DYMALLOY )" }, { "source_name": "Berserk Bear", "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" }, { "source_name": "IRON LIBERTY", "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON 
LIBERTY)" }, { "source_name": "Dragonfly 2.0", "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" }, { "source_name": "Dragos DYMALLOY ", "url": "https://www.dragos.com/threat/dymalloy/", "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." }, { "source_name": "Fortune Dragonfly 2.0 Sept 2017", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." }, { "source_name": "Secureworks MCMD July 2019", "url": "https://www.secureworks.com/research/mcmd-malware-analysis", "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." }, { "source_name": "Secureworks IRON LIBERTY", "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." }, { "source_name": "Symantec Dragonfly Sept 2017", "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." }, { "source_name": "US-CERT TA18-074A", "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." } ], "x_mitre_deprecated": false, "revoked": true, "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. 
(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", "modified": "2022-05-24T14:00:00.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Dragonfly 2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "TEMP.Veles", "XENOTIME" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "created": "2019-04-16T15:14:38.533Z", "x_mitre_version": "1.3", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0088", "url": "https://attack.mitre.org/groups/G0088" }, { "source_name": "TEMP.Veles", "description": "(Citation: FireEye TRITON 2019)" }, { "source_name": "Dragos Xenotime 2018", "url": "https://dragos.com/resource/xenotime/", "description": "Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019." }, { "source_name": "FireEye TEMP.Veles 2018", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", "description": "FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." 
}, { "source_name": "FireEye TEMP.Veles 2018 ", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." }, { "source_name": "FireEye TRITON 2019", "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019." }, { "source_name": "FireEye TEMP.Veles JSON April 2019", "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019." }, { "source_name": "Pylos Xenotime 2019", "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019." }, { "source_name": "XENOTIME", "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )" } ], "x_mitre_deprecated": false, "revoked": false, "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. 
The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", "modified": "2022-05-24T16:22:20.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "TEMP.Veles", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "GOLD SOUTHFIELD" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Thijn Bukkems, Amazon" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", "type": "intrusion-set", "created": "2020-09-22T19:41:27.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "G0115", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0115" }, { "source_name": "Secureworks REvil September 2019", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." }, { "source_name": "Secureworks GandCrab and REvil September 2019", "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." }, { "source_name": "Secureworks GOLD SOUTHFIELD", "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield", "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020." 
} ], "modified": "2021-04-26T12:52:34.528Z", "name": "GOLD SOUTHFIELD", "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "ZINC", "NICKEL ACADEMY" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Kyaw Pyiyt Htet, @KyawPyiytHtet", "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "created": "2017-05-31T21:32:03.807Z", "x_mitre_version": "3.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0032", "url": "https://attack.mitre.org/groups/G0032" }, { "source_name": "Labyrinth Chollima", "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)" }, { "source_name": "ZINC", "description": "(Citation: Microsoft ZINC disruption Dec 2017)" }, { "source_name": "Lazarus Group", "description": "(Citation: Novetta Blockbuster)" }, { "source_name": "NICKEL ACADEMY", "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)" }, { "source_name": "Guardians of Peace", "description": "(Citation: US-CERT HIDDEN COBRA June 2017)" }, { "source_name": "CrowdStrike Labyrinth Chollima Feb 2022", "url": 
"https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/", "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022." }, { "source_name": "Novetta Blockbuster", "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016." }, { "source_name": "Secureworks NICKEL ACADEMY Dec 2017", "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017." }, { "source_name": "Microsoft ZINC disruption Dec 2017", "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017." }, { "source_name": "HIDDEN COBRA", "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)" }, { "source_name": "Treasury North Korean Cyber Groups September 2019", "url": "https://home.treasury.gov/news/press-releases/sm774", "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021." }, { "source_name": "US-CERT HIDDEN COBRA June 2017", "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A", "description": "US-CERT. 
(2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017." }, { "source_name": "US-CERT HOPLIGHT Apr 2019", "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). 
", "modified": "2022-05-23T21:20:57.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Lazarus Group", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Edward Millington", "Oleksiy Gayda" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "type": "intrusion-set", "created": "2020-05-12T18:15:29.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "G0102", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0102" }, { "source_name": "UNC1878", "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" }, { "source_name": "TEMP.MixMaster", "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" }, { "source_name": "Grim Spider", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" }, { "source_name": "CrowdStrike Ryuk January 2019", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." }, { "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." }, { "source_name": "CrowdStrike Wizard Spider October 2020", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). 
WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." }, { "source_name": "FireEye KEGTAP SINGLEMALT October 2020", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." }, { "source_name": "FireEye Ryuk and Trickbot January 2019", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." }, { "source_name": "CrowdStrike Grim Spider May 2019", "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." } ], "modified": "2021-10-14T17:27:41.194Z", "name": "Wizard Spider", "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. 
[Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "x_mitre_version": "2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "Lyceum" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "G1001", "url": "https://attack.mitre.org/groups/G1001" }, { "source_name": "Dragos", "url": "https://dragos.com/resource/hexane/", "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organizations within the oil & gas and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity. 
(Citation: Dragos)", "modified": "2022-05-24T19:27:30.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "HEXANE", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "aliases": [ "APT33", "HOLMIUM", "Elfin" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "created": "2018-04-18T17:59:24.739Z", "x_mitre_version": "1.4", "external_references": [ { "source_name": "mitre-attack", "external_id": "G0064", "url": "https://attack.mitre.org/groups/G0064" }, { "source_name": "APT33", "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" }, { "source_name": "HOLMIUM", "description": "(Citation: Microsoft Holmium June 2020)" }, { "source_name": "Elfin", "description": "(Citation: Symantec Elfin Mar 2019)" }, { "source_name": "FireEye APT33 Webinar Sept 2017", "url": "https://www.brighttalk.com/webcast/10703/275683", "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018." }, { "source_name": "Microsoft Holmium June 2020", "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/", "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020." }, { "source_name": "FireEye APT33 Sept 2017", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "description": "O'Leary, J., et al. (2017, September 20). 
Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018." }, { "source_name": "Symantec Elfin Mar 2019", "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", "modified": "2022-05-23T21:22:08.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "APT33", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "EKANS", "SNAKEHOSE" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "created": "2021-02-12T20:07:42.883Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0605", "url": "https://attack.mitre.org/software/S0605" }, { "source_name": "EKANS", "description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)" }, { "source_name": "SNAKEHOSE", "description": "(Citation: FireEye Ransomware Feb 2020)" }, { "source_name": "Dragos EKANS", "url": 
"https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/", "description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021." }, { "source_name": "Palo Alto Unit 42 EKANS", "url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/", "description": "Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021." }, { "source_name": "FireEye Ransomware Feb 2020", "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html", "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. 
[EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", "modified": "2022-05-11T14:00:00.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "EKANS", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "Backdoor.Oldrea", "Havex" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "created": "2017-05-31T21:32:59.661Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0093", "url": "https://attack.mitre.org/software/S0093" }, { "source_name": "Gigamon Berserk Bear October 2021", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." }, { "source_name": "Symantec Dragonfly Sept 2017", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." 
}, { "source_name": "Symantec Dragonfly", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that was used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)", "modified": "2022-05-11T14:00:00.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Backdoor.Oldrea", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "Stuxnet", "W32.Stuxnet" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "created": "2020-12-14T17:34:58.457Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0603", "url": "https://attack.mitre.org/software/S0603" }, { "source_name": "W32.Stuxnet", "description": "(Citation: Symantec W.32 Stuxnet Dossier)" }, { "source_name": "CISA ICS Advisory ICSA-10-272-01", "url": 
"https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01", "description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020." }, { "source_name": "ESET Stuxnet Under the Microscope", "url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf", "description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020." }, { "source_name": "Symantec W.32 Stuxnet Dossier", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf", "description": "Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020." }, { "source_name": "Langer Stuxnet", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", "description": "Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. 
[Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)", "modified": "2022-05-20T16:22:32.608Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Stuxnet", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "Industroyer", "CRASHOVERRIDE" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "name": "Industroyer", "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)", "id": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", "type": "malware", "x_mitre_version": "1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:21.973Z", "modified": "2022-05-24T14:00:00.188Z", "external_references": [ { "external_id": 
"S1004", "source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0001" }, { "source_name": "ESET Win32/Industroyer", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" }, { "source_name": "Dragos Crashoverride", "description": "Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.", "url": "https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf" }, { "source_name": "CISA Alert TA17-163A CrashOverride June 2017", "description": "CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.", "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-163A" }, { "source_name": "Dragos Crashoverride 2018", "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" }, { "source_name": "Dragos Crashoverride 2019", "description": "Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. 
Retrieved October 22, 2019.", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "Bad Rabbit", "Diskcoder.D" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "name": "Bad Rabbit", "description": "[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (\u201cwormable\u201d) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)", "type": "malware", "x_mitre_version": "1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec", "created": "2017-05-31T21:32:59.661Z", "modified": "2021-10-21T14:00:00.188Z", "external_references": [ { "external_id": "S1001", "source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0005" }, { "description": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "source_name": "ESET Bad Rabbit Oct 2017", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" }, { "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.", "source_name": "Kaspersky Bad Rabbit Oct 2017", "url": "https://securelist.com/bad-rabbit-ransomware/82851/" }, { "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. 
Retrieved October 27, 2019.", "source_name": "Dragos IT Ransomware for ICS Environments Apr 2019", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "Bad Rabbit", "Win32/Diskcoder.D" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "type": "malware", "created": "2021-02-09T14:35:39.455Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0606", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0606" }, { "source_name": "Secure List Bad Rabbit", "url": "https://securelist.com/bad-rabbit-ransomware/82851/", "description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021." }, { "source_name": "ESET Bad Rabbit", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021." }, { "source_name": "Dragos IT ICS Ransomware", "url": "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/", "description": "Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021." } ], "modified": "2022-04-25T14:00:00.188Z", "name": "Bad Rabbit", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. 
[Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "Stuxnet" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "name": "Stuxnet", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)", "id": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "x_mitre_version": "1.0", "type": "malware", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T15:02:14.907Z", "modified": "2022-05-24T14:00:00.188Z", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "S1008", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0010" }, { "source_name": "Wired W32.Stuxnet Dossier Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" }, { "source_name": "Symantec W32.Stuxnet Writeup", "description": "Jarrad Shearer. (n.d.). 
W32.Stuxnet Writeup. Retrieved October 22, 2019.", "url": "https://www.symantec.com/security-center/writeup/2010-071400-3123-99" }, { "source_name": "CISA ICS Advisory ICSA-10-238-01B Stuxnet January 2014", "description": "CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.", "url": "https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B" }, { "source_name": "SCADAhacker Stuxnet Mitigation Jan 2014", "description": "Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.", "url": "https://scadahacker.com/resources/stuxnet-mitigation.html" }, { "source_name": "Langer Stuxnet Analysis Nov 2013", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "Conficker", "Downadup", "Kido" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "name": "Conficker", "description": "[Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It exploits a vulnerability (MS08-067) in Windows OS software and uses dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. 
(Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)", "type": "malware", "x_mitre_version": "1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "malware--49c04994-1035-4b58-89b7-cf8956e3b423", "created": "2017-05-31T21:32:59.661Z", "modified": "2021-10-21T14:00:00.188Z", "external_references": [ { "external_id": "S1003", "source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0012" }, { "description": "Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.", "source_name": "Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" }, { "description": "Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.", "source_name": "Symantec Conficker Jun 2015", "url": "https://support.symantec.com/us/en/article.tech93179.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T15:02:14.907Z", "modified": "2022-05-24T14:00:00.188Z", "name": "PLC-Blaster", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. 
Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/software/S0009", "external_id": "S1006" }, { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" }, { "source_name": "Spenneberg, Ralf 2016", "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "BlackEnergy", "Black Energy" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "type": "malware", "created": "2017-05-31T21:32:57.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0089", "external_id": "S0089" }, { "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. 
Retrieved March 24, 2016.", "source_name": "F-Secure BlackEnergy 2014" } ], "modified": "2022-04-25T14:00:00.188Z", "name": "BlackEnergy", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "NotPetya", "ExPetr", "Diskcoder.C", "GoldenEye", "Petrwrap", "Nyetya" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "type": "malware", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0368", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0368" }, { "source_name": "ExPetr", "description": "(Citation: ESET Telebots June 2017)" }, { "source_name": "Diskcoder.C", "description": "(Citation: ESET Telebots June 2017)" }, { "source_name": "GoldenEye", "description": "(Citation: Talos Nyetya June 2017)" }, { "source_name": "Petrwrap", "description": "(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)" }, { "source_name": "Nyetya", "description": "(Citation: Talos Nyetya June 2017)" }, { "description": "Chiu, A. (2016, June 27). 
New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.", "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "source_name": "Talos Nyetya June 2017" }, { "source_name": "US-CERT NotPetya 2017", "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A", "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019." }, { "source_name": "ESET Telebots June 2017", "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020." }, { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "url": "https://www.justice.gov/opa/press-release/file/1328521/download", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." } ], "modified": "2022-04-25T14:00:00.188Z", "name": "NotPetya", "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. 
[NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "Conficker", "Kido", "Downadup" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "type": "malware", "created": "2021-02-23T20:50:32.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0608", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0608" }, { "source_name": "Kido", "description": "(Citation: SANS Conficker) " }, { "source_name": "Downadup", "description": "(Citation: SANS Conficker) " }, { "source_name": "SANS Conficker", "url": "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm", "description": "Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021." }, { "source_name": "Conficker Nuclear Power Plant", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml", "description": "Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021." 
} ], "modified": "2022-04-25T14:00:00.188Z", "name": "Conficker", "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way onto computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Joe Slowik - Dragos" ], "x_mitre_aliases": [ "LockerGoga" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "created": "2019-04-16T19:00:49.435Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0372", "url": "https://attack.mitre.org/software/S0372" }, { "source_name": "CarbonBlack LockerGoga 2019", "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/", "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019." }, { "source_name": "Unit42 LockerGoga 2019", "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/", "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "modified": "2022-05-23T21:22:58.477Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "LockerGoga", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--6108f800-10b8-4090-944e-be579f01263d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T15:02:14.907Z", "modified": "2022-05-24T14:00:00.188Z", "name": "VPNFilter", "description": "[VPNFilter](https://attack.mitre.org/software/S0002) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S0002) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/software/S0002", "external_id": "S1010" }, { "source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 
2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" }, { "source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "Duqu" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "type": "malware", "created": "2017-05-31T21:32:31.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0038", "external_id": "S0038" }, { "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf", "description": "Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.", "source_name": "Symantec W32.Duqu" } ], "modified": "2022-04-25T14:00:00.188Z", "name": "Duqu", "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. 
(Citation: Symantec W32.Duqu)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "Killdisk" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "name": "Killdisk", "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)", "id": "malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830", "type": "malware", "x_mitre_version": "1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:21.973Z", "modified": "2021-10-21T14:00:00.188Z", "external_references": [ { "external_id": "S1005", "source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0016" }, { "source_name": "ESET BlackEnergy Jan 2016", "description": "Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" }, { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. 
Retrieved October 22, 2019.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Jan Miller, CrowdStrike" ], "x_mitre_aliases": [ "WannaCry", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WCry" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "type": "malware", "created": "2019-03-25T17:30:17.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0366", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0366" }, { "source_name": "WanaCry", "description": "(Citation: SecureWorks WannaCry Analysis)" }, { "source_name": "WanaCrypt", "description": "(Citation: SecureWorks WannaCry Analysis)" }, { "source_name": "WanaCrypt0r", "description": "(Citation: LogRhythm WannaCry)" }, { "source_name": "WCry", "description": "(Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)" }, { "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", "source_name": "LogRhythm WannaCry" }, { "source_name": "US-CERT WannaCry 2017", "url": "https://www.us-cert.gov/ncas/alerts/TA17-132A", "description": "US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019." }, { "description": "Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. 
Retrieved March 25, 2019.", "url": "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4", "source_name": "Washington Post WannaCry 2017" }, { "source_name": "FireEye WannaCry 2017", "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019." }, { "source_name": "SecureWorks WannaCry Analysis", "url": "https://www.secureworks.com/research/wcry-ransomware-analysis", "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019." } ], "modified": "2022-04-25T14:00:00.188Z", "name": "WannaCry", "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. 
It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "TRISIS", "HatMan" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T15:02:14.907Z", "modified": "2022-05-24T14:00:00.188Z", "name": "Triton", "description": "[Triton](https://attack.mitre.org/software/S0013) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: DHS CISA February 2019) (Citation: Schneider Electric January 2018) (Citation: Julian Gutmanis March 2019) (Citation: Schneider December 2018) (Citation: Jos Wetzels January 2018)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/software/S0013", "external_id": "S1009" }, { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 
2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" }, { "source_name": "Dragos December 2017", "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" }, { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" }, { "source_name": "Schneider Electric January 2018", "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" }, { "source_name": "Julian Gutmanis March 2019", "description": "Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11 ", "url": "https://www.youtube.com/watch?v=XwSJ8hloGvY" }, { "source_name": "Schneider December 2018", "description": "Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08 ", "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01" }, { "source_name": "Schneider Electric December 2018", "description": "Schneider Electric 2018, December 14 Security Notification - EcoStruxure Triconex Tricon V3 Retrieved. 
2019/08/26 ", "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01" }, { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "BlackEnergy 3" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "name": "BlackEnergy 3", "description": "[BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It supports various plug-ins, including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)", "type": "malware", "x_mitre_version": "1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b", "created": "2017-05-31T21:32:59.661Z", "modified": "2021-04-29T14:49:39.188Z", "external_references": [ { "external_id": "S1002", "source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0004" }, { "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. 
Retrieved October 22, 2019.", "source_name": "Booz Allen Hamilton", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "ics-attack" ], "x_mitre_aliases": [ "EKANS", "SNAKEHOSE" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "type": "malware", "modified": "2021-10-21T14:00:00.188Z", "created": "2021-04-13T12:28:31.188Z", "description": "[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the \u201cSnake\u201d malware associated with the Turla group. 
The ICS processes documented within the malware\u2019s kill-list are similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020) The ransomware was initially reported as \u201cSnake\u201d; however, to avoid confusion with the unrelated Turla APT group, security researchers spelled it backwards as EKANS.", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "S0017", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0017" }, { "source_name": "Forbes Snake Ransomware June 2020", "description": "Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.", "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" }, { "source_name": "MalwareByes Honda and Enel Ransomware June 2020", "description": "MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.", "url": "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/" }, { "source_name": "Dragos EKANS February 2020", "description": "Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" }, { "source_name": "FireEye OT Ransomware July 2020", "description": "Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. 
Retrieved April 12, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html" }, { "source_name": "Pylos January 2020", "description": "Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.", "url": "https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/" }, { "source_name": "Dragos EKANS June 2020", "description": "Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/#_edn7" } ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f", "name": "EKANS", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "The DFIR Report, @TheDFIRReport", "Matt Brenton, Zurich Insurance Group" ], "x_mitre_aliases": [ "Ryuk" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "created": "2020-05-13T20:14:53.171Z", "x_mitre_version": "1.3", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0446", "url": "https://attack.mitre.org/software/S0446" }, { "source_name": "Ryuk", "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " }, { "source_name": "Bleeping Computer - Ryuk WoL", "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "description": "Abrams, L. (2021, January 14). 
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021." }, { "source_name": "FireEye Ryuk and Trickbot January 2019", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." }, { "source_name": "CrowdStrike Ryuk January 2019", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." }, { "source_name": "FireEye FIN6 Apr 2019", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. 
[Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", "modified": "2022-05-24T21:10:44.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Ryuk", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:32:59.661Z", "modified": "2022-05-24T14:00:00.188Z", "name": "ACAD/Medre.A", "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage. (Citation: ESET)", "external_references": [ { "source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/software/S1000", "external_id": "S1000" }, { "source_name": "ESET", "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 
2021/04/13 ", "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" } ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Edward Millington" ], "x_mitre_aliases": [ "REvil", "Sodin", "Sodinokibi" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "created": "2020-08-04T15:06:14.796Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0496", "url": "https://attack.mitre.org/software/S0496" }, { "source_name": "Sodin", "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)" }, { "source_name": "Sodinokibi", "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)" }, { "source_name": "Talos Sodinokibi April 2019", "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." 
}, { "source_name": "Secureworks REvil September 2019", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." }, { "source_name": "Cylance Sodinokibi July 2019", "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", "description": "Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." }, { "source_name": "Group IB Ransomware May 2020", "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." }, { "source_name": "G Data Sodinokibi June 2019", "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." }, { "source_name": "Intel 471 REvil March 2020", "url": "https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." }, { "source_name": "Kaspersky Sodin July 2019", "url": "https://securelist.com/sodin-ransomware/91473/", "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." }, { "source_name": "McAfee Sodinokibi October 2019", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "description": "McAfee. (2019, October 2). 
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." }, { "source_name": "Picus Sodinokibi January 2020", "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." }, { "source_name": "McAfee REvil October 2019", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020." }, { "source_name": "Secureworks GandCrab and REvil September 2019", "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." }, { "source_name": "Tetra Defense Sodinokibi March 2020", "url": "https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis", "description": "Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. 
[REvil](https://attack.mitre.org/software/S0496), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", "modified": "2022-05-24T21:09:01.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "REvil", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Linux", "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "KillDisk", "Win32/KillDisk.NBI", "Win32/KillDisk.NBH", "Win32/KillDisk.NBD", "Win32/KillDisk.NBC", "Win32/KillDisk.NBB" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "created": "2021-01-20T18:05:07.059Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0607", "url": "https://attack.mitre.org/software/S0607" }, { "source_name": "KillDisk Ransomware", "url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/", "description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021." }, { "source_name": "ESEST Black Energy Jan 2016", "url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/", "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016." 
}, { "source_name": "Trend Micro KillDisk 1", "url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html", "description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021." }, { "source_name": "Trend Micro KillDisk 2", "url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html", "description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. 
[KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", "modified": "2022-05-11T14:00:00.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "KillDisk", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence", "Joe Slowik - Dragos" ], "x_mitre_aliases": [ "Industroyer", "CRASHOVERRIDE", "Win32/Industroyer" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "created": "2021-01-04T20:42:21.997Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0604", "url": "https://attack.mitre.org/software/S0604" }, { "source_name": "CRASHOVERRIDE", "description": "(Citation: Dragos Crashoverride 2017)" }, { "source_name": "Win32/Industroyer", "description": "(Citation: ESET Industroyer)" }, { "source_name": "ESET Industroyer", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020." }, { "source_name": "Dragos Crashoverride 2017", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "description": "Dragos Inc.. (2017, June 13). 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020." }, { "source_name": "Dragos Crashoverride 2018", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "modified": "2022-05-23T21:22:34.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Industroyer", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_aliases": [ "Flame", "Flamer", "sKyWIper" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "type": "malware", "created": "2017-05-31T21:33:21.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0143", "external_id": "S0143" }, { "source_name": "Flame", "description": "(Citation: Kaspersky Flame)" }, { "source_name": "Flamer", "description": "(Citation: Kaspersky Flame) 
(Citation: Symantec Beetlejuice)" }, { "source_name": "sKyWIper", "description": "(Citation: Kaspersky Flame) (Citation: Crysys Skywiper)" }, { "source_name": "Kaspersky Flame", "description": "Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.", "url": "https://securelist.com/the-flame-questions-and-answers-51/34344/" }, { "source_name": "Symantec Beetlejuice", "description": "Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.", "url": "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" }, { "source_name": "Crysys Skywiper", "description": "sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.", "url": "https://www.crysys.hu/publications/files/skywiper.pdf" } ], "modified": "2022-04-25T14:00:00.188Z", "name": "Flame", "description": "Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "is_family": true }, { "definition": { "statement": "Copyright 2015-2022, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." 
}, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement", "x_mitre_attack_spec_version": "2.1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.104Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.203Z", "relationship_type": "mitigates", "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", "type": "relationship", "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "relationship_type": "detects", 
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.177Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.148Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.209Z", "relationship_type": "mitigates", "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.358Z", "relationship_type": "uses", "description": "[Dragonfly](https://attack.mitre.org/groups/G0002) utilized watering hole attacks on energy sector websites by 
injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "external_references": [ { "source_name": "Symantec Security Response July 2014", "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.128Z", "relationship_type": "mitigates", "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.210Z", "relationship_type": "mitigates", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.291Z", "relationship_type": "uses", "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "external_references": [ { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", "description": "Perform integrity checks of firmware before uploading it to a device. Utilize cryptographic hashes or digital signatures to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. The reference hash must be obtained from a trusted source that is independent of the channel used to retrieve the firmware image itself (e.g., the vendor site) or through a third-party verification service; a hash published alongside the image by the same untrusted source provides no assurance.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--052a20b2-6d57-42f6-b3cd-bbc508a0c969", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.371Z", "relationship_type": "uses", "description": "[HEXANE](https://attack.mitre.org/groups/G1001) has used malicious documents to drop malware and gain access into an environment. 
(Citation: Dragos)", "source_ref": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Dragos", "description": "Dragos Hexane Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/hexane/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.074Z", "modified": "2022-05-06T17:47:24.256Z", "relationship_type": "uses", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0005) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--06006cdb-688e-4632-91d5-a0340349048b", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.254Z", "relationship_type": "uses", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. 
(Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "external_references": [ { "source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" }, { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.183Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": 
"relationship--06c9c355-e0f0-488a-b7b0-5674877c19d6", "type": "relationship", "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", "type": "relationship", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "relationship_type": "detects", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.228Z", "relationship_type": "mitigates", "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.115Z", "relationship_type": "mitigates", "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.206Z", "relationship_type": "mitigates", "description": "Devices should authenticate all messages between master and outstation assets.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", "type": 
"relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.164Z", "relationship_type": "mitigates", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", "type": "relationship", "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.081Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--0a9292b6-3697-49bc-b41a-1c10853ae585", "type": "relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", 
"id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.355Z", "relationship_type": "uses", "description": "[APT33](https://attack.mitre.org/groups/G0003) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017) (Citation: Junnosuke Yagi March 2017)", "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "external_references": [ { "source_name": "Jacqueline O'Leary et al. September 2017", "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" }, { "source_name": "Junnosuke Yagi March 2017", "description": "Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 
2019/12/05 ", "url": "https://www.symantec.com/security-center/writeup/2017-030708-4403-99" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.074Z", "modified": "2022-05-06T17:47:24.255Z", "relationship_type": "uses", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0005) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "external_references": [ { "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 
2019/10/27 ", "url": "https://securelist.com/bad-rabbit-ransomware/82851/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.164Z", "relationship_type": "mitigates", "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move the system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "external_references": [ { "source_name": "N/A", "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" }, { "source_name": "ESET Research Whitepapers September 2018", "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" }, { "source_name": "Intel", "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 
2020/09/25 ", "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.070Z", "relationship_type": "mitigates", "description": "Provide an alternative method for sending critical command messages to outstations; this could include using radio/cell communication to send messages to a field technician who physically performs the control function.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" 
] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.181Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": 
"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.319Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.202Z", "relationship_type": "mitigates", "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.354Z", "relationship_type": "uses", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Dragos", "description": "Dragos Allanite Retrieved. 
2019/10/27 ", "url": "https://dragos.com/resource/allanite/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.357Z", "relationship_type": "uses", "description": "[APT33](https://attack.mitre.org/groups/G0003) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0003) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)", "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Jacqueline O'Leary et al. September 2017", "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" }, { "source_name": "Andy Greenburg June 2019", "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 
2020/01/03 ", "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.197Z", "relationship_type": "mitigates", "description": "Devices should authenticate all messages between master and outstation assets.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.209Z", "relationship_type": "mitigates", "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.137Z", "relationship_type": "mitigates", "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.229Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--10626671-941d-4a82-a835-56059058ef87", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.065Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.099Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.385Z", "relationship_type": "uses", "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. 
(Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", "url": "https://www.justice.gov/opa/press-release/file/1328521/download" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--10f8af1d-3a16-450d-bc42-28c2ccb1b20a", "type": "relationship", "source_ref": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", "type": "relationship", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "relationship_type": "detects", "target_ref": 
"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.234Z", "relationship_type": "mitigates", "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system-wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018) These audits should also identify whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Microsoft May 2017", "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" }, { "source_name": "Microsoft August 2018", "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 
2020/09/25 ", "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" }, { "source_name": "Microsoft February 2019", "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--1125d38f-3169-4d3f-8a0e-ec9ca51b6853", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:28:20.652Z", "modified": "2022-05-06T17:47:24.266Z", "relationship_type": "uses", "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0017) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device. (Citation: Ben Hunter and Fred Gutierrez July 2020)", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "external_references": [ { "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 
2021/04/12 ", "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" }, { "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" }, { "source_name": "Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt July 2020", "description": "Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt 2020, July 15 Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families Retrieved. 2021/04/12 ", "url": "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html" }, { "source_name": "Ben Hunter and Fred Gutierrez July 2020", "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", "type": "relationship", "created": "2022-03-09T23:42:34.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Secureworks IRON VIKING ", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
} ], "modified": "2022-03-09T23:42:34.056Z", "description": "(Citation: Secureworks IRON VIKING )", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.077Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:36:26.506Z", "modified": "2022-05-06T17:47:24.343Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. 
(Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "external_references": [ { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.071Z", "relationship_type": "mitigates", "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": 
"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.204Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": 
[ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--17525989-242e-4960-b59d-9ea62172263f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.366Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) used the Phishery tool kit to conduct spear phishing attacks and gather credentials. 
(Citation: Symantec September 2017) (Citation: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall July 2017) [Dragonfly 2.0](https://attack.mitre.org/groups/G0035) conducted a targeted spear phishing campaign against multiple electric utilities in North America. (Citation: Dragos Threat Intelligence September 2018) (Citation: Dragos Threat Intelligence 2018) ", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Symantec September 2017", "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 2017/09/14 ", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" }, { "source_name": "Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall July 2017", "description": "Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall 2017, July 07 Attack on Critical Infrastructure Leverages Template Injection Retrieved. 2019/12/05 ", "url": "https://blog.talosintelligence.com/2017/07/template-injection.html" }, { "source_name": "Dragos Threat Intelligence September 2018", "description": "Dragos Threat Intelligence 2018, September 17 THREAT INTELLIGENCE SUMMARY TR-2018-25: Phishing Campaign Targeting Electric Utility Companies Retrieved. 2020/01/03 ", "url": "https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf" }, { "source_name": "Dragos Threat Intelligence 2018", "description": "Dragos Threat Intelligence 2018 ICS Activity Groups and Threat Landscape Retrieved. 
2020/01/03 ", "url": "https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.128Z", "relationship_type": "mitigates", "description": "This technique may not be effectively mitigated against; consider controls for the assets and processes that lead to the use of this technique.\n", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.212Z", "relationship_type": "mitigates", "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.096Z", "relationship_type": "mitigates", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.152Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "N/A", "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ", "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.106Z", "relationship_type": "mitigates", "description": "Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. 
Use modern browsers with security features enabled.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.228Z", "relationship_type": "mitigates", "description": "If a user visits a link, block by default unknown or unused file types in transit that should not be downloaded, or that policy prohibits from suspicious sites, as a best practice to prevent some vectors (e.g., .scr, .exe, .pif, .cpl). 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
], "type": "relationship", "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.180Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "external_references": [ { "source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.285Z", "relationship_type": "uses", "description": "The [Industroyer](https://attack.mitre.org/software/S0001) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102. 
(Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.326Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:28:20.652Z", "modified": "2022-05-06T17:47:24.267Z", "relationship_type": "uses", "description": "[EKANS](https://attack.mitre.org/software/S0017) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "external_references": [ { "source_name": "Ben Hunter and Fred Gutierrez July 2020", "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1dfe3095-7c2e-4eba-ac4d-f9206b5ab7ad", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.373Z", "relationship_type": "uses", "description": "[HEXANE](https://attack.mitre.org/groups/G1001) has used valid IT accounts to extend their spearphishing campaign within an organization. (Citation: SecureWorks August 2019)", "source_ref": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "SecureWorks August 2019", "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 
2019/11/19 ", "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", "type": "relationship", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "relationship_type": "detects", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": 
"relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.123Z", "relationship_type": "mitigates", "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.344Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. 
(Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "external_references": [ { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.235Z", "relationship_type": "mitigates", "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. 
Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.305Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. (Citation: Tom Fakterman August 2019)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "external_references": [ { "source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 
2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.224Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.094Z", "relationship_type": "mitigates", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.084Z", "relationship_type": "mitigates", "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n", "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.303Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:36:26.506Z", "modified": "2022-05-06T17:47:24.301Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.089Z", "relationship_type": "mitigates", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. 
(Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.126Z", "relationship_type": "mitigates", "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.077Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.247Z", "relationship_type": "uses", "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S0018) can collect AutoCad files with drawings. These drawings may contain operational information. 
(Citation: ESET)\n", "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "ESET", "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.212Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.115Z", "relationship_type": "mitigates", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced 
Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" }, { "source_name": "Wikipedia", "description": "Wikipedia Control-flow integrity Retrieved. 
