T0800
Activate Firmware Update Mode
Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.

T0830
Adversary-in-the-Middle
Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If an AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most common are Address Resolution Protocol (ARP) poisoning and the use of a proxy.

T0878
Alarm Suppression
Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

T0802
Automated Collection
Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

T0803
Block Command Message
Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.

T0804
Block Reporting Message
Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.

T0805
Block Serial COM
Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.

T0806
Brute Force I/O
Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.

T0858
Change Operating Mode
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controller's API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller's API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:

T0807
Command-Line Interface
Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.

T0885
Commonly Used Port
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, avoiding more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.

T0884
Connection Proxy
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.

T0879
Damage to Property
Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.

T0809
Data Destruction
Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.

T0811
Data from Information Repositories
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.

T0812
Default Credentials
Adversaries may leverage manufacturer- or supplier-set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.

T0813
Denial of Control
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state.

T0814
Denial of Service
Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.

T0815
Denial of View
Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases.

T0868
Detect Operating Mode
Adversaries may gather information about a PLC's or controller's current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:

T0816
Device Restart/Shutdown
Adversaries may forcibly restart or shut down a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.

T0817
Drive-by Compromise
Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.

T0871
Execution through API
Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.

T0819
Exploit Public-Facing Application
Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an asset's operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.

T0820
Exploitation for Evasion
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.

T0890
Exploitation for Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

T0866
Exploitation of Remote Services
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems.

T0822
External Remote Services
Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.

T0823
Graphical User Interface
Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.

T0891
Hardcoded Credentials
Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples of credentials that may be hardcoded in an asset include:

T0874
Hooking
Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.

T0877
I/O Image
Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

T0872
Indicator Removal on Host
Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

T0883
Internet Accessible Device
Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through External Remote Services. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits; cases that use exploits would be represented within the Exploit Public-Facing Application technique.

T0867
Lateral Tool Transfer
Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares.

T0826
Loss of Availability
Adversaries may attempt to disrupt essential components or systems to prevent the owner and operator from delivering products or services.

T0827
Loss of Control
Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.

T0828
Loss of Productivity and Revenue
Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments.

T0837
Loss of Protection
Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel.

T0880
Loss of Safety
Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner.

T0829
Loss of View
Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.

T0835
Manipulate I/O Image
Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

T0831
Manipulation of Control
Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or sustained for longer, depending on operator detection.

T0832
Manipulation of View
Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported.

T0849
Masquerading
Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.

T0838
Modify Alarm Settings
Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.

T0821
Modify Controller Tasking
Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller.

T0836
Modify Parameter
Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.

T0889
Modify Program
Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.

T0839
Module Firmware
Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.

T0801
Monitor Process State
Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary, such as OPC tags, historian data, specific PLC block information, or network traffic.

T0834
Native API
Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

T0840
Network Connection Enumeration
Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

T0842
Network Sniffing
Network sniffing is the practice of using a network interface on a computer system to monitor or capture information regardless of whether it is the specified destination for the information.

T0861
Point & Tag Identification
Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. Tags are the identifiers given to points for operator convenience.

T0843
Program Download
Adversaries may perform a program download to transfer a user program to a controller.

T0845
Program Upload
Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.

T0873
Project File Infection
Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built-in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment, enabling further execution and persistence techniques.

T0886
Remote Services
Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network; some examples are RDP, SMB, SSH, and other similar mechanisms.

T0846
Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.

T0888
Remote System Information Discovery
An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage.

T0847
Replication Through Removable Media
Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.

T0848
Rogue Master
Adversaries may set up a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.

T0851
Rootkit
Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.

T0852
Screen Capture
Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

T0853
Scripting
Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.

T0881
Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.

T0865
Spearphishing Attachment
Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.

T0856
Spoof Reporting Message
Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.

T0869
Standard Application Layer Protocol
Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, Telnet, DNP3, and Modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

T0862
Supply Chain Compromise
Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment.

T0857
System Firmware
System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprogramming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.

T0882
Theft of Operational Information
Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data.

T0864
Transient Cyber Asset
Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or third-party contractor/vendor access is required.

T0855
Unauthorized Command Message
Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact.

T0863
User Execution
Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.

T0859
Valid Accounts
Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.

T0860
Wireless Compromise
Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.

T0887
Wireless Sniffing
Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies range from 3 kHz to 300 GHz, although they are commonly between 300 MHz and 6 GHz. The wavelength and frequency of the signal affect how the signal propagates through open air and obstacles (e.g. walls and trees), and the type of radio required to capture it. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum.