misp-galaxy/ics_technique_matrix_cluster.json
tw010101 3230d7ced4
Add files via upload
Mitre ATT&CK for ICS
Galaxy + Cluster files Mitre ATT&CK for ICS - Assets
Galaxy + Cluster files Mitre ATT&CK for ICS - Groups
Galaxy and Cluster files Mitre ATT&CK for ICS - Levels
Galaxy + Cluster files for Mitre ATT&CK for ICS - Software
Galaxy + Cluster files for Mitre ATT&CK for ICS - Tactics
Galaxy + Cluster files for Mitre ATT&CK for ICS - Techniques
Galaxy + Cluster files for Mitre ATT&CK for ICS - Technique Matrix
2020-10-01 16:10:21 +01:00

958 lines
No EOL
58 KiB
JSON

{
"author": [
"Tony Williams"
],
"category": "Technique Matrix",
"description": "ATT&CK for ICS Technique Matrix",
"name": "Technique Matrix",
"source": "https://collaborate.mitre.org/attackics/index.php/Main_Page",
"type": "mitre-ics-technique-matrix",
"uuid": "005ffa53-9400-4231-bbf2-c49c22c2683c",
"values": [
{
"description": "T810: Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "71955277-ac75-4bfb-a268-cd496f317981",
"value": "Data Historian Compromise"
},
{
"description": "T817: Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "f12762ff-5d54-4544-8091-80d22d771799",
"value": "Drive-by Compromise"
},
{
"description": "T818: Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "697497fb-af7d-4a08-91df-405e62e14b1f",
"value": "Engineering Workstation Compromise"
},
{
"description": "T819: Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "de7f14f7-2292-428c-894e-44a13bbd86c0",
"value": "Exploit Public-Facing Application"
},
{
"description": "T822: Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "6b149ac6-c7d4-45c9-9240-90c2b6e4c4c9",
"value": "External Remote Services"
},
{
"description": "T883: Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "78d5b40d-6452-446d-8d50-5a48e633eb81",
"value": "Internet Accessible Device"
},
{
"description": "T847: Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "26d3a202-15db-447e-9681-4647d3ca5040",
"value": "Replication Through Removable Media"
},
{
"description": "T865: Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "2252992e-c1a8-4900-91cd-ada02f23c6c9",
"value": "Spearphishing Attachment"
},
{
"description": "T862: Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "123b7a01-785b-4679-9c69-828296d17ef2",
"value": "Supply Chain Compromise"
},
{
"description": "T860: Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device.12 Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.",
"meta": {
"kill_chain": [
"Technique Matrix:Initial Access"
]
},
"uuid": "0827be38-7863-4af6-b2aa-bde01e3cb9b9",
"value": "Wireless Compromise"
},
{
"description": "T875: Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "a5de16bf-b123-4ca7-8136-7549b014abc1",
"value": "Change Program State"
},
{
"description": "T807: Adversaries may utilize command-line interfaces(CLIs)to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "a6cb2662-e099-4c35-b621-4cc047b76027",
"value": "Command-Line Interface"
},
{
"description": "T871: Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "6b3cfa9e-cbd9-48fb-91e4-75910153ce6e",
"value": "Execution through API"
},
{
"description": "T823: Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "125c702e-a49d-41d1-b8ce-7700b89a32bc",
"value": "Graphical User Interface"
},
{
"description": "T830: Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "8cef4c48-4b4b-4861-a423-0331f618f476",
"value": "Man in the Middle"
},
{
"description": "T844: Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "fe2ba1de-686d-42ab-b09f-670d31da5509",
"value": "Program Organisation Units"
},
{
"description": "T873: Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "fe4f5116-b54c-4fc9-ac32-b7a7f97d2636",
"value": "Project File Infection"
},
{
"description": "T853: Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "37895354-a93a-4ca2-85cf-403d6c1ab9a2",
"value": "Scripting"
},
{
"description": "T863: Adversaries may rely on a targeted organizations’ user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.",
"meta": {
"kill_chain": [
"Technique Matrix:Execution"
]
},
"uuid": "f6e39713-2d05-46d0-89c2-b4a9da13dc03",
"value": "User Execution"
},
{
"description": "T874: Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "aa9e4783-f0b8-4838-9cbd-ca6301754004",