2020/09/25 ", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--23fea80c-51fa-420b-bb5b-48c9a5766b1a", "type": "relationship", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "relationship_type": "detects", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.138Z", "relationship_type": "mitigates", "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. 
(Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "external_references": [ { "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.169Z", "relationship_type": "mitigates", "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", "type": "relationship", "created": "2019-04-12T17:01:01.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "FireEye. (2018, October 03). 
APT38: Un-usual Suspects. Retrieved November 6, 2018.", "url": "https://content.fireeye.com/apt/rpt-apt38", "source_name": "FireEye APT38 Oct 2018" }, { "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", "source_name": "LogRhythm WannaCry" }, { "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "source_name": "FireEye WannaCry 2017" }, { "source_name": "SecureWorks WannaCry Analysis", "url": "https://www.secureworks.com/research/wcry-ransomware-analysis", "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019." } ], "modified": "2019-09-09T19:15:45.677Z", "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "relationship_type": "uses", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-10-14T21:33:27.046Z", "modified": "2022-05-06T17:47:24.390Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "external_references": [ { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.160Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.170Z", "relationship_type": "mitigates", "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. 
(Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.128Z", "relationship_type": "mitigates", "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.315Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2916cd9c-32d5-463a-a83b-448ef7720192", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", "modified": "2022-05-06T17:47:24.364Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) has been reported to take screenshots of the GUI for ICS equipment, such as HMIs. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.199Z", "relationship_type": "mitigates", "description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.127Z", "relationship_type": "mitigates", "description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.380Z", "relationship_type": "uses", "description": "In the 2015 attack on the Ukrainian power grid, the [Sandworm Team](https://attack.mitre.org/groups/G0007) scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.071Z", "relationship_type": "mitigates", "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.150Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", "type": "relationship", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "relationship_type": "detects", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.126Z", "relationship_type": "mitigates", "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", 
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", "type": "relationship", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "relationship_type": "detects", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": 
"2022-05-06T17:47:24.220Z", "relationship_type": "mitigates", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.173Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.201Z", "relationship_type": "mitigates", "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.240Z", "relationship_type": "mitigates", "description": "Reduce the range of RF communications to their intended operating range when possible. 
Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "external_references": [ { "source_name": "DHS National Urban Security Technology Laboratory April 2019", "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T17:59:24.739Z", "modified": "2022-05-06T17:47:24.226Z", "relationship_type": "mitigates", "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. 
(Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.322Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.092Z", "relationship_type": "mitigates", "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.201Z", "relationship_type": "mitigates", "description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. 
This may be even more useful in cases where the source of the executed script is unknown.\n", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.309Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "external_references": [ { "source_name": "McAfee Labs October 2019", "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 
2021/04/12 ", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3168a905-f398-403f-9345-de5893de1326", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", "modified": "2022-05-06T17:47:24.363Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks. 
(Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.302Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.374Z", "relationship_type": "uses", "description": "[Lazarus Group](https://attack.mitre.org/groups/G0008) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Novetta Threat Research Group February 2016", "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ", "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" }, { "source_name": "Eduard Kovacs March 2018", "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 
2020/01/03 ", "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-08T15:25:32.143Z", "modified": "2022-05-06T17:47:24.332Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--32dbed4e-4dbe-4872-a013-c96111ed102e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.383Z", "relationship_type": "uses", "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) harvested VPN worker credentials and used them to remotely log into control system networks. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) (Citation: Zetter, Kim March 2016) (Citation: ICS-CERT February 2016) (Citation: John Hultquist January 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" }, { "source_name": "Zetter, Kim March 2016", "description": "Zetter, Kim 2016, March 03 INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID Retrieved. 2019/03/08 ", "url": "https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/" }, { "source_name": "ICS-CERT February 2016", "description": "ICS-CERT 2016, February 25 Cyber-Attack Against Ukrainian Critical Infrastructure Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01" }, { "source_name": "John Hultquist January 2016", "description": "John Hultquist 2016, January 07 Sandworm Team and the Ukrainian Power Authority Attacks Retrieved. 2019/03/08 ", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.130Z", "relationship_type": "mitigates", "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. 
Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.092Z", "relationship_type": "mitigates", "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--3439d550-61d5-40b4-a514-341509d3f701", "type": "relationship", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "relationship_type": "detects", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", 
"x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.239Z", "relationship_type": "mitigates", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "external_references": [ { "source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.156Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. 
(Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "external_references": [ { "source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.168Z", "relationship_type": "mitigates", "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.341Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013)'s injector, inject.bin, masquerades as a standard compiled PowerPC program 
for the Tricon. (Citation: DHS CISA February 2019)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.345Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.142Z", "relationship_type": "mitigates", "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of MiTM activity.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.376Z", "relationship_type": "uses", "description": "[OilRig](https://attack.mitre.org/groups/G0010) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 
(Citation: Robert Falcone, Bryan Lee May 2016)", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.179Z", "relationship_type": "mitigates", "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", "source_ref": 
"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": 
"2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.311Z", "relationship_type": "uses", "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0011) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)", "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Kelly Jackson Higgins", "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ", "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.268Z", "relationship_type": "uses", "description": "[Flame](https://attack.mitre.org/software/S0015) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)", "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "Kevin Savage and Branko Spasojevic", "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 
2019/11/03 ", "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", "type": "relationship", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "relationship_type": "detects", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.102Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.259Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n", "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "external_references": [ { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", "type": "relationship", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "relationship_type": "detects", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.237Z", "relationship_type": "mitigates", "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. 
(Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "external_references": [ { "source_name": "CISA March 2010", "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-06T17:47:24.119Z", "relationship_type": "mitigates", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" }, { "source_name": "Wikipedia", "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--3b8cbbbf-a2a9-45a8-90bc-e8b5977fd91b", "type": "relationship", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "relationship_type": "detects", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.274Z", "relationship_type": "uses", "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0001) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoor's 'execute a shell command' commands. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.216Z", "relationship_type": "mitigates", "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.323Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) calls system function blocks which are part of the operating system running on the PLC. They're used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", "type": "relationship", "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "relationship_type": "detects", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": 
"2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.109Z", "relationship_type": "mitigates", "description": "Minimize the exposure of API calls that allow the execution of code.\n", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--3d97d618-71bd-4b48-8cd2-e7d57ef205dd", "type": "relationship", "source_ref": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08", "relationship_type": "detects", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.166Z", "relationship_type": "mitigates", "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.214Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.092Z", "relationship_type": "mitigates", "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.236Z", "relationship_type": "mitigates", "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. 
Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.251Z", "relationship_type": "uses", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. 
(Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "external_references": [ { "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 ", "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef", "type": "relationship", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", 
"relationship_type": "detects", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.145Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.160Z", "relationship_type": "mitigates", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": 
"2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.379Z", "relationship_type": "uses", "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) blocked reporting messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T17:59:24.739Z", "modified": "2022-05-06T17:47:24.187Z", "relationship_type": "mitigates", "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.178Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.185Z", "relationship_type": "mitigates", "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.289Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) attempts to connect with a 
hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "external_references": [ { "source_name": "Dragos Inc. June 2017", "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations Retrieved. 2017/09/18 ", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.120Z", "relationship_type": "mitigates", "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", "type": "relationship", "source_ref": 
"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "relationship_type": "detects", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.214Z", "relationship_type": "mitigates", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--4432dcbe-54ac-41cb-a50d-484a742f3583", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:36:26.506Z", "modified": "2022-05-06T17:47:24.166Z", "relationship_type": "mitigates", "description": "Minimize the exposure of API calls that allow the execution of code.\n", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.095Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \\gold-copy\\ back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.106Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.073Z", "relationship_type": "mitigates", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", "type": "relationship", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": 
[ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.164Z", "relationship_type": "mitigates", "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.294Z", "relationship_type": "uses", "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0008) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. (Citation: Kevin Beaumont) (Citation: Hydro)", "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Kevin Beaumont", "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 
2019/10/16 ", "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" }, { "source_name": "Hydro", "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", "modified": "2022-05-06T17:47:24.364Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.122Z", "relationship_type": "mitigates", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" }, { "source_name": "Wikipedia", "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 
2020/09/25 ", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.224Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.102Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:59:17.429Z", "modified": "2022-05-06T17:47:24.186Z", "relationship_type": "mitigates", "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are given priority over remote sessions and have the authority to regain control over a remote session if needed. 
Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.097Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", "type": "relationship", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "relationship_type": "detects", 
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--4a2f8d80-8098-482b-a4fb-b308b1f4cc99", "type": "relationship", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "relationship_type": "detects", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--4aa52c52-d5ec-4a54-97e3-db00bde08446", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4b34b947-ed1b-4aae-a2a9-5c1373760255", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": 
"2022-05-06T17:47:24.341Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "external_references": [ { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", "type": "relationship", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "relationship_type": "detects", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"type": "relationship", "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:59:17.429Z", "modified": "2022-05-06T17:47:24.189Z", "relationship_type": "mitigates", "description": "Segment and control software movement between business and OT environments by way of one-directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including Internet and email; further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "external_references": [ { "source_name": "North America Transmission Forum December 2019", "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T17:59:24.739Z", "modified": "2022-05-06T17:47:24.227Z", "relationship_type": "mitigates", "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. 
(Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "external_references": [ { "source_name": "Emerson Exchange", "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ", "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot" }, { "source_name": "National Security Agency February 2016", "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ", "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.090Z", "relationship_type": "mitigates", "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. 
(Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.321Z", "relationship_type": "uses", "description": "In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0010) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.277Z", "relationship_type": "uses", "description": "The [Industroyer](https://attack.mitre.org/software/S0001) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. (Citation: Anton Cherepanov, ESET June 2017) Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. 
(Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" }, { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.072Z", "relationship_type": "mitigates", "description": "Restrict unauthorized devices from accessing serial comm ports.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-24T17:20:24.258Z", "modified": "2022-05-06T17:47:24.261Z", "relationship_type": "uses", "description": "A [Conficker](https://attack.mitre.org/software/S0012) infection at a nuclear power plant forced the facility to shut down and go through the security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. (Citation: Catalin Cimpanu April 2016)", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.143Z", "relationship_type": "mitigates", "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-10T14:13:17.429Z", "modified": "2022-05-06T17:47:24.188Z", "relationship_type": "mitigates", "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.140Z", "relationship_type": "mitigates", "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": 
"2022-05-06T17:47:24.133Z", "relationship_type": "mitigates", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.208Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.299Z", "relationship_type": "uses", "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S0009) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.315Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) modifies the Import Address Tables of DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.352Z", "relationship_type": "uses", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "external_references": [ { "source_name": "Dragos", "description": "Dragos Allanite Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/allanite/" }, { "source_name": "ICS-CERT October 2017", "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2017/10/23 ", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", "type": 
"relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.362Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) utilized watering hole attacks to gather credentials by compromising websites that energy sector organizations might access. (Citation: Symantec September 2017) A line of code is injected into the header.php file; this is used to redirect visitors to an adversary-controlled IP. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "external_references": [ { "source_name": "Symantec September 2017", "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 2017/09/14 ", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" }, { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.075Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.339Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. 
(Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "external_references": [ { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.199Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.145Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \"gold-copy\" back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.166Z", "relationship_type": "mitigates", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"type": "relationship", "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.086Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.168Z", "relationship_type": "mitigates", "description": "Use multi-factor authentication wherever possible.\n", "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ 
"ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", "modified": "2022-05-06T17:47:24.368Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.145Z", "relationship_type": "mitigates", "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.201Z", "relationship_type": "mitigates", "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.123Z", "relationship_type": "mitigates", "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-06T17:47:24.338Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) 
leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. (Citation: DHS CISA February 2019)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", "type": "relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", "type": 
"relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.180Z", "relationship_type": "mitigates", "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.253Z", "relationship_type": "uses", "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) relies on a user opening a trojanized installer attached to an email. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" }, { "source_name": "Kyle Wilhoit", "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ", "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.209Z", "relationship_type": "mitigates", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"type": "relationship", "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.156Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "external_references": [ { "source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.303Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", "type": "relationship", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "relationship_type": "detects", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.182Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a 
device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.094Z", "relationship_type": "mitigates", "description": "System and process restarts should be performed when a timeout condition occurs.\n", "source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.068Z", "relationship_type": "mitigates", "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5d4b3eb8-5ed5-43ca-ac71-42f4a461b435", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.372Z", "relationship_type": "uses", "description": "[HEXANE](https://attack.mitre.org/groups/G1001) communicated with command and control over HTTP and DNS. (Citation: Dragos)", "source_ref": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "external_references": [ { "source_name": "Dragos", "description": "Dragos Hexane Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/hexane/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.150Z", "relationship_type": "mitigates", "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ 
"ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.201Z", "relationship_type": "mitigates", "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "external_references": [ { "source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.235Z", "relationship_type": "mitigates", "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.305Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. 
(Citation: Tom Fakterman August 2019)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "external_references": [ { "source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-06T17:47:24.117Z", "relationship_type": "mitigates", "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "external_references": [ { "source_name": "Dan Goodin March 2017", "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.195Z", "relationship_type": "mitigates", "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.199Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T16:19:52.358Z", "modified": "2022-05-06T17:47:24.297Z", "relationship_type": "uses", "description": "[NotPetya](https://attack.mitre.org/software/S0006) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "external_references": [ { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.122Z", "relationship_type": "mitigates", "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.061Z", "relationship_type": "mitigates", "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", "type": "relationship", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.342Z", 
"relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013)'s \\argument-setting\\ and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" }, { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--641813ea-66a9-4949-848f-db83420aac39", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.387Z", "relationship_type": "uses", "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--6424de09-251d-4936-98fe-876fad2a713b", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.272Z", 
"relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.101Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.198Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", "type": "relationship", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "relationship_type": "detects", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.166Z", "relationship_type": "mitigates", "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. 
This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", "type": "relationship", "created": "2021-09-21T15:47:37.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "IBM Ransomware Trends September 2020", "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." }, { "source_name": "CrowdStrike Carbon Spider August 2021", "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." }, { "source_name": "FBI Flash FIN7 USB", "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/", "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022." 
} ], "modified": "2022-01-14T17:29:16.633Z", "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)", "relationship_type": "uses", "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T16:19:52.358Z", "modified": "2022-05-06T17:47:24.296Z", "relationship_type": "uses", "description": "[NotPetya](https://attack.mitre.org/software/S0006) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.099Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--667df0e0-0995-4213-a98e-7efe7fa6b88e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.286Z", "relationship_type": "uses", "description": "The [Industroyer](https://attack.mitre.org/software/S0001) IEC 61850 component sends the domain-specific MMS getNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function. 
(Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.288Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) has the capability to stop a service itself, or to login as a user and stop a service as that user. 
(Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.184Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.353Z", "relationship_type": "uses", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Jeff Jones May 2018", "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 
2020/01/03 ", "url": "https://www.eisac.com/public-news-detail?id=115909" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--67abd801-72e2-4269-a063-cbd89d3c8f22", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.202Z", "relationship_type": "mitigates", "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--686cbd74-ef49-4e77-9599-21777d3a4738", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.174Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", "created": "2020-05-14T14:40:26.221Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020." }, { "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." 
}, { "source_name": "CrowdStrike Ryuk January 2019", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." }, { "source_name": "FireEye KEGTAP SINGLEMALT October 2020", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." }, { "source_name": "CrowdStrike Wizard Spider October 2020", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." }, { "source_name": "Sophos New Ryuk Attack October 2020", "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020." }, { "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." }, { "source_name": "DFIR Ryuk in 5 Hours October 2020", "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020." }, { "source_name": "DFIR Ryuk's Return October 2020", "url": "https://thedfirreport.com/2020/10/08/ryuks-return/", "description": "The DFIR Report. 
(2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "modified": "2022-05-20T17:07:10.940Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.214Z", "relationship_type": "mitigates", "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.263Z", "relationship_type": "uses", "description": "[Duqu](https://attack.mitre.org/software/S0014) downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance. 
(Citation: Symantec)", "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "Symantec", "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility cover terms, codenames). 
In many cases, this information may be necessary to support critical engineering, maintenance, or operational functions; therefore, it may not be feasible to implement.\n", "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.154Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Cryptographic hash functions (e.g., SHA-2, SHA-3) should preferably be used. (Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "external_references": [ { "source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--6a906975-390b-45f6-a81c-9ffeeb5ba327", "type": "relationship", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "relationship_type": "detects", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": 
"2022-05-06T17:47:24.136Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \\gold-copy\\ back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.147Z", "relationship_type": "mitigates", "description": "Only authorized personnel should be able to change settings for alarms.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.101Z", "relationship_type": "mitigates", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", "type": "relationship", "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"created": "2021-10-08T15:25:32.143Z", "modified": "2022-05-06T17:47:24.331Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s); (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", "type": "relationship", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.089Z", "relationship_type": "mitigates", "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T17:59:24.739Z", "modified": "2022-05-06T17:47:24.224Z", "relationship_type": "mitigates", "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.186Z", "relationship_type": "mitigates", "description": "All remote services should require strong authentication before providing user access.\n", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.252Z", "relationship_type": "uses", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.220Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. Where this is not possible, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.310Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) sends exfiltrated data from the victim's system using HTTPS POST messages sent to the C2 system. 
(Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "McAfee Labs October 2019", "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" }, { "source_name": "SecureWorks September 2019", "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.069Z", "relationship_type": "mitigates", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.112Z", "relationship_type": "mitigates", "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.300Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--70113c21-85f2-4232-8755-233f93864277", "type": "relationship", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.135Z", "relationship_type": "mitigates", "description": "Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to provide simultaneous, redundant, and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "external_references": [ { "source_name": "M. Rentschler and H. Heine", "description": "M. 
Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.346Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- while the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe -- which includes a Python environment. (Citation: DHS CISA February 2019)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--70a9010c-6943-4274-b854-50901c3e5a0e", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-24T17:20:24.258Z", "modified": "2022-05-06T17:47:24.262Z", "relationship_type": "uses", "description": "[Conficker](https://attack.mitre.org/software/S0012) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0012) automatically copies itself to all visible open drive shares on other computers inside the network. (Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0012) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "external_references": [ { "source_name": "Symantec June 2015", "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", "url": "https://support.symantec.com/us/en/article.tech93179.html" }, { "source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 
2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.394Z", "relationship_type": "uses", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0001) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. (Citation: Dragos December 2017)", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "external_references": [ { "source_name": "Dragos December 2017", "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 
2018/01/12 ", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.228Z", "relationship_type": "mitigates", "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.140Z", "relationship_type": "mitigates", "description": "To protect against MITM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). 
Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from MITM.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T16:19:52.358Z", "modified": "2022-05-06T17:47:24.297Z", "relationship_type": "uses", "description": "[NotPetya](https://attack.mitre.org/software/S0006) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. (Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", "description": "David Voreacos, Katherine Chinglinsky, Riley Griffin 2019, December 03 Merck Cyberattacks $1.3 Billion Question: Was It an Act of War? Retrieved. 
2019/12/06 ", "url": "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.356Z", "relationship_type": "uses", "description": "[APT33](https://attack.mitre.org/groups/G0003) utilized PowerShell scripts to establish command and control and install files for execution. (Citation: Symantec March 2019) (Citation: Dragos)", "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "Symantec March 2019", "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" }, { "source_name": "Dragos", "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 
2019/10/27 ", "url": "https://dragos.com/resource/magnallium/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.084Z", "relationship_type": "mitigates", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "external_references": [ { "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.333Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "external_references": [ { "source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 
2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.194Z", "relationship_type": "mitigates", "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "external_references": [ { "source_name": "D. Parsons and D. Wylie September 2019", "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" }, { "source_name": "Colin Gray", "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 
2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" }, { "source_name": "Josh Rinaldi April 2016", "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" }, { "source_name": "Aditya K Sood July 2019", "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" }, { "source_name": "Langner November 2018", "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.080Z", "relationship_type": "mitigates", "description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.108Z", "relationship_type": "mitigates", "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize users' access to only the API calls their role requires. (Citation: MITRE June 2020)\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "external_references": [ { "source_name": "MITRE June 2020", "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 2020/09/25 ", "url": "https://cwe.mitre.org/data/definitions/227.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.062Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", 
"x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--7656e5bd-3b46-4acd-a2d0-250cc7075ddc", "type": "relationship", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "relationship_type": "detects", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.264Z", "relationship_type": "uses", "description": "[Duqu](https://attack.mitre.org/software/S0014)'s purpose is to \"gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.\" (Citation: Symantec)", "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "Symantec", "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 
2019/11/03 ", "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.170Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T17:59:24.739Z", "modified": "2022-05-06T17:47:24.226Z", "relationship_type": "mitigates", "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. 
Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including Internet and email; further, limit the extent to which these devices are dual-homed to multiple networks, since a dual-homed workstation bypasses the DMZ boundary entirely. (Citation: North America Transmission Forum December 2019)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "external_references": [ { "source_name": "North America Transmission Forum December 2019", "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--79bca627-3c39-4e2f-86e2-5006cecc1d23", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": 
"2022-05-06T17:47:24.269Z", "relationship_type": "uses", "description": "[Flame](https://attack.mitre.org/software/S0015) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)", "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "Kevin Savage and Branko Spasojevic", "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.295Z", "relationship_type": "uses", "description": "Some of 
Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0008) infection. This resulted in a loss of view which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "external_references": [ { "source_name": "Kevin Beaumont", "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" }, { "source_name": "Hydro", "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.157Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": 
"2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.084Z", "relationship_type": "mitigates", "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting, so list-based blocking should be paired with monitoring of permitted egress rather than relied on alone.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.080Z", "relationship_type": "mitigates", "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.281Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.324Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.072Z", "relationship_type": "mitigates", "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--7d48e930-61c3-48e2-974e-a29d303c968f", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.079Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.156Z", "relationship_type": "mitigates", "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", "type": "relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.195Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.083Z", "relationship_type": "mitigates", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "external_references": [ { "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": 
"2022-05-06T17:47:24.071Z", "relationship_type": "mitigates", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.152Z", "relationship_type": "mitigates", "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.114Z", "relationship_type": "mitigates", "description": "Make it difficult for adversaries to advance their operation 
through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "external_references": [ { "source_name": "Dan Goodin March 2017", "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.140Z", "relationship_type": "mitigates", "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.098Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", "type": "relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": 
"2022-05-06T17:47:24.204Z", "relationship_type": "mitigates", "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.327Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Ralph Langner November 2013)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" }, { "source_name": "Ralph Langner November 2013", "description": "Ralph Langner 2013, November To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve Retrieved. 2018/03/27 ", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", "type": "relationship", "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.283Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001)'s OPC and IEC 61850 protocol modules include the ability to send \\stVal\\ requests to read the status of operational variables. 
(Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.270Z", "relationship_type": "uses", "description": "The [Industroyer](https://attack.mitre.org/software/S0001) SIPROTEC DoS module places the victim device into \\firmware update\\ mode. This is a legitimate use case under normal circumstances, but in this case is used by the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "external_references": [ { "source_name": "Joe Slowik August 2019", "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 
2019/10/22 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", "type": "relationship", "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "relationship_type": "detects", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.284Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.187Z", "relationship_type": "mitigates", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.384Z", "relationship_type": "uses", "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) utilized HMI GUIs in the SCADA environment to open breakers. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.368Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) trojanized legitimate software to deliver malware disguised as standard windows applications. (Citation: Symantec September 2017)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "external_references": [ { "source_name": "Symantec September 2017", "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 
2017/09/14 ", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.166Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.092Z", 
"relationship_type": "mitigates", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.313Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) uses a default password hardcoded in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.278Z", "relationship_type": "uses", "description": "The [Industroyer](https://attack.mitre.org/software/S0001) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--88da36ff-855b-4447-bfd1-3e34b30590e6", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": 
"relationship--892c0bff-17b6-447b-a213-6a3189a1df82", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.330Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) infects DLLs associated with the WinCC Simatic manager, which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the \\xyz.dll\\ file. 
If the \\xyz.dll\\ file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.273Z", "relationship_type": "uses", "description": "In [Industroyer](https://attack.mitre.org/software/S0001) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", "type": "relationship", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "relationship_type": "detects", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.135Z", "relationship_type": "mitigates", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.333Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) uses TriStation's default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "external_references": [ { "source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 
2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": 
"relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", "type": "relationship", "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "relationship_type": "detects", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.101Z", "relationship_type": "mitigates", "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--8da928a0-1c87-471f-aad7-5a1fdd438357", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": 
"1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.139Z", "relationship_type": "mitigates", "description": "Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "external_references": [ { "source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.248Z", "relationship_type": "uses", "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.195Z", "relationship_type": "mitigates", "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n", "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.120Z", "relationship_type": "mitigates", "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. 
(Citation: Dan Goodin March 2017)\n", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Dan Goodin March 2017", "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.179Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T10:12:26.506Z", "modified": "2022-05-06T17:47:24.250Z", "relationship_type": "uses", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "external_references": [ { "source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" }, { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--90dcb709-8f1b-4b37-bfc6-ef52a735dd7f", "type": "relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-06T17:47:24.119Z", "relationship_type": "mitigates", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.395Z", "relationship_type": "uses", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0001) used valid credentials when laterally moving through RDP jump boxes into the ICS environment. (Citation: Dragos December 2017)", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Dragos December 2017", "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--92865095-f63e-461c-9e32-e202d514747d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.370Z", "relationship_type": "uses", "description": "[HEXANE](https://attack.mitre.org/groups/G1001) utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools. (Citation: Ionut Arghire August 2019) (Citation: Jeffery Burt August 2019)", "source_ref": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "Ionut Arghire August 2019", "description": "Ionut Arghire 2019, August 28 Researchers Analyze Tools Used by 'Hexane' Attackers Against Industrial Firms Retrieved. 
2020/01/03 ", "url": "https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms" }, { "source_name": "Jeffery Burt August 2019", "description": "Jeffery Burt 2019, August 30 Lyceum APT Group a Fresh Threat to Oil and Gas Companies Retrieved. 2020/01/03 ", "url": "https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.130Z", "relationship_type": "mitigates", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", "type": "relationship", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "relationship_type": "detects", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.347Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the device's firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. 
(Citation: DHS CISA February 2019)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.300Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) copies itself to various Program Organization Units (POU) on the target device. 
The POUs include the Data Block, Function, and Function Block. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T21:33:27.046Z", "modified": "2022-05-06T17:47:24.388Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) used valid accounts to laterally move through VPN connections and dual-homed systems. (Citation: Dragos) (Citation: Dragos October 2018) In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Dragos", "description": "Dragos Electrum Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/electrum/" }, { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" }, { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.274Z", "relationship_type": "uses", "description": "The [Industroyer](https://attack.mitre.org/software/S0001) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. 
The first stage of range mode gathers Information Object Addresses (IOA) and sends \\select and execute\\ packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.112Z", "relationship_type": "mitigates", "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ 
"ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.153Z", "relationship_type": "mitigates", "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", "type": "relationship", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "relationship_type": "detects", 
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.115Z", "relationship_type": "mitigates", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.172Z", "relationship_type": "mitigates", "description": "Devices should authenticate all messages between master and outstation assets.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", "type": "relationship", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "relationship_type": "detects", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T21:33:27.046Z", "modified": "2022-05-06T17:47:24.391Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) used a VBS script to facilitate lateral tool transfer. 
The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\\\\Backinfo\\\\ufn.vbs C:\\\\Backinfo\\\\101.dll C:\\\\Delta\\\\101.dll (Citation: Dragos October 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "external_references": [ { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.127Z", "relationship_type": "mitigates", "description": "Set and enforce secure password policies for accounts.\n", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.276Z", "relationship_type": "uses", "description": 
"[Industroyer](https://attack.mitre.org/software/S0001) is able to block serial COM channels temporarily causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-06-24T17:20:24.258Z", "modified": "2022-05-06T17:47:24.261Z", "relationship_type": "uses", "description": "A [Conficker](https://attack.mitre.org/software/S0012) infection at a nuclear power plant forced the facility to temporarily shutdown. (Citation: Catalin Cimpanu April 2016)", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "external_references": [ { "source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 
2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.094Z", "relationship_type": "mitigates", "description": "Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "external_references": [ { "source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.075Z", "relationship_type": "mitigates", "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.203Z", "relationship_type": "mitigates", "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, 
{ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", "type": "relationship", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "relationship_type": "detects", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.232Z", "relationship_type": "mitigates", "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. 
MFA can also be used to restrict access to cloud resources and APIs.\n", "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.246Z", "relationship_type": "uses", "description": " (Citation: Dragos)", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "external_references": [ { "source_name": "Dragos", "description": "Dragos Xenotime Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/xenotime/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.203Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", "type": "relationship", "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", "type": "relationship", "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.280Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001)'s data wiper component removes the registry \\image path\\ throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.335Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py. 
(Citation: MDudek-ICS)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "external_references": [ { "source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] 
}, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9ebc0cc8-7be5-4d13-9540-8f0bb531b359", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.286Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: \\ctlSelOn\\, \\ctlOperOn\\, \\ctlSelOff\\, \\ctlOperOff\\, \\\\\\Pos and stVal\\. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", "created": "2021-01-04T21:30:14.830Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "ESET Industroyer", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020." }, { "source_name": "Dragos Crashoverride 2017", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "description": "Dragos Inc.. 
(2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020." }, { "source_name": "Dragos Crashoverride 2018", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020." }, { "source_name": "Secureworks IRON VIKING ", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING )", "modified": "2022-05-20T16:59:02.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.392Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) appears to use MS-SQL access to a pivot machine, allowing code execution throughout the ICS network. 
(Citation: Dragos October 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "external_references": [ { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.288Z", "relationship_type": "uses", "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0001) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", "type": "relationship", "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.278Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) is able to block serial COM channels temporarily causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.069Z", "relationship_type": "mitigates", "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.233Z", "relationship_type": "mitigates", "description": "Default usernames and passwords on applications and appliances should be changed immediately after installation, and before deployment to a production environment. 
(Citation: CISA June 2013)\n", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "CISA June 2013", "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.275Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) has a destructive wiper that \\overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files\\. (Citation: Dragos Inc. June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "external_references": [ { "source_name": "Dragos Inc. June 2017", "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 
2017/09/18 ", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.100Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.216Z", "relationship_type": "mitigates", "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A)Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018)Technologies such as Intel Boot Guard can assist with this. 
(Citation: Intel)\n", "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "external_references": [ { "source_name": "N/A", "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" }, { "source_name": "ESET Research Whitepapers September 2018", "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" }, { "source_name": "Intel", "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.298Z", "relationship_type": "uses", "description": "[PLC-Blaster](https://attack.mitre.org/software/S0009) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:28:20.652Z", "modified": "2022-05-06T17:47:24.268Z", "relationship_type": "uses", "description": "[EKANS](https://attack.mitre.org/software/S0017) infection resulted in a temporary production loss within a 
Honda manufacturing plant. (Citation: Davey Winder June 2020)", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Davey Winder June 2020", "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12 ", "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.279Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001)'s data wiper component removes the registry \\image path\\ throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", "type": "relationship", "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.217Z", "relationship_type": "mitigates", "description": "Patch the BIOS and EFI as necessary.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.123Z", "relationship_type": "mitigates", "description": "Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", "type": "relationship", "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.175Z", "relationship_type": "mitigates", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.126Z", "relationship_type": "mitigates", "description": "Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.381Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) actors exploited 
vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "external_references": [ { "source_name": "ICS-CERT December 2014", "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" }, { "source_name": "ICS CERT September 2018", "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ", "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.125Z", "relationship_type": "mitigates", "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.079Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.156Z", "relationship_type": "mitigates", "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.344Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. 
(Citation: MDudek-ICS)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "external_references": [ { "source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", "type": "relationship", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "relationship_type": "detects", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] 
}, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", "modified": "2022-05-06T17:47:24.361Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems including vendor names and ICS reference documents such as wiring diagrams and panel layouts. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.304Z", "relationship_type": "uses", "description": "The [REvil](https://attack.mitre.org/software/S0019) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. (Citation: Selena Larson, Camille Singleton December 2020)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Selena Larson, Camille Singleton December 2020", "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 
2021/04/12 ", "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.080Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.291Z", "relationship_type": "uses", "description": "[KillDisk](https://attack.mitre.org/software/S0016) deletes application, security, setup, and system event logs from Windows systems. (Citation: Anton Cherepanov)", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "external_references": [ { "source_name": "Anton Cherepanov", "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", "type": "relationship", "created": "2019-04-17T14:45:59.681Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "McKeague, B. et al. (2019, April 5). 
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "source_name": "FireEye FIN6 Apr 2019" } ], "modified": "2019-06-28T14:59:17.849Z", "description": "(Citation: FireEye FIN6 Apr 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.111Z", "relationship_type": "mitigates", "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. 
