Execution
Techniques
| ID | Name | Description |
|---|---|---|
| EST000016 | Command-Line Interface | A Cyber Embedded Technique in which an adversary uses a command-line interface to interact with systems and execute other software during the course of an operation. |
| EST000017 | Compiled HTML File | A Cyber Embedded Technique in which an adversary abuses compiled HTML files to embed malicious code. A custom CHM file containing embedded payloads could be delivered to a victim and then triggered by User Execution. CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. Compiled HTML files (.chm/.hta) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). |
| EST000018 | Graphical User Interface | Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms, including non-traditional operating systems such as Green Hills Integrity, VxWorks, or pSOS. Adversaries may require physical access to serial interfaces that may or may not be documented in the system AAR/ICD. |
| EST000019 | Scheduled Task | A Cyber Embedded Technique in which an adversary uses task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. Hooking a startup bit or initiated bit would allow an adversary to run malware or hide the fact that malware is already running. This may be done continuously as well, coinciding with the continuous bit of a subsystem or LRU. Some platforms also broadcast maintenance and other telemetry data on approach; any scheduled task that the platform performs in this manner could be used as a trigger to execute malware or to hide the fact that malware is running. |
| EST000020 | Service Execution | A Cyber Embedded Technique in which an adversary executes a binary, command, or script via a method that interacts with operating system services. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. There are other forms of service execution for various operating systems. Adversaries may execute binaries or commands in RTOS service handlers. |
| EST000021 | Execute via Trusted Developer Utilities | A Cyber Embedded Technique in which an adversary compromises and utilizes Trusted Developer Utilities as a method to execute code on a targeted subsystem. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions. For platforms that rely on ground support equipment or depot level support equipment, the GSE may serve as the initial attack vector, but may also serve to launch malware that has been pre-positioned in a supply chain attack. |
| EST000022 | Change Operating Mode | A Cyber Embedded Technique in which an adversary changes the operating mode of a controller to gain additional access to engineering functions such as Program Download. Embedded systems typically have several modes of operation that control the state of the user program and control access to the system's API. Operating modes can be selected by various physical means on the system, but may also be selected with calls to the system's API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. |
| EST000023 | Execution Through API | A Cyber Embedded Technique in which an adversary leverages Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software. |
| EST000024 | Logical Man in the Middle | A Cyber Embedded Technique in which an adversary performs a logical man-in-the-middle attack within layers 2 through 4 of the OSI model, abusing the inherent serial bus protocols to obtain a pivot effect on adjacent subsystems. The bus protocols for embedded systems are more expansive than those of enterprise networks and include CAN, AS5643, J1939, and ARINC 429. |
| EST000025 | Execute via Modified System Tasking | A Cyber Embedded Technique in which an adversary modifies the tasking of an embedded system to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of an embedded system. An adversary may modify the associations between tasks and programs, or create new ones, to manipulate the execution flow of an embedded system. Modification of embedded system tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. Tasks have properties, such as interval, frequency, and priority, to meet the requirements of program execution. Some embedded system vendors implement tasks with implicit, pre-defined properties, whereas others allow these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or that execute associated programs more frequently. |
| EST000026 | Improper Memory Management | A Cyber Embedded Technique in which an adversary exploits poor software hygiene and memory management to inject executable code on a target subsystem to perform a variety of embedded-system-specific effects. Legacy LRUs are typically memory- and processor-constrained, and the compilers of their era were in their infancy. This led early component developers to prioritize performance over security. Many such tradeoffs gain performance at the cost of security, or were made because those were the tools available at the time. Examples include, but are probably not limited to: direct memory access; stack overflow; double free; heap underflow; buffer overflow; integer over/underflow; shared memory space; dual-port RAM; local/global descriptor table mismatch; improper segmentation allocation. Typically, these would be exploited through bus communications or via an RF attack vector. |
| EST000027 | Execute via Direct Connect System | A Cyber Embedded Technique in which an adversary utilizes a Direct Connect System (DCS) to directly connect to, deploy, and execute malware on the connected device to gain a persistent foothold or pivot to other subsystems in order to have a specific effect on a system. Emulating a specific type of DCS is also possible, enabling the execution. ICE is an example of this. In-circuit emulation (ICE) is the use of a hardware device, or in-circuit emulator, to debug the software of an embedded system. It operates by using a processor with the additional ability to support debugging operations, as well as to carry out the main function of the system. Particularly for older systems with limited processors, this usually involved temporarily replacing the processor with a hardware emulator: a more expensive, more powerful version. This was historically done in the form of a bond-out processor with many internal signals exposed for the purpose of debugging. These signals provide information about the state of the processor. |
| EST000028 | Positioning, Navigation and Timing (PNT) Geofencing | A Cyber Embedded Technique in which an adversary utilizes PNT-specific parameters accessible to the subsystem to execute previously implanted malware to gain an embedded-system-platform-specific effect in a covert manner. Platforms move through space, unlike typical enterprise systems. If malware has a trigger that only executes when the platform is within a certain space (within a country's boundary, for example), that trigger is known as a Geofence. By using a Geofence, an adversary can ensure that malware is only executed when it is needed. Similar to Geofencing, the relative or absolute position of the platform could be combined with some form of timing to serve as the trigger for malware execution. |
| EST000029 | Embedded System State | A Cyber Embedded Technique in which an adversary utilizes the current embedded system state parameters accessible to the subsystem to execute previously implanted malware to gain a platform-specific effect in a covert manner. Unlike standard enterprise systems, platforms undergo changes in state which are governed by operational needs. For instance, Weight on Wheels is the value that reflects whether or not the platform thinks it is on the ground. This changes the characteristics of certain subsystems. |
| EST000030 | Non-Self Originated Sensor Signal | A Cyber Embedded Technique in which an adversary utilizes external signals to trigger malware execution or alter the normal operation of an integrated circuit. This can take many forms: the platform may use a camera to detect an anomaly, or an adversary may fire a laser from an aquatic location at the platform. It may be an RF signal that is captured by a specific antenna. Previously named: Non-Self Originated Electro Optical Signal |
| EST000031 | Self-Originated Sensor Signal | A Cyber Embedded Technique in which an adversary uses onboard generation of signals to trigger malware. If the malware triggers on an action generated by the platform this would be an example of a self-originated signal. For example, if a platform uses directed energy, and the malware is capable of detecting this, it could begin execution based on that event. Previously named: Self Originated Electro Optical Signal |
| EST000032 | Hardware Trojan | A Cyber Embedded Technique in which an adversary implants a hardware trojan to gain execution and persistence on a specific subsystem to have an embedded-system-platform-specific effect. They may implant or leave behind "software" HDL for FPGAs/ASICs. These can be implanted or triggered by various means. There is a wide range of ways to accomplish this. |
| EST000033 | Out-of-Band Transceiver Manipulation | A Cyber Embedded Technique in which an adversary utilizes out-of-protocol or out-of-band Command and Control (C2) channels to disrupt normal C2 communication and trigger malware execution, resulting in a platform-specific effect on an embedded system. This involves manipulating the execution state of a transceiver using unconventional communication methods that bypass standard protocols. These methods can include command spoofing, direct hardware manipulation, or protocol exploitation. The adversary leverages some form of out-of-band communication, whether on the same physical connection or a separate channel, to induce a change of state in the transceiver. This change of state is then detected by resident malware, which triggers the execution of its malicious payload. Previously named: Out of Protocol C2 |