"value": "Hooking"
},
{
"description": "T839: Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "f004bce4-f161-468f-86dd-3a2c1c9f9945",
"value": "Module Firmware"
},
{
"description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "ef6aa7a4-ab2a-4489-ac85-304e6ce06552",
"value": "Program Download"
},
{
"description": "T873: Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "0169122e-36f5-4223-a7fe-0d9863470566",
"value": "Project File Infection"
},
{
"description": "T857: System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "3f4afa40-be02-42c9-937c-e5c1059e5a86",
"value": "System Firmware"
},
{
"description": "T859: Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.",
"meta": {
"kill_chain": [
"Technique Matrix:Persistence"
]
},
"uuid": "6b214211-394d-4d9c-b92f-7c77b9b4efdb",
"value": "Valid Accounts"
},
{
"description": "T820: Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "3a4c6ba2-6895-4cec-a468-a1ea41c77edd",
"value": "Exploitation for Evasion"
},
{
"description": "T872: Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "be992931-bcf0-4ad9-898a-12d78007805f",
"value": "Indicator Removal on Host"
},
{
"description": "T849: Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "eaeedd92-dbe9-4624-b6bb-1b7bf88f9c17",
"value": "Masquerading"
},
{
"description": "T848: Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "824f7bf4-15b3-4421-8aee-d93cef18abc0",
"value": "Rogue Master Device"
},
{
"description": "T851: Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "5690f110-5867-48b5-b952-9a5332ffa6af",
"value": "Rootkit"
},
{
"description": "T856: Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "cb2dd5d6-0733-4e2e-aff4-b2ae583c5958",
"value": "Spoof Reporting Message"
},
{
"description": "T858: Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.",
"meta": {
"kill_chain": [
"Technique Matrix:Evasion"
]
},
"uuid": "c06ce396-1a44-4d67-8674-cbbbab3c28ff",
"value": "Utilize/Change Operating Mode"
},
{
"description": "T808: Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "e54c2304-7758-4166-93cb-e9fa71072c7b",
"value": "Control Device Identification"
},
{
"description": "T824: Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "6236f6db-413b-4fd3-8788-39e062c4cd1d",
"value": "I/O Module Discovery"
},
{
"description": "T840: Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "845228e3-f859-4aa6-96cd-b23ee18b2f31",
"value": "Network Connection Enumeration"
},
{
"description": "T841: Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "0c3403ab-eb9d-4192-b70c-c87eec584a22",
"value": "Network Service Scanning"
},
{
"description": "T842: Network sniffing is the practice of using a network interface on a computer system to monitor or capture information1 regardless of whether it is the specified destination for the information.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "de476155-9fc5-4358-8900-9146e147c228",
"value": "Network Sniffing"
},
{
"description": "T846: Remote System Discovery is the process of identifying the presence of hosts on a network, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "3ac07eea-8cec-4087-824c-a69b9fa42384",
"value": "Remote System Discovery"
},
{
"description": "T854: Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.",
"meta": {
"kill_chain": [
"Technique Matrix:Discovery"
]
},
"uuid": "072123cb-08e9-4c7e-b47b-8fd4d76a778a",
"value": "Serial Connection Enumeration"
},
{
"description": "T812: Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "b67eb554-d305-454b-9b72-0b9082cf51bd",
"value": "Default Credentials"
},
{
"description": "T866: Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "0d9fec39-95b2-4516-a9a7-c4b48a3fa9bb",
"value": "Exploitation of Remote Services"
},
{
"description": "T822: Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "e096543e-e4c0-4eb0-acb1-df9feaae9697",
"value": "External Remote Services"
},
{
"description": "T844: Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "92ed2463-473d-4bf6-a6e7-dcbd46b32791",
"value": "Program Organization Units"
},
{
"description": "T867: Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation.1 Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "ac6e920d-9880-4fe6-b8f0-e0d0fbfd01a9",
"value": "Remote File Copy"
},
{
"description": "T859: Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.",
"meta": {
"kill_chain": [
"Technique Matrix:Lateral Movement"
]
},
"uuid": "9ede0533-551d-407e-ad35-a0c325dbf5c4",
"value": "Valid Accounts"
},
{
"description": "T802: Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "4f559e96-f297-48ae-9a98-639bd63cee3f",
"value": "Automated Collection"
},
{
"description": "T811: Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "2666163e-c72e-4e13-9f81-4433beb92c93",
"value": "Data from Information Repositories"
},
{
"description": "T868: Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "d8eb72d0-879a-4f06-a220-33aafdbf075d",
"value": "Detect Operating Mode"
},
{
"description": "T877: Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "fb3f7181-f54a-4552-8aef-c205b5d9f70a",
"value": "I/O Image"
},
{
"description": "T825: Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "eb77b9b5-664a-4402-94c1-ff6e68c4a031",
"value": "Location Identification"
},
{
"description": "T801: Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "f51cac7e-e377-4d6c-8bf6-4a284e645f35",
"value": "Monitor Process State"
},
{
"description": "T861: Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "23f90d65-611f-42fc-82f9-e1117bad6481",
"value": "Point and Tag Identification"
},
{
"description": "T845: Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "fd05f928-be95-459a-add0-d03d73c1a5f2",
"value": "Program Upload"
},
{
"description": "T850: Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "05b1ad22-7971-48c1-924c-55fcae709cdd",
"value": "Role Identification"
},
{
"description": "T852: Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
"meta": {
"kill_chain": [
"Technique Matrix:Collection"
]
},
"uuid": "86be4b62-0180-4651-a6a6-da1a45cc10df",
"value": "Screen Capture"
},
{
"description": "T885: Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports such as TCP:80(HTTP),TCP:443(HTTPS),TCP/UDP:53(DNS),TCP:1024-4999(OPC on XP/Win2k3),TCP:49152-65535(OPC on Vista and later),TCP:23(TELNET),UDP:161(SNMP),TCP:502(MODBUS),TCP:102(S7comm/ISO-TSAP),TCP:20000(DNP3),TCP:44818(Ethernet/IP).",
"meta": {
"kill_chain": [
"Technique Matrix:Command and Control"
]
},
"uuid": "01470ce5-c23b-4083-a90f-4ffde6362475",
"value": "Commonly Used Port"
},
{
"description": "T884: Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.",
"meta": {
"kill_chain": [
"Technique Matrix:Command and Control"
]
},
"uuid": "ac6c341f-94eb-42fd-a818-0463ba978f0d",
"value": "Connection Proxy"
},
{
"description": "T869: Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port.",
"meta": {
"kill_chain": [
"Technique Matrix:Command and Control"
]
},
"uuid": "19c90986-98cd-48f3-9c29-884a97787497",
"value": "Standard Application Layer Protocol"
},
{
"description": "T800: Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "723d53c8-b41b-4e36-bcbd-a0f08393f625",
"value": "Active Firmware Update Mode"
},
{
"description": "T878: Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "91c5fad4-7278-462e-a98b-6556addf8b70",
"value": "Alarm Suppression"
},
{
"description": "T803: Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "7ee52584-fb2e-407d-83bf-d26fcda17e56",
"value": "Block Command Message"
},
{
"description": "T804: Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "327c63ed-59d5-4565-be22-a75bb85e751c",
"value": "Block Reporting Message"
},
{
"description": "T805: Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "1511927c-47cc-4da6-a462-84ee206d1317",
"value": "Block Serial COM"
},
{
"description": "T809: Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "be284064-e0de-448c-860d-2e140dfde1c0",
"value": "Data Destruction"
},
{
"description": "T814: Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "b4a7de26-746e-4981-a82c-9a1139d65cdd",
"value": "Denial of Service"
},
{
"description": "T816: Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "e82dada6-7306-46c4-bbd9-e29dcf033ceb",
"value": "Device Restart/Shutdown"
},
{
"description": "T835: Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "d390887c-68af-4e4f-87b4-6d2888ce21e6",
"value": "Manipulate I/O Image"
},
{
"description": "T838: Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "f676877a-b6c4-4d58-84da-56808847270e",
"value": "Modify Alarm Settings"
},
{
"description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "4897156e-0462-45b7-8637-f222b68c6a48",
"value": "Program Download"
},
{
"description": "T851: Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "15c52f96-2396-4a8e-b183-3898378a7ccd",
"value": "Rootkit"
},
{
"description": "T857: System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "4d9b87ba-bd66-4497-b3d4-8ed476425e48",
"value": "System Firmware"
},
{
"description": "T858: Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.",
"meta": {
"kill_chain": [
"Technique Matrix:Inhibit Response Function"
]
},
"uuid": "b24e02c6-a575-4ab8-a214-76c195e9e00a",
"value": "Utilize/Change Operating Mode"
},
{
"description": "T806: Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "ab9f5dd3-71cc-4de6-9ea9-7e5a35696888",
"value": "Brute Force I/O"
},
{
"description": "T875: Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "12bac6b2-e822-4424-afe3-90c441ef52dc",
"value": "Change Program State"
},
{
"description": "T849: Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "6fe928e8-5433-4774-b108-60c9eba75acc",
"value": "Masquerading"
},
{
"description": "T833: Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "f4050bde-112b-46f0-a02a-6661f3472efd",
"value": "Modify Control Logic"
},
{
"description": "T836: Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "6183345c-c5cf-44d8-9dc2-91f259f4ed4e",
"value": "Modify Parameter"
},
{
"description": "T839: Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "492cb581-f4a6-4393-a85a-6eb0935c95d0",
"value": "Module Firmware"
},
{
"description": "T843: Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "86f88e91-acdb-4702-a28a-ed10332643c6",
"value": "Program Download"
},
{
"description": "T848: Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "c5d76758-d103-4dcf-83e7-fa0818a8bdf5",
"value": "Rogue Master Device"
},
{
"description": "T881: Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "7fd8cfb0-5064-4ffb-bc88-fe81e05ffa73",
"value": "Service Stop"
},
{
"description": "T856: Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "5e489242-3d3b-4c21-9d8e-9c27857252c6",
"value": "Spoof Reporting Message"
},
{
"description": "T855: Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact.",
"meta": {
"kill_chain": [
"Technique Matrix:Impair Process Control"
]
},
"uuid": "a2085515-4b94-4fea-8d9c-1ffc6aa550d9",
"value": "Unauthorized Command Message"
},
{
"description": "T879: Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "73e7afd3-fa10-49b9-baac-9c3765bf570e",
"value": "Damage to Property"
},
{
"description": "T813: Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "d18daaa4-1b59-482c-b9bb-1f50c3d6af7a",
"value": "Denial of Control"
},
{
"description": "T815: Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "69224a2a-13f5-42dc-b200-2e7b09acf514",
"value": "Denial of View"
},
{
"description": "T826: Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "7c53baea-b24d-40de-8753-e65139c93ced",
"value": "Loss of Availability"
},
{
"description": "T827: Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "62fee86a-2f24-4a2b-8b4c-795e82495d7d",
"value": "Loss of Control"
},
{
"description": "T828: Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "4b593ce1-3f07-4f00-86dd-e614e999ed2e",
"value": "Loss of Productivity and Revenue"
},
{
"description": "T880: Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "c514cc66-b02d-497b-bac0-57f58b831442",
"value": "Loss of Safety"
},
{
"description": "T829: Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "d48aa5dc-40af-4299-85c5-64b2b28ea009",
"value": "Loss of View"
},
{
"description": "T831: Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "1ff2853a-42bd-4aed-8aad-ed25ecc603d6",
"value": "Manipulation of Control"
},
{
"description": "T832: Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "5420f2d9-debe-4e3e-8717-0952afa92dd9",
"value": "Manipulation of View"
},
{
"description": "T882: Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.",
"meta": {
"kill_chain": [
"Technique Matrix:Impact"
]
},
"uuid": "fb6e8505-98a6-489f-a8a6-4abc0b7927a1",
"value": "Theft of Operational Information"
}
],
"version": 1
}