(Citation: Karen Scarfone; Paul Hoffman September 2009)\n", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.065Z", "relationship_type": "mitigates", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:59:17.429Z", "modified": 
"2022-05-06T17:47:24.188Z", "relationship_type": "mitigates", "description": "Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.167Z", "relationship_type": "mitigates", "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--aed56362-d7b5-4ec9-9016-b727eafca04d", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.133Z", "relationship_type": "mitigates", "description": "Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "external_references": [ { "source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.061Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": 
"2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", "type": "relationship", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "relationship_type": "detects", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.142Z", "relationship_type": "mitigates", "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.068Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.228Z", "relationship_type": "mitigates", "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.290Z", "relationship_type": "uses", "description": "[KillDisk](https://attack.mitre.org/software/S0016) is able to delete system files to make the system unbootable and 
targets 35 different types of files for deletion. (Citation: Anton Cherepanov)", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "external_references": [ { "source_name": "Anton Cherepanov", "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.385Z", "relationship_type": "uses", "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0007) developed and used malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.192Z", "relationship_type": "mitigates", "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "external_references": [ { "source_name": "D. Parsons and D. Wylie September 2019", "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" }, { "source_name": "Colin Gray", "description": "Colin Gray D. Parsons and D. 
Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" }, { "source_name": "Josh Rinaldi April 2016", "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" }, { "source_name": "Aditya K Sood July 2019", "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" }, { "source_name": "Langner November 2018", "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.239Z", "relationship_type": "mitigates", "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. 
(Citation: DHS National Urban Security Technology Laboratory April 2019)\n", "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "external_references": [ { "source_name": "DHS National Urban Security Technology Laboratory April 2019", "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.394Z", "relationship_type": "uses", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0001) targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "external_references": [ { "source_name": "Dragos Threat Intelligence August 2019", "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 
2020/01/03 ", "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", "type": "relationship", "created": "2017-05-31T21:33:27.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", "source_name": "iSIGHT Sandworm 2014" }, { "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "source_name": "F-Secure BlackEnergy 2014" }, { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "url": "https://www.justice.gov/opa/press-release/file/1328521/download", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." }, { "source_name": "UK NCSC Olympic Attacks October 2020", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." }, { "source_name": "Secureworks IRON VIKING ", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", "description": "Secureworks. (2020, May 1). 
IRON VIKING Threat Profile. Retrieved June 10, 2020." } ], "modified": "2022-02-28T17:02:50.401Z", "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.236Z", "relationship_type": "mitigates", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.393Z", "relationship_type": "uses", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0001) utilizes watering hole websites to target 
industrial employees. (Citation: Chris Bing May 2018)", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "external_references": [ { "source_name": "Chris Bing May 2018", "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03 ", "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.062Z", "relationship_type": "mitigates", "description": "All device or system changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--b3e19503-8d9c-472c-8c1d-8564778052c1", "type": "relationship", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "relationship_type": "detects", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.292Z", "relationship_type": "uses", "description": "[KillDisk](https://attack.mitre.org/software/S0016) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "external_references": [ { "source_name": "Anton Cherepanov", "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.143Z", "relationship_type": "mitigates", "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", "type": "relationship", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "relationship_type": "detects", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.293Z", "relationship_type": "uses", "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0008) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "external_references": [ { "source_name": "Kevin Beaumont", "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 
2019/10/16 ", "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" }, { "source_name": "Hydro", "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.143Z", "relationship_type": "mitigates", "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.200Z", "relationship_type": "mitigates", "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft 
WindowsGraphicsCapture APIs), however, these may be needed for other critical applications.\n", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b5f94430-be03-43ed-97e1-0424d783073e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T21:33:27.046Z", "modified": "2022-05-06T17:47:24.392Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) transfers executable files as .txt and then renames them to .exe, likely to avoid detection through extension tracking. (Citation: Dragos October 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "external_references": [ { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.143Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.232Z", "relationship_type": "mitigates", "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). 
(Citation: CISA June 2013)\n", "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "CISA June 2013", "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.128Z", "relationship_type": "mitigates", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. 
Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.172Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", "type": "relationship", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "relationship_type": "detects", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", 
"id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.134Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \\gold-copy\\ back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T17:59:24.739Z", "modified": "2022-05-06T17:47:24.226Z", "relationship_type": "mitigates", "description": "Update software on control network assets when possible. 
If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.097Z", "relationship_type": "mitigates", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--b95967ff-27e6-41e8-bec4-e0ceefa7cc6c", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": 
"1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.222Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.091Z", "relationship_type": "mitigates", "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. 
Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.146Z", "relationship_type": "mitigates", "description": "Require signed binaries.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--b9f77643-782c-4df0-9f29-81323d0c05d8", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.091Z", "relationship_type": "mitigates", "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.184Z", "relationship_type": "mitigates", "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.235Z", "relationship_type": "mitigates", "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.222Z", "relationship_type": "mitigates", "description": "Devices should authenticate all messages between master and outstation assets.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.112Z", "relationship_type": "mitigates", "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.328Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). 
On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify its own block DB890), this block's data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.214Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.311Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.203Z", "relationship_type": "mitigates", "description": "Deploy anti-virus on all systems that support external email.\n", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.082Z", "relationship_type": "mitigates", "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" 
] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.314Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.073Z", "relationship_type": "mitigates", "description": "Devices should authenticate all messages between master and outstation assets.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", "type": "relationship", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "relationship_type": "detects", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", "type": 
"relationship", "created": "2020-09-22T19:41:27.951Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Secureworks REvil September 2019", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." }, { "source_name": "Secureworks GandCrab and REvil September 2019", "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." } ], "modified": "2020-09-22T19:41:27.951Z", "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.183Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", "type": "relationship", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "relationship_type": "detects", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.204Z", "relationship_type": "mitigates", "description": "Consider restricting access to email within critical process environments. 
Additionally, downloads and attachments may be disabled if email is still necessary.\n", "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--c26a9375-be67-4b21-b027-33812a76ed93", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.097Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \\gold-copy\\ back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:28:20.652Z", "modified": "2022-05-06T17:47:24.265Z", "relationship_type": "uses", "description": "[EKANS](https://attack.mitre.org/software/S0017) masquerades itself as a valid executable with the filename \\update.exe\\. Many valid programs use the process name \\update.exe\\ to perform background software updates. 
(Citation: Dragos Threat Intelligence February 2020)", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "external_references": [ { "source_name": "Dragos Threat Intelligence February 2020", "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12 ", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.271Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) automatically collects protocol object data to learn about control devices in the environment. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.376Z", "relationship_type": "uses", "description": "[OilRig](https://attack.mitre.org/groups/G0010) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script. (Citation: Robert Falcone, Bryan Lee May 2016)", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 
2019/11/19 ", "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-25T19:13:54.947Z", "modified": "2022-05-06T17:47:24.349Z", "relationship_type": "uses", "description": "[WannaCry](https://attack.mitre.org/software/S0007) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", "type": "relationship", "created": "2020-06-10T18:36:54.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "NCSC Sandworm Feb 2020", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020." }, { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "url": "https://www.justice.gov/opa/press-release/file/1328521/download", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." }, { "source_name": "UK NCSC Olympic Attacks October 2020", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." }, { "source_name": "Secureworks IRON VIKING ", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." }, { "source_name": "Trend Micro Cyclops Blink March 2022", "url": "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "description": "Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. 
Retrieved March 17, 2022." } ], "modified": "2022-03-17T15:07:01.055Z", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.168Z", "relationship_type": "mitigates", "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.147Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \\gold-copy\\ back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.317Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.070Z", "relationship_type": "mitigates", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": 
"relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.211Z", "relationship_type": "mitigates", "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n", "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "external_references": [ { "source_name": "OWASP", "description": "OWASP Top 10 Web Application Security Risks Retrieved. 
2020/09/25 ", "url": "https://owasp.org/www-project-top-ten/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.132Z", "relationship_type": "mitigates", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "external_references": [ { "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.272Z", "relationship_type": "uses", "description": "In [Industroyer](https://attack.mitre.org/software/S0001) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.186Z", "relationship_type": "mitigates", "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.174Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "external_references": [ { "source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c848b096-3703-4962-b8a2-57682e26f31b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.389Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution. (Citation: Dragos October 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2022-05-06T17:47:21.168Z", "modified": "2022-05-06T17:47:24.348Z", "relationship_type": "uses", "description": "The [VPNFilter](https://attack.mitre.org/software/S0002)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "external_references": [ { "source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" }, { "source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 
2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T17:00:17.249Z", "modified": "2022-05-06T17:47:24.212Z", "relationship_type": "mitigates", "description": "A supply chain management program should include methods to assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "external_references": [ { "source_name": "Robert A. Martin January 2021", "description": "Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 
2021/04/12 ", "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.083Z", "relationship_type": "mitigates", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:59:24.739Z", "modified": "2022-05-06T17:47:24.187Z", "relationship_type": "mitigates", "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device 
management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.308Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. (Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "external_references": [ { "source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" }, { "source_name": "SecureWorks September 2019", "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 
2021/04/12 ", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.068Z", "relationship_type": "mitigates", "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.247Z", "relationship_type": "uses", "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S0018) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories. (Citation: ESET)\n", "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "ESET", "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 
2021/04/13 ", "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.282Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. 
(Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.105Z", "relationship_type": "mitigates", "description": "Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.081Z", "relationship_type": "mitigates", "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", 
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.105Z", "relationship_type": "mitigates", "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.349Z", "relationship_type": "uses", "description": "The [VPNFilter](https://attack.mitre.org/software/S0002) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. 
The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "external_references": [ { "source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" }, { "source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", "type": "relationship", "created": "2021-10-04T20:52:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET Lazarus KillDisk April 2018", "description": "K\u00e1lnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. 
Retrieved May 17, 2018.", "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" } ], "modified": "2021-10-04T20:54:09.057Z", "description": "(Citation: ESET Lazarus KillDisk April 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.178Z", "relationship_type": "mitigates", "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.321Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) infects PLCs with different code depending on the characteristics of the target system. 
An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.219Z", "relationship_type": "mitigates", "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.146Z", "relationship_type": "mitigates", "description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.320Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-06T17:47:24.338Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "external_references": [ { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.072Z", "relationship_type": "mitigates", "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": 
"relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", "type": "relationship", "created": "2021-01-20T21:03:13.436Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "url": "https://www.justice.gov/opa/press-release/file/1328521/download", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." }, { "source_name": "Secureworks IRON VIKING ", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." } ], "modified": "2022-02-28T17:02:50.467Z", "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.207Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.216Z", "relationship_type": "mitigates", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "source_ref": 
"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.208Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.141Z", "relationship_type": "mitigates", "description": "Disable unnecessary legacy network protocols that may be used for MiTM if applicable.\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.160Z", "relationship_type": "mitigates", "description": "All device or system changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.086Z", "relationship_type": "mitigates", "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.377Z", "relationship_type": "uses", "description": "[OilRig](https://attack.mitre.org/groups/G0010) communicated with its command and control using HTTP requests. 
(Citation: Robert Falcone, Bryan Lee May 2016)", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.227Z", "relationship_type": "mitigates", "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", "type": "relationship", "source_ref": 
"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d464d443-6298-47eb-b767-8f1136f6b6b5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.369Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) leveraged compromised user credentials to access the targets' networks and download tools from a remote server. (Citation: Dragos) (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Dragos", "description": "Dragos Dymalloy Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/dymalloy/" }, { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", "type": "relationship", "created": "2017-05-31T21:33:27.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" }, { "source_name": "Gigamon Berserk Bear October 2021", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." 
} ], "modified": "2021-12-07T18:39:07.922Z", "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", "relationship_type": "uses", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-25T19:13:54.947Z", "modified": "2022-05-06T17:47:24.350Z", "relationship_type": "uses", "description": "[WannaCry](https://attack.mitre.org/software/S0007) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "external_references": [ { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.209Z", "relationship_type": "mitigates", "description": "When available, utilize a hardware or software root-of-trust to verify the authenticity of a system. This may be achieved through cryptographic means, such as digital signatures or hashes compared against a trusted reference value, applied to critical software and firmware throughout the supply chain.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab", "type": "relationship", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "relationship_type": "detects", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, 
{ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.335Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "external_references": [ { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--d73dd5b6-5c66-405c-831f-fc020cdb1df1", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.074Z", "modified": "2022-05-06T17:47:24.257Z", "relationship_type": "uses", "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0005), resulting in some computers becoming encrypted, according to media reports. (Citation: Marc-Etienne M.L\u00e9veill\u00e9 October 2017)", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Marc-Etienne M.L\u00e9veill\u00e9 October 2017", "description": "Marc-Etienne M.L\u00e9veill\u00e9 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.340Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. 
(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "external_references": [ { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.208Z", "relationship_type": "mitigates", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. 
Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--d86e88d9-cfcb-4a0c-b60f-cb43afaf792d", "type": "relationship", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "relationship_type": "detects", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.194Z", "relationship_type": "mitigates", "description": "Consider the disabling of features such as AutoRun.\n", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ 
"ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.249Z", "relationship_type": "uses", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. (Citation: ICS-CERT August 2018)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "external_references": [ { "source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.259Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. 
(Citation: Booz Allen Hamilton)\n", "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", "type": "relationship", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "relationship_type": "detects", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--dbc7ce23-f51a-4f87-b024-8b9109b8bba7", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.170Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through message authentication code (MAC) functions or digital signatures. Where the protocol cannot, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:54.109Z", "modified": "2022-05-06T17:47:24.379Z", "relationship_type": "uses", "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render communication devices inoperable. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "external_references": [ { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.124Z", "relationship_type": "mitigates", "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. 
Be aware of multi-factor authentication interception techniques that affect some implementations.\n", "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.137Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \"gold-copy\" backup images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.108Z", "relationship_type": "mitigates", "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.168Z", "relationship_type": "mitigates", "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--df95c619-33ee-4484-934a-78857717323e", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": 
"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", "created": "2022-04-15T22:05:32.209Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-15T22:05:32.209Z", "relationship_type": "revoked-by", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.325Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", "type": "relationship", "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "relationship_type": "detects", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.227Z", "relationship_type": "mitigates", "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.251Z", "relationship_type": "uses", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0003) RAT is distributed through a trojanized installer attached to emails. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.123Z", "relationship_type": "mitigates", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": 
"2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", "type": "relationship", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "relationship_type": "detects", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--e1fed66a-fa4e-4d65-abfb-b01e2744e6c9", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--e21525ba-bf4d-4b50-8833-61ac1dd32f4d", "type": "relationship", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "relationship_type": "detects", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.318Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. (Citation: Ralph Langner November 2013) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "external_references": [ { "source_name": "Ralph Langner November 2013", "description": "Ralph Langner 2013, November To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve Retrieved. 2018/03/27 ", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" }, { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.307Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) uses the SMB protocol to encrypt files located on remotely connected file shares. (Citation: Max Heinemeyer February 2020)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "external_references": [ { "source_name": "Max Heinemeyer February 2020", "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 
2021/04/12 ", "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--e32f18e1-f88f-4af7-a798-0774bb646ab2", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.106Z", "relationship_type": "mitigates", "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.087Z", "relationship_type": "mitigates", "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "external_references": [ { "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.154Z", "relationship_type": "mitigates", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.081Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--e6f65513-facb-4e55-82e4-1d012a7173ec", "type": "relationship", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "relationship_type": "detects", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.109Z", "relationship_type": "mitigates", "description": "Application isolation will limit the other processes and system features an exploited target can access. 
Examples of built-in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.097Z", "relationship_type": "mitigates", "description": "Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "external_references": [ { "source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.104Z", "relationship_type": "mitigates", "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", 
"x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.088Z", "relationship_type": "mitigates", "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--e95531d9-93df-46be-a580-21b0c571186a", "type": "relationship", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", "type": "relationship", "created": "2020-05-14T14:41:42.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. 
Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "source_name": "FireEye FIN6 Apr 2019" } ], "modified": "2020-05-15T19:15:35.568Z", "description": "(Citation: FireEye FIN6 Apr 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.336Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) disables a firmware RAM/ROM consistency check after injecting a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "external_references": [ { "source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" }, { "source_name": "ICS-CERT December 2018", "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" }, { "source_name": "Schneider Electric January 2018", "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" }, { "source_name": "The Office of Nuclear Reactor Regulation", "description": "The Office of Nuclear Reactor Regulation Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ", "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ea7c032f-da08-4c6f-b74e-0565dc5be02e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "modified": "2022-05-06T17:47:24.287Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each. (Citation: Anton Cherepanov, ESET June 2017)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.230Z", "relationship_type": "mitigates", "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. 
(Citation: Keith Stouffer May 2015)\n", "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.101Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-08T15:25:32.143Z", "modified": "2022-05-06T17:47:24.331Z", "relationship_type": "uses", "description": "[Stuxnet](https://attack.mitre.org/software/S0010) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--eaffb916-14cc-4c88-a943-0e6402ccc9e1", "type": "relationship", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "relationship_type": "detects", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", "type": "relationship", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "relationship_type": "detects", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": 
"2021-10-08T15:42:24.739Z", "modified": "2022-05-06T17:47:24.389Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0007) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. June 2017)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "external_references": [ { "source_name": "Dragos Inc. June 2017", "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.175Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.177Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.139Z", "relationship_type": "mitigates", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--ed432378-62bc-433c-b61b-6d87997c33f4", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.074Z", "modified": "2022-05-06T17:47:24.258Z", "relationship_type": "uses", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0005) is disguised as an Adobe Flash installer. 
When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "external_references": [ { "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", "url": "https://securelist.com/bad-rabbit-ransomware/82851/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:49:06.044Z", "modified": "2022-05-06T17:47:24.306Z", "relationship_type": "uses", "description": "[REvil](https://attack.mitre.org/software/S0019) utilizes JavaScript, WScript, and PowerShell scripts to execute. 
The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "external_references": [ { "source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.260Z", "relationship_type": "uses", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n", "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--ee3309e1-12fb-4f5e-8fe6-6426cca19811", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.065Z", "relationship_type": "mitigates", "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.140Z", "relationship_type": "mitigates", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of \"gold-copy\" back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "external_references": [ { "source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.231Z", "relationship_type": "mitigates", "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { "source_name": "Schweitzer Engineering Laboratories August 2015", "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" 
} ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.076Z", "relationship_type": "mitigates", "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.360Z", "relationship_type": "uses", "description": "[Dragonfly](https://attack.mitre.org/groups/G0002) trojanized legitimate ICS equipment providers' software packages available for download on their websites. 
(Citation: Symantec Security Response July 2014)", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "external_references": [ { "source_name": "Symantec Security Response July 2014", "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.109Z", "relationship_type": "mitigates", "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "external_references": [ { "source_name": "McCarthy, J et al. July 2018", "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 
2020/09/17 ", "url": "https://doi.org/10.6028/NIST.SP.1800-2" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.160Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.316Z", "relationship_type": "uses", "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0010) prevents an operator from noticing unauthorized commands sent to the peripheral. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T18:59:17.429Z", "modified": "2022-05-06T17:47:24.189Z", "relationship_type": "mitigates", "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f130282b-f681-455f-966b-55829842be92", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.328Z", "relationship_type": "uses", "description": "One of [Stuxnet](https://attack.mitre.org/software/S0010)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnet's own code. Stuxnet contains code to monitor and intercept these types of requests. 
The rootkit modifies these requests so that Stuxnet's PLC code is not discovered or damaged. (Citation: Ralph Langner November 2013)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "external_references": [ { "source_name": "Ralph Langner November 2013", "description": "Ralph Langner 2013, November To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve Retrieved. 2018/03/27 ", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", "type": "relationship", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "relationship_type": "detects", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.065Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "external_references": [ { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.150Z", "relationship_type": "mitigates", "description": "All device or system changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "modified": "2022-05-06T17:47:24.323Z", "relationship_type": "uses", "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus, a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0010) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", "type": "relationship", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "relationship_type": "detects", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", "type": "relationship", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "relationship_type": "detects", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--f2e9ed5f-e92c-4964-8e9d-1a02e7da2728", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-12T07:57:26.506Z", "modified": "2022-05-06T17:47:24.280Z", "relationship_type": "uses", "description": "[Industroyer](https://attack.mitre.org/software/S0001) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Dragos October 2018)", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", "external_references": [ { "source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:08:26.506Z", "modified": "2022-05-06T17:47:24.118Z", "relationship_type": "mitigates", "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.180Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.091Z", "relationship_type": "mitigates", "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", "type": "relationship", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "relationship_type": "detects", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-13T17:59:24.739Z", "modified": "2022-05-06T17:47:24.346Z", "relationship_type": "uses", "description": "[Triton](https://attack.mitre.org/software/S0013) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "external_references": [ { "source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.378Z", "relationship_type": "uses", "description": "[OilRig](https://attack.mitre.org/groups/G0010) utilized stolen credentials to gain access to victim machines. 
(Citation: Dragos)", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { "source_name": "Dragos", "description": "Dragos Chrysene Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/chrysene/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", "modified": "2022-05-06T17:47:24.361Z", "relationship_type": "uses", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138. 
(Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.139Z", "relationship_type": "mitigates", "description": "Communication authenticity ensures that any messages tampered with through MITM can be detected, but by itself it does not prevent eavesdropping on them; protecting message content from eavesdropping additionally requires encryption. 
In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various MITM procedures.\n", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.147Z", "relationship_type": "mitigates", "description": "Use file system access controls to protect system and application folders.\n", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-06T17:47:24.375Z", "relationship_type": "uses", "description": "[OilRig](https://attack.mitre.org/groups/G0010) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. 
(Citation: Eduard Kovacs May 2018)", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "external_references": [ { "source_name": "Eduard Kovacs May 2018", "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 2020/01/03 ", "url": "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.104Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": 
"detects", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.070Z", "relationship_type": "mitigates", "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.185Z", "relationship_type": "mitigates", "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.184Z", "relationship_type": "mitigates", "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. 
Ensure the signing keys are not easily accessible on the same system.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.175Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.804Z", "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", "type": "relationship", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "relationship_type": "detects", "target_ref": 
"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.807Z", "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.806Z", "id": "relationship--fc1ebb31-4e15-4638-8706-00505ba00b9a", "type": "relationship", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "relationship_type": "detects", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", "type": "relationship", 
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "relationship_type": "detects", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-06T17:47:24.351Z", "relationship_type": "uses", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "external_references": [ { "source_name": "Eduard Kovacs May 2018", "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 
2020/01/03 ", "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.808Z", "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", "type": "relationship", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "relationship_type": "detects", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.111Z", "relationship_type": "mitigates", "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.106Z", "relationship_type": "mitigates", "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--fd856176-396c-4121-9754-35e49bfa5758", "type": "relationship", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "relationship_type": "detects", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.803Z", "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", "type": "relationship", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "relationship_type": "detects", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.060Z", "relationship_type": "mitigates", "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.074Z", "modified": "2022-05-06T17:47:24.257Z", "relationship_type": "uses", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0005) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "external_references": [ { "source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.805Z", "id": "relationship--ffc80065-cd83-4536-89d7-fe80ab5a5ad4", "type": "relationship", "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "relationship_type": "detects", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Windows Registry Key Deletion", "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "type": "x-mitre-data-component", "created": 
"2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Network Connection Creation", "description": "Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "File Access", "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "File Creation", "description": "Initial construction of a new file (ex: Sysmon EID 11)", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Network Traffic Content", "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Logon Session Metadata", "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Process Creation", "description": "Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Drive Creation", "description": "Initial construction of a drive letter or mount point to a data storage device", "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.802Z", "type": "x-mitre-data-component", "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "name": "Process/Event Alarm", "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", "x_mitre_version": "1.0", "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Drive Modification", "description": "Changes made to a drive letter or mount point of a data storage device", "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Service Creation", "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)", "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": 
"2022-05-24T14:00:00.188Z", "name": "Process Termination", "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "File Metadata", "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Command Execution", "description": "Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)", "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Service Metadata", "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Scheduled Job Metadata", "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "File Modification", "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.802Z", "type": "x-mitre-data-component", "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "name": "Process History/Live Data", "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", "x_mitre_version": "1.0", "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "OS API Execution", "description": "Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)", "x_mitre_data_source_ref": 
"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Application Log Content", "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Logon Session Creation", "description": "Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)", "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.802Z", "type": "x-mitre-data-component", "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "name": "Device Alarm", "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", "x_mitre_version": "1.0", "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Script Execution", "description": "Launching a list of commands through a script file (ex: Windows EID 4104)", "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Network Traffic Flow", "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", 
"x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "User Account Authentication", "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)", "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Firmware Modification", "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)", "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Module Load", "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Windows Registry Key Modification", "description": "Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)", "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "File Deletion", "description": "Removal of a file (ex: Sysmon EID 23, 
macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Network Share Access", "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)", "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ 
"ics-attack" ] }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "name": "Scheduled Job Modification", "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)", "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_domains": [ "ics-attack" ] }, { "x_mitre_platforms": [ "Azure AD", "Containers", "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Cloud Control Plane", "Container", "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0002", "external_id": "DS0002" } ], "modified": "2022-03-30T14:26:51.807Z", "name": "User Account", "description": "A profile representing a user, device, service, or application used to authenticate and access resources", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows" ], 
"x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0024", "external_id": "DS0024" }, { "source_name": "Microsoft Registry", "description": "Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" } ], "modified": "2022-05-11T14:00:00.188Z", "name": "Windows Registry", "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Windows" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0012", "external_id": "DS0012" }, { "source_name": "Microsoft PowerShell Logging", "description": "Microsoft. (2020, March 30). about_Logging_Windows. 
Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7" }, { "source_name": "FireEye PowerShell Logging", "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" }, { "source_name": "Microsoft AMSI", "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" } ], "modified": "2021-11-10T09:30:48.698Z", "name": "Script", "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "x_mitre_collection_layers": [ "host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.802Z", "type": "x-mitre-data-source", "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "name": "Operational Databases", "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0040", "external_id": "DS0040" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_collection_layers": [ "Cloud Control Plane", "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0015", "external_id": "DS0015" }, { "source_name": "Confluence Logs", "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.", "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" } ], "modified": "2022-05-11T14:00:00.188Z", "name": "Application Log", "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Azure AD", "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Cloud Control Plane", "Host", "Network" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0028", "external_id": "DS0028" }, { "source_name": "Microsoft Audit Logon Events", "description": "Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" } ], "modified": "2022-03-30T14:26:51.805Z", "name": "Logon Session", "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorizaton(Citation: Microsoft Audit Logon Events)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Network", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "created": "2021-10-20T15:05:19.273Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "DS0022", "url": "https://attack.mitre.org/data-sources/DS0022" }, { "source_name": "Microsoft File Mgmt", "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", "modified": "2022-04-21T14:50:59.123Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "File", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0016", "external_id": "DS0016" }, { "source_name": "Sysmon EID 9", "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. 
Retrieved September 24, 2021.", "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" } ], "modified": "2022-03-30T14:26:51.804Z", "name": "Drive", "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Containers", "Linux", "Network", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "Austin Clark, @c2defense" ], "x_mitre_collection_layers": [ "Container", "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "created": "2021-10-20T15:05:19.273Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "DS0017", "url": "https://attack.mitre.org/data-sources/DS0017" }, { "source_name": "Confluence Linux Command Line", "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html", "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021." }, { "source_name": "Audit OSX", "url": "https://www.scip.ch/en/?labs.20150108", "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", "modified": "2022-04-20T18:09:26.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Command", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0033", "external_id": "DS0033" }, { "source_name": "Microsoft NFS Overview", "description": "Microsoft. (2018, July 9). Network File System overview. 
Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" } ], "modified": "2022-03-30T14:26:51.806Z", "name": "Network Share", "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "IaaS", "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "ExtraHop" ], "x_mitre_collection_layers": [ "Cloud Control Plane", "Host", "Network" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0029", "external_id": "DS0029" } ], "modified": "2022-03-30T14:26:51.806Z", "name": "Network Traffic", "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Containers", "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Container", "Host" ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0003", "external_id": "DS0003" }, { "source_name": "Microsoft Tasks", "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" } ], "modified": "2022-03-30T14:26:51.806Z", "name": "Scheduled Job", "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0001", "external_id": "DS0001" } ], "modified": "2022-03-30T14:26:51.805Z", "name": "Firmware", "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0019", "external_id": "DS0019" }, { "source_name": "Microsoft Services", "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" }, { "source_name": "Linux Services Run Levels", "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. 
Retrieved September 28, 2021.", "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" } ], "modified": "2022-03-30T14:26:51.807Z", "name": "Service", "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0009", "external_id": "DS0009" }, { "source_name": "Microsoft Processes and Threads", "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" } ], "modified": "2022-03-30T14:26:51.806Z", "name": "Process", "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0011", "external_id": "DS0011" }, { "source_name": "Microsoft LoadLibrary", "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" }, { "source_name": "Microsoft Module Class", "description": "Microsoft. (n.d.). Module Class. 
Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" } ], "modified": "2022-03-30T14:26:51.806Z", "name": "Module", "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "tactic_refs": [ "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279" ], "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "ics-attack", "url": "https://attack.mitre.org/matrices/ics/" } ], "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7", "modified": 
"2022-05-24T14:00:00.188Z", "name": "ATT&CK for ICS", "type": "x-mitre-matrix", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. 
Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0107", "url": "https://attack.mitre.org/tactics/TA0107" } ], "id": "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", "modified": "2022-05-06T17:47:24.396Z", "name": "Inhibit Response Function", "type": "x-mitre-tactic", "x_mitre_shortname": "inhibit-response-function", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-tactic", "id": "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", "created": "2021-04-10T17:32:33.899Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "TA0111", "url": "https://attack.mitre.org/tactics/TA0111" } ], "x_mitre_deprecated": false, "revoked": false, "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.", "modified": "2022-05-23T21:37:22.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. 
Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0109", "url": "https://attack.mitre.org/tactics/TA0109" } ], "id": "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", "modified": "2022-05-06T17:47:24.396Z", "name": "Lateral Movement", "type": "x-mitre-tactic", "x_mitre_shortname": "lateral-movement-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. 
A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0102", "url": "https://attack.mitre.org/tactics/TA0102" } ], "id": "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", "modified": "2022-05-06T17:47:24.396Z", "name": "Discovery", "type": "x-mitre-tactic", "x_mitre_shortname": "discovery-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. 
Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0108", "url": "https://attack.mitre.org/tactics/TA0108" } ], "id": "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", "modified": "2022-05-06T17:47:24.396Z", "name": "Initial Access", "type": "x-mitre-tactic", "x_mitre_shortname": "initial-access-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2019-03-14T18:44:44.639Z", "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. 
In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary\u2019s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0105", "url": "https://attack.mitre.org/tactics/TA0105" } ], "id": "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279", "modified": "2022-05-06T17:47:24.396Z", "name": "Impact", "type": "x-mitre-tactic", "x_mitre_shortname": "impact-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. 
This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0110", "url": "https://attack.mitre.org/tactics/TA0110" } ], "id": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "modified": "2022-05-06T17:47:24.396Z", "name": "Persistence", "type": "x-mitre-tactic", "x_mitre_shortname": "persistence-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. 
Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0104", "url": "https://attack.mitre.org/tactics/TA0104" } ], "id": "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", "modified": "2022-05-06T17:47:24.396Z", "name": "Execution", "type": "x-mitre-tactic", "x_mitre_shortname": "execution-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. 
Command and Control may be established to varying degrees of stealth, often depending on the victim\u2019s network structure and defenses.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0101", "url": "https://attack.mitre.org/tactics/TA0101" } ], "id": "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", "modified": "2022-05-06T17:47:24.395Z", "name": "Command and Control", "type": "x-mitre-tactic", "x_mitre_shortname": "command-and-control-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary\u2019s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. 
Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0100", "url": "https://attack.mitre.org/tactics/TA0100" } ], "id": "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", "modified": "2022-05-06T17:47:24.395Z", "name": "Collection", "type": "x-mitre-tactic", "x_mitre_shortname": "collection-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. 
Methods of defense evasion for this purpose are often more passive in nature.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0103", "url": "https://attack.mitre.org/tactics/TA0103" } ], "id": "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", "modified": "2022-05-06T17:47:24.396Z", "name": "Evasion", "type": "x-mitre-tactic", "x_mitre_shortname": "evasion-ics", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "x_mitre_domains": [ "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created": "2018-10-17T00:14:20.652Z", "description": "The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause detrimental effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. 
Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-ics-attack", "external_id": "TA0106", "url": "https://attack.mitre.org/tactics/TA0106" } ], "id": "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", "modified": "2022-05-06T17:47:24.396Z", "name": "Impair Process Control", "type": "x-mitre-tactic", "x_mitre_shortname": "impair-process-control", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "spec_version": "2.1" }, { "type": "relationship", "id": "relationship--1244a56a-1faf-4898-9f2f-fda78b665276", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-24T14:00:00.188Z", "relationship_type": "uses", "description": " (Citation: Anton Cherepanov, Robert Lipovsky October 2018)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "external_references": [ { "source_name": "Anton Cherepanov, Robert Lipovsky October 2018", "description": "Anton Cherepanov, Robert Lipovsky 2018, October 11 New TeleBots backdoor: First evidence linking Industroyer to NotPetya Retrieved. 
2019/12/02 ", "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "id": "relationship--39c957e3-f89b-4b41-93af-bde08f00ce36", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-24T14:00:00.188Z", "relationship_type": "uses", "description": " (Citation: CISA May 2017) (Citation: Symantec Security Response May 2017)", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "external_references": [ { "source_name": "CISA May 2017", "description": "CISA 2017, May 12 Alert (TA17-132A) Retrieved. 2019/10/31 ", "url": "https://www.us-cert.gov/ncas/alerts/TA17-132A" }, { "source_name": "Symantec Security Response May 2017", "description": "Symantec Security Response 2017, May 22 WannaCry: Ransomware attacks show strong links to Lazarus group Retrieved. 
2019/12/09 ", "url": "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "id": "relationship--5fe3f0a3-1330-4b51-be17-b38a54b6e605", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "modified": "2022-05-24T14:00:00.188Z", "relationship_type": "uses", "description": " (Citation: Symantec September 2017)", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "external_references": [ { "source_name": "Symantec September 2017", "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 
2017/09/14 ", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "id": "relationship--710999e7-8f0d-4028-b42b-5cfb7d9cb031", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "modified": "2022-05-24T14:00:00.188Z", "relationship_type": "uses", "description": " (Citation: Andy Greenberg)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "external_references": [ { "source_name": "Andy Greenberg", "description": "Andy Greenberg Retrieved. 2019/10/16 ", "url": "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "id": "relationship--866774a2-ce03-4682-ab7e-b9570adb093b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:45.694Z", "modified": "2022-05-24T14:00:00.188Z", "relationship_type": "uses", "description": " (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "external_references": [ { "source_name": "UNITED STATES 
DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", "url": "https://www.justice.gov/opa/press-release/file/1328521/download" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "id": "relationship--86ce5a6d-18da-4631-b6d6-7b22f2de5152", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-11T14:06:45.694Z", "modified": "2022-05-24T14:00:00.188Z", "relationship_type": "uses", "description": " (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "external_references": [ { "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 
2021/04/07 ", "url": "https://www.justice.gov/opa/press-release/file/1328521/download" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2022-05-24T14:00:00.188Z", "created": "2022-05-11T16:22:58.802094Z", "type": "x-mitre-data-source", "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", "name": "Assets", "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations", "x_mitre_collection_layers": [ "host" ], "x_mitre_contributors": [], "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0039", "external_id": "DS0039" } ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true }, { "type": "relationship", "id": "relationship--533175a0-7555-4342-a461-1ab1cd183b31", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2022-04-21T22:02:01.298599Z", "modified": "2022-05-11T14:00:00.188Z", "relationship_type": "uses", "description": "The [VPNFilter](https://attack.mitre.org/software/S0002)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. 
Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "external_references": [ { "source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" }, { "source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--00f7ecba-7692-4b7f-b9d8-193c67b11ccc", "type": "relationship", "created": "2021-04-13T12:45:26.506Z", "relationship_type": "mitigates", "description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--05ac3316-a770-4c5d-b164-3494590395dd", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--12e936f4-cd52-40b2-8463-b76827649ebb", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All communication sessions with the historian should be authenticated to prevent unauthorized access.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": "2022-04-25T14:00:00.188Z", "id": 
"relationship--1ef966c6-36e0-4952-971f-cf9dee711478", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--21811a5f-75c3-447e-98f6-0431b4de124d", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "description": "[Backdoor.Oldrea](https://collaborate.mitre.org/attackics/index.php/Software/S0003) enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id.(Citation: FireEye Havex Jul 2014)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--2cacc971-b132-47a2-a7b6-94900bb6983c", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye Havex Jul 2014", "description": "Kyle Wilhoit. (2014, July 17). Havex, It\u2019s Down With OPC. 
Retrieved October 22, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "description": "[Dragonfly](https://collaborate.mitre.org/attackics/index.php/Group/G0002) communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138.(Citation: CISA Alert (TA17-293A))", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--2da5cf39-7937-4ed3-b847-cb1926e6a4a5", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Alert (TA17-293A)", "description": "ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved October 23, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays.(Citation: Dragos CRASHOVERRIDE Oct 2018)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--2e1d172e-709b-4a30-8949-9494ccb7a2a9", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Dragos CRASHOVERRIDE Oct 2018", "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved October 14, 2019.", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--3a73f450-a73a-4202-bf40-f1ec168d2ca6", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Filter network traffic to data historians to ensure only authorized data flows are allowed, especially across network boundaries.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "description": "[PLC-Blaster](https://collaborate.mitre.org/attackics/index.php/Software/S0009) utilizes the PLC communication and management API to load executable Program Organization Units.(Citation: BlackHat Mar 2016)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--425c5160-17e0-44eb-9f4b-1a8e216b56a2", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "BlackHat Mar 2016", "description": 
"Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--430f0cb6-26aa-4bb6-b0f5-f1a5f6b3bdff", "type": "relationship", "created": "2021-04-13T12:45:26.506Z", "relationship_type": "mitigates", "description": "Ensure proper network segmentation is followed to protect critical servers and devices.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--4798d35e-5df7-4f9c-b5bd-354669aecf2c", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with.", 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--50c20ad6-d88f-467a-954b-cc469f1723e6", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--515914bd-654c-43b7-888f-8d755b961fba", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Update software on control network assets when possible. 
If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "description": "[NotPetya](https://collaborate.mitre.org/attackics/index.php/Software/S0006) can utilize exposed SMB services to access industrial networks.(Citation: Dragos Apr 2019)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-26T16:19:52.358Z", "id": "relationship--5258c355-677c-452d-b1fc-27767232437b", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Dragos Apr 2019", "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "description": "In the version of [Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013) available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. 
The modules that implement the communication protocol and other supporting components are found in a separate file -- library.zip -- while the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment.(Citation: DHS CISA MAR-17-351-01 HatMan Feb 2019)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--53e6cf7c-e60b-4b83-8bb4-c0266e8a0c94", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "DHS CISA MAR-17-351-01 HatMan Feb 2019", "description": "DHS CISA. (2019, February 27). MAR-17-352-01 HatMan\u2014Safety System Targeted Malware (Update B). Retrieved March 8, 2019.", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "description": "[WannaCry](https://collaborate.mitre.org/attackics/index.php/Software/S0007) can utilize exposed SMB services to access industrial networks.(Citation: Dragos Apr 2019)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-03-25T19:13:54.947Z", "id": "relationship--5445c04b-f792-4850-aaa7-d643998b240d", "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"external_references": [ { "source_name": "Dragos Apr 2019", "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--58ac6d42-857e-43e7-a21e-6c226ec35960", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Integrity checking of engineering workstations can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. 
It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--5da973cf-d956-4bbe-890d-34fc4c28040c", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--61d4d944-a75f-4830-9199-937658b9bec9", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Consider placing the historian into a demilitarized zone (DMZ) to allow access from enterprise networks, while protecting the control system network.", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--62f3f530-59ed-4f7e-8647-c05d4363d9d4", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "description": "[Dragonfly](https://collaborate.mitre.org/attackics/index.php/Group/G0002) leveraged compromised user credentials to access the targets' networks and download tools from a remote server.(Citation: CISA Alert (TA17-293A))", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--63351c36-80ca-4937-9a49-e6319d14c215", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Alert (TA17-293A)", "description": "ICS-CERT. (2017, October 21). 
Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 23, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "description": "[Sandworm Team](https://collaborate.mitre.org/attackics/index.php/Group/G0007) appears to use MS-SQL access to a pivot machine, allowing code execution throughout the ICS network. (Citation: Dragos CRASHOVERRIDE Oct 2018)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-10-14T21:33:27.046Z", "id": "relationship--6727e45e-1c65-4420-9ff6-f378ed9a1874", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved October 14, 2019.", "source_name": "Industroyer - Dragos - 201810", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) utilized an engineering workstation as the initial access point for PLC devices.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--6a8e92be-1ab0-4cac-9ca9-9d14a870ecd9", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "description": "The [Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) IEC 61850 component\u202fsends the domain-specific MMS\u202fgetNameList\u202frequest to determine what logical nodes the device supports. 
It then searches the logical nodes for the \u201cCSW\u201d value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Win32/Industroyer June 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "id": "relationship--6d2b684a-4e72-46ee-a8ad-4fe30b5ed20c", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ESET Win32/Industroyer June 2017", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--6d36ad87-7dbd-47ec-9d5d-9e5f5c3df896", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Consider the disabling or removal of features or programs which are not required by that asset's function within the environment.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", 
"x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--6ef54ce4-bbbc-47c8-9e2a-c41cfe3db6c1", "type": "relationship", "created": "2021-04-13T12:45:26.506Z", "relationship_type": "mitigates", "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "description": "[Dragonfly](https://collaborate.mitre.org/attackics/index.php/Group/G0002) has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.(Citation: CISA Alert (TA17-293A))", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--86fe184d-1dda-481a-ab33-8ee1707cd388", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Alert (TA17-293A)", "description": "ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved October 23, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--8d4c346b-5da0-4c93-aca6-cba15fd532f2", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Perform integrity checks of firmware before uploading it to a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from a trusted data source (e.g., vendor site) or through a third-party verification service.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--a0b4fb40-7bee-4cf2-9be6-5e3a0ea40f71", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, 
protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "description": "[XENOTIME](https://collaborate.mitre.org/attackics/index.php/Group/G0001) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.(Citation: Dragos TRISIS Dec 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--b233e131-e448-46c6-815b-b86e4bd6d638", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Dragos TRISIS Dec 2017", "description": "Dragos. (2017, December 13). TRISIS Malware Analysis of Safety System Targeted Malware. 
Retrieved January 12, 2018.", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "description": "In [Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001), after pivoting into the ICS environment, the adversary gained [Initial Access](https://collaborate.mitre.org/attackics/index.php/Initial_Access) to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server.(Citation: Dragos CRASHOVERRIDE Oct 2018)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--b9c2c589-b5c6-4231-982f-cae0aa41f349", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Dragos CRASHOVERRIDE Oct 2018", "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved October 14, 2019.", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "description": "[Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013) malware gained remote access to an SIS engineering workstation.(Citation: FireEye TRITON Dec 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--c4307cc3-871b-4043-8a23-2a2e8b265df7", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. 
Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--c9965454-2b58-4438-bcce-473bf1cc98cd", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on workstations.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--ce5b0067-64d8-4b1e-b0b8-e09dec5cb721", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Consider the principle of least functionality when configuring ICS software to limit host or network-based capabilities within the control environment.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--f15f6e89-ad73-4962-ba7b-81d060ae3aa3", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All remote services should require strong authentication before providing user access.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "description": "[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) can utilize exposed SMB services to access industrial networks.(Citation: Dragos Apr 2019)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.074Z", "id": "relationship--f374ce58-fd26-4177-897e-a2b81c3e522c", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Dragos Apr 2019", "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. 
Retrieved October 27, 2019.", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "id": "relationship--f465566c-e8ef-4b1f-bdfb-b392c08b7840", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--f6084bd2-06a2-4891-95ab-1fb246c9881a", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Ensure all communication is filtered for potentially malicious content, especially for mobile workstations that may not be protected by boundary firewalls.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: 'ctlSelOn', 'ctlOperOn', 'ctlSelOff', 'ctlOperOff', 'Pos and stVal'.(Citation: ESET Win32/Industroyer June 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T12:45:26.506Z", "id": "relationship--f6a2e31d-a2e1-460d-9fb4-e94770f54cbd", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ESET Win32/Industroyer June 2017", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "description": "One of [Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnet\u2019s own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnet\u2019s PLC code is not discovered or damaged.(Citation: Langner Nov 2013)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--f85f342c-ec0f-4fc5-b188-b633963ea78e", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "modified": "2022-04-25T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Langner Nov 2013", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. 
Retrieved March 27, 2018.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "modified": "2022-04-25T14:00:00.188Z", "id": "relationship--ff87ed0a-87bd-46cb-aacc-19c439250923", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Segment and control software movement between business and OT environments by way of one-directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including Internet and email; further limit the extent to which these devices are dual-homed to multiple networks.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. 
Stuxnet effectively creates a man-in-the-middle attack with the input and output signals and control logic.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--29412608-a184-4ac3-9ee6-bd2d5063bf0d", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2021-10-21T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "description": "[HEXANE](https://collaborate.mitre.org/attackics/index.php/Group/G0005) targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.(Citation: Dragos Hexane)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--9887bb6b-3dce-4553-99cb-e901997b3e4c", "source_ref": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "modified": "2021-10-21T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Dragos Hexane", "description": "Dragos. (n.d.). Hexane. 
Retrieved October 27, 2019.", "url": "https://dragos.com/resource/hexane/" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "description": "Using [Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013), an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.(Citation: FireEye TRITON Dec 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--d59a9843-bc7b-4309-9cfb-226f7cd1b14c", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2021-10-21T14:00:00.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. 
Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", "type": "course-of-action", "created": "2019-06-10T20:46:02.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1031", "url": "https://attack.mitre.org/mitigations/M1031" } ], "modified": "2019-06-10T20:46:02.263Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266", "type": "course-of-action", "created": "2019-06-06T16:47:30.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1016", "url": "https://attack.mitre.org/mitigations/M1016" } ], "modified": "2020-07-14T22:22:06.356Z", "name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f", "type": "course-of-action", "created": "2019-06-11T16:30:16.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1035", "url": "https://attack.mitre.org/mitigations/M1035" } ], "modified": "2020-06-09T20:51:00.027Z", "name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "type": "course-of-action", "created": "2019-06-11T16:33:55.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1037", "url": "https://attack.mitre.org/mitigations/M1037" } ], "modified": "2020-06-20T20:46:36.342Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", "type": "course-of-action", "created": "2019-06-06T20:52:59.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1021", "url": "https://attack.mitre.org/mitigations/M1021" } ], "modified": "2019-06-06T20:52:59.206Z", "name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "type": "course-of-action", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1013", "external_id": "M1013" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", 
"x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264", "type": "course-of-action", "created": "2019-06-11T16:28:41.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1034", "url": "https://attack.mitre.org/mitigations/M1034" } ], "modified": "2020-06-09T20:48:12.326Z", "name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", "type": "course-of-action", "created": "2019-06-06T16:50:04.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1017", "url": "https://attack.mitre.org/mitigations/M1017" } ], "modified": "2020-10-21T19:08:13.228Z", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "x_mitre_version": "1.2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", 
"type": "course-of-action", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1028", "url": "https://attack.mitre.org/mitigations/M1028" } ], "modified": "2020-06-19T16:50:45.681Z", "name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b", "type": "course-of-action", "created": "2019-07-19T14:33:33.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1053", "url": "https://attack.mitre.org/mitigations/M1053" } ], "modified": "2020-03-31T13:11:28.201Z", "name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", "type": "course-of-action", "created": "2019-06-11T16:35:25.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1038", "url": "https://attack.mitre.org/mitigations/M1038" } ], "modified": "2022-02-28T19:50:41.210Z", "name": "Execution Prevention", "description": "Block execution of code on a system through application control, and/or script blocking.", "x_mitre_version": "1.2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", "type": "course-of-action", "created": "2019-06-11T17:01:25.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1045", "url": "https://attack.mitre.org/mitigations/M1045" } ], "modified": "2020-05-20T13:12:02.881Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--7bb5fae9-53ad-4424-866b-f0ea2a8b731d", "type": "course-of-action", "created": "2019-06-06T20:15:34.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1020", "url": "https://attack.mitre.org/mitigations/M1020" } ], "modified": "2019-06-06T20:15:34.146Z", "name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", "type": "course-of-action", "created": "2019-06-11T17:02:36.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1046", "url": "https://attack.mitre.org/mitigations/M1046" } ], "modified": "2020-05-19T12:28:50.603Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "type": "course-of-action", "created": "2019-06-10T20:41:03.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", 
"external_id": "M1030", "url": "https://attack.mitre.org/mitigations/M1030" } ], "modified": "2020-05-14T13:05:39.500Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--874c0166-e407-45c2-a1d9-e4e3a6570fd8", "type": "course-of-action", "created": "2019-06-06T19:55:50.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1019", "url": "https://attack.mitre.org/mitigations/M1019" } ], "modified": "2019-06-06T19:55:50.927Z", "name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", "type": "course-of-action", "created": "2019-06-06T21:10:35.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "mitre-attack", "external_id": "M1027", "url": "https://attack.mitre.org/mitigations/M1027" } ], "modified": "2019-06-06T21:10:35.792Z", "name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", "type": "course-of-action", "created": "2019-06-06T16:50:58.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1018", "url": "https://attack.mitre.org/mitigations/M1018" } ], "modified": "2020-05-20T13:49:12.270Z", "name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448", "type": "course-of-action", "created": "2019-06-06T20:54:49.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1022", "url": "https://attack.mitre.org/mitigations/M1022" } ], "modified": "2020-05-20T15:12:39.136Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", "type": "course-of-action", "created": "2019-06-06T21:09:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1026", "url": "https://attack.mitre.org/mitigations/M1026" } ], "modified": "2020-03-31T13:08:36.655Z", "name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--a2c36a5d-4058-475e-8e77-fff75e50d3b9", "type": "course-of-action", "created": "2019-06-06T20:58:59.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1024", "url": "https://attack.mitre.org/mitigations/M1024" } ], "modified": "2019-06-06T20:58:59.577Z", "name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9", "type": 
"course-of-action", "created": "2019-06-11T17:08:33.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1049", "url": "https://attack.mitre.org/mitigations/M1049" } ], "modified": "2020-03-31T13:07:15.684Z", "name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", "type": "course-of-action", "created": "2019-06-10T20:53:36.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1032", "url": "https://attack.mitre.org/mitigations/M1032" } ], "modified": "2019-06-10T20:53:36.319Z", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", "type": "course-of-action", "created": "2019-07-19T14:40:23.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1054", "url": "https://attack.mitre.org/mitigations/M1054" } ], "modified": "2020-03-31T13:11:09.471Z", 
"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463", "type": "course-of-action", "created": "2019-06-11T17:06:56.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1048", "url": "https://attack.mitre.org/mitigations/M1048" } ], "modified": "2020-03-31T13:08:03.851Z", "name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "type": "course-of-action", "created": "2019-06-11T17:06:14.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1047", "url": "https://attack.mitre.org/mitigations/M1047" } ], "modified": "2020-11-19T20:44:07.442Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3", "type": "course-of-action", "created": "2019-06-11T17:10:57.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1050", "url": "https://attack.mitre.org/mitigations/M1050" } ], "modified": "2020-06-20T20:22:55.938Z", "name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462", "type": "course-of-action", "created": "2019-06-06T16:39:58.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1015", "url": "https://attack.mitre.org/mitigations/M1015" } ], "modified": "2020-05-29T16:34:40.344Z", "name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b", "type": "course-of-action", "created": "2019-06-11T17:12:55.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1051", "url": "https://attack.mitre.org/mitigations/M1051" } ], "modified": "2020-07-07T12:42:39.005Z", "name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff", "type": "course-of-action", "created": "2019-06-11T17:00:01.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1044", "url": "https://attack.mitre.org/mitigations/M1044" } ], "modified": "2019-06-11T17:00:01.740Z", "name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", "type": "course-of-action", "created": "2019-06-11T16:45:19.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"external_references": [ { "source_name": "mitre-attack", "external_id": "M1042", "url": "https://attack.mitre.org/mitigations/M1042" } ], "modified": "2020-03-31T13:12:04.776Z", "name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", "type": "course-of-action", "created": "2019-06-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1036", "url": "https://attack.mitre.org/mitigations/M1036" } ], "modified": "2019-06-13T16:07:21.233Z", "name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", "type": "course-of-action", "created": "2019-06-11T16:43:44.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1041", "url": "https://attack.mitre.org/mitigations/M1041" } ], "modified": "2019-06-11T16:43:44.834Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "x_mitre_version": "1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "aliases": [ "Leafminer", "Raspite" ], "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", "type": "intrusion-set", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0077", "external_id": "G0077" }, { "source_name": "Leafminer", "description": "(Citation: Symantec Leafminer July 2018)" }, { "source_name": "Raspite", "description": "(Citation: Dragos Raspite Aug 2018)" }, { "url": "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "description": "Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.", "source_name": "Symantec Leafminer July 2018" }, { "description": "Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.", "url": "https://www.dragos.com/blog/20180802Raspite.html", "source_name": "Dragos Raspite Aug 2018" } ], "modified": "2021-10-12T23:23:16.109Z", "name": "Leafminer", "description": "[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. 
(Citation: Symantec Leafminer July 2018)", "x_mitre_version": "2.3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--02547978-3323-4291-827e-081d0ca650d8", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--06659568-4206-415a-bf77-e412dd657ab1", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--06d273d4-3110-4bb2-8caf-89d691e1abad", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) contains modules for IEC 101 and IEC 104 communications.(Citation: ESET Win32/Industroyer Jun 2017) IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. 
Analysis of the malware by Dragos states that both of the modules have equivalent functionality.(Citation: Dragos Industroyer Jun 2017) The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since the functionality of the two modules is equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device.(Citation: ESET Win32/Industroyer Jun 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--0810db31-f49e-4bfd-b40a-19dc84527bca", "source_ref": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ESET Win32/Industroyer Jun 2017", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" }, { "source_name": "Dragos Industroyer Jun 2017", "description": "Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. 
Retrieved September 18, 2017.", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "description": "After [PLC-Blaster](https://collaborate.mitre.org/attackics/index.php/Software/S0009) is transferred to a PLC, the PLC begins execution of PLC-Blaster.(Citation: BlackHat Mar 2016)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--09ef0e68-c9b4-4cca-aa25-e65137e8f63a", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "BlackHat Mar 2016", "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. 
Retrieved September 19, 2017.", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--1013a29f-70b5-4fda-a510-2c3477618d62", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--15ee5b5e-2b62-45f8-82c0-1bee67ba07f9", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Encrypt sensitive location data when feasible to prevent unauthorized access.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--1964c6f5-7c11-42e7-ad3c-e9bf8d70ae54", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Ensure proper network segmentation is followed to protect critical servers and devices.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "description": "The [Backdoor.Oldrea](https://collaborate.mitre.org/attackics/index.php/Software/S0003) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations.(Citation: CISA Advisory (ICSA-14-178-01))(Citation: F-Secure Labs Jun 2014)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--1c066ecf-c728-4002-8618-8167216d23cf", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Advisory (ICSA-14-178-01)", "description": "ICS-CERT. 
(2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" }, { "source_name": "F-Secure Labs Jun 2014", "description": "Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--2367a5b7-a562-462f-9d6f-c42617f2ba9d", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. 
This could be from a trusted data source (e.g., vendor site) or through a third-party verification service.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--2c2a7347-94de-4e83-a50e-1a4bbd4db17b", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--2ee703c3-c9de-4b7c-99f6-3849b257b438", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Restrict permissions on information that may disclose locations of key physical assets.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--31c21f43-4609-49cc-a49a-f013e7ccc69f", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--33be9511-60ea-4142-930f-15a00a4448b9", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Systems and devices should restrict access to any data with confidentiality concerns, including location information.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--3427eddf-7846-4e52-8339-0f38e60a2d03", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) enumerates and parses the System Data Blocks (SDB). [Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 
9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--3cf93229-fb60-4fc1-9edd-3e0a0c0b2302", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--3e8cb54b-323a-4858-bbb3-a3944339eefa", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--438229aa-e593-4eb6-961e-2d82c429edf8", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "description": "[Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). 
Program state is referenced in TsHi.py.(Citation: MDudek-ICS TRISIS-TRITON-HATMAN)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--4e1e2ce9-5935-4890-8466-b9683fc38ec8", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "MDudek-ICS TRISIS-TRITON-HATMAN", "description": "MDudek-ICS. (n.d.). TRISIS-TRITON-HATMAN. Retrieved November 3, 2019.", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--57067f2e-eba2-4b39-b154-2bd142485c44", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": 
"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--611c859a-4347-4dbc-a3fd-ad47b2384f78", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--64e11c1c-64fb-41df-bf0a-c874616b1412", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Perform inline allow/denylisting of automation protocol requests associated with device identification, such as IEC 61850 getNameList or OPC DA IOPCServer::GetStatus requests.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "modified": 
"2021-04-29T14:49:39.188Z", "id": "relationship--694de87e-7ecb-453c-a7b7-5690631b4026", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--701f66f4-2267-4c22-85f4-81391953289a", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: 'ctlSelOn', 'ctlOperOn', 'ctlSelOff', 'ctlOperOff', 'Pos and stVal'.\n\nIf the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device.(Citation: ESET Win32/Industroyer Jun 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--81f8bb8b-7372-47ad-b030-1ea977d5372d", "source_ref": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ESET Win32/Industroyer Jun 2017", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. 
Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "description": "The [Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013) Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.(Citation: CISA Advisory (ICSA-18-107-02) Dec 2018)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--831b01b1-f005-4705-b052-bb50e7bf0338", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Advisory (ICSA-18-107-02) Dec 2018", "description": "ICS-CERT. (2018, December 18). Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B). 
Retrieved March 8, 2019.", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--85a55000-f88e-4331-9dad-0fa779d9a52e", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--8df73177-cb78-41fa-9102-266838100665", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All device or system changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "description": "[Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.(Citation: MDudek-ICS TRISIS-TRITON-HATMAN)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--8e779618-146f-4219-9b50-a4ceca6b2210", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "MDudek-ICS TRISIS-TRITON-HATMAN", "description": "MDudek-ICS. (n.d.). TRISIS-TRITON-HATMAN. 
Retrieved November 3, 2019.", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--8f5d517c-b1ba-4848-92ad-f5a4355b3898", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. 
Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) scanned the network to identify the Siemens PLCs that it was targeting.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--8f7dcde0-03a5-4f13-a728-67a43429b45e", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "description": "[Sandworm](https://collaborate.mitre.org/attackics/index.php/Group/G0007) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet.(Citation: CISA ICS Alert (ICS-ALERT-14-281-01E))(Citation: CISA ICS Advisory (ICSA-11-094-02B))", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-05-31T21:33:27.046Z", "id": "relationship--94a27526-f76b-4a64-8c9a-71f09e6fd9d4", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA ICS Alert (ICS-ALERT-14-281-01E)", "description": "ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.", "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" }, { "source_name": "CISA ICS Advisory (ICSA-11-094-02B)", "description": "ICS CERT. (2018, September 06). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). 
Retrieved December 5, 2019.", "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "description": "The [PLC-Blaster](https://collaborate.mitre.org/attackics/index.php/Software/S0009) worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp.(Citation: BlackHat Mar 2016)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--9f010e39-922a-4f20-9dd9-98f4178c5263", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "BlackHat Mar 2016", "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. 
Retrieved September 19, 2017.", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--a0974da1-6122-477c-9c3c-f46aa64470e6", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Inline allow/denylists can be used to prevent devices from sending unauthorized location information across automation protocols (e.g., OPC).", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--a36e7ebf-d667-4f16-b3d4-cb241e15c9d0", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--a4ead3e8-f1ce-4d8e-a801-cb20f8e241e3", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--a7c31dc3-1ea7-4f7a-baa0-26be762c2af1", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All remote services should require strong authentication before providing user access.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": 
"attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--afc04523-f7df-4067-9fcb-e7e25f0b5b03", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "description": "The [Backdoor.Oldrea](https://collaborate.mitre.org/attackics/index.php/Software/S0003) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.(Citation: CISA Advisory (ICSA-14-178-01))(Citation: F-Secure Labs Jun 2014)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--afcfced0-8e9f-4e6a-870e-0d095f878aa2", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Advisory (ICSA-14-178-01)", "description": "ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). 
Retrieved April 1, 2019.", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" }, { "source_name": "F-Secure Labs Jun 2014", "description": "Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--bdbbcf46-58de-47ec-a6e1-a46689b303cf", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--be5a616f-473e-4a21-92fd-b9aa6f555232", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Protect information that may disclose locations of key physical assets.", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--c6c28b76-7a31-4668-ad25-933a1b52f312", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--c790953b-62a5-4ded-b31c-b0825329ad2e", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. 
Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--c8a72fcd-dc9f-4303-994b-347b6d9e44b3", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--c8e8dbd1-965d-4507-8549-84063d0890b5", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "description": "The [VPNFilter](https://collaborate.mitre.org/attackics/index.php/Software/S0002) packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs the IPs and ports of traffic on port 502 (Modbus traffic), but not the packet contents. It does not validate the traffic as Modbus.(Citation: Talos VPNFilter Jun 2018)(Citation: VPNFilter Deep Dive Mar 2019)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--d2b3dc96-7adb-4d38-b3cf-b448535ffa60", "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Talos VPNFilter Jun 2018", "description": "William Largent. (2018, June 06). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019.", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" }, { "source_name": "VPNFilter Deep Dive Mar 2019", "description": "Carl Hurd. (2019, March 26). VPNFilter Deep Dive. 
Retrieved March 28, 2019.", "url": "https://www.youtube.com/watch?v=yuZazP22rpI" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--d5359d6f-776d-4c82-8990-f7578834dbf1", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Devices should authenticate all messages between master and outstation assets.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "description": "The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). 
[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) utilized this export hook to gain information about targeted PLCs such as model information. [Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--d598f3d0-a4b1-4a6c-9aa6-990e4a2c2912", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "source_ref": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--d698b63a-b7ce-4303-b5b0-fcca4450074d", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "description": "The [Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001), IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. 
This enumerates named variables in a specific domain.(Citation: ESET Win32/Industroyer Jun 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--d72ebee3-0747-47e6-b300-2138dbfaf01e", "source_ref": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ESET Win32/Industroyer Jun 2017", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", "description": "[Triton](https://collaborate.mitre.org/attackics/index.php/Software/S0013) can reprogram the SIS logic to cause it to trip and shut down a process that is, in actuality, in a safe state. In other words, it triggers a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist.(Citation: FireEye TRITON Dec 2017) The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. 
If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks.(Citation: FireEye TRITON Dec 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--d9bed8cf-8d1e-46cb-bd6d-b0266a1b0010", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--dcb74406-f7b2-4eae-8da7-07ad5a3c99d6", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Segment operational assets and their management devices based on their functional role within the process. 
This enables stricter isolation of more critical control and operational information within the control environment.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", "description": "[PLC-Blaster](https://collaborate.mitre.org/attackics/index.php/Software/S0009) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block.(Citation: BlackHat Mar 2016)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-10-17T00:14:20.652Z", "id": "relationship--e02a41f2-73b9-4cf9-820a-23156bf697e5", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "BlackHat Mar 2016", "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. 
Retrieved September 19, 2017.", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--e05d8fc1-fd50-4a78-ae2f-41fcba913fc1", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--e4007011-03a8-44f5-be65-f4bc924beb97", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--eaec9abc-730e-4dda-92db-e289f6bccf7b", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--f13cf1cc-dfbd-4da1-9201-f9e8dccbc7a6", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Serial connection enumeration can be accomplished using common system tools such as minicom, 
getty, stty, etc.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--f2a47999-6d07-442f-a202-7ee345f41465", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--f3a55817-63f1-4370-93d0-a9e1fbe245e6", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "description": "The [Backdoor.Oldrea](https://collaborate.mitre.org/attackics/index.php/Software/S0003) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.(Citation: CISA Advisory (ICSA-14-178-01))(Citation: F-Secure Labs Jun 2014)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-04-18T17:59:24.739Z", "id": "relationship--f80cb0ae-96e7-4425-b9de-b8835a45e45b", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "modified": "2021-04-29T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CISA Advisory (ICSA-14-178-01)", "description": "ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" }, { "source_name": "F-Secure Labs Jun 2014", "description": "Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. 
Retrieved April 1, 2019.", "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "source_ref": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--f836cab1-6c45-4ede-a220-40f88a80a14e", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--fc786a05-2ad9-4c3c-a4c4-b85cd12ded88", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Utilize allow/denylists to prevent any unauthorized network messages used to change program state, including any messages that may change the programs running on a device.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "target_ref": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "modified": "2021-04-29T14:49:39.188Z", "id": "relationship--ff5f3c74-f511-4112-beed-e7419342bc44", "type": "relationship", "created": "2020-09-21T17:59:24.739Z", "relationship_type": "mitigates", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true }, { "type": "relationship", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "description": "In states 3 and 4 [Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) sends two network bursts (done through the DP_SEND primitive). 
The data in the frames are instructions for the frequency converter drives.(Citation: Wired W32.Stuxnet Feb 2011)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "id": "relationship--90818d25-6ece-4035-aece-62e489abef7d", "source_ref": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "modified": "2020-11-12T14:49:39.188Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Wired W32.Stuxnet Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" } ], "relationship_type": "uses", "spec_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_deprecated": true } ] }