Techniques
| ID | Name | Description |
|---|---|---|
| EST000189 | Active Scanning | A Cyber Embedded Technique in which an adversary scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, serial connections, or over radio frequency (RF) links. |
| EST000001 | Drive-By Compromise | A Cyber Embedded Technique in which an adversary gains access to a system by using a maintenance or debug port or protocol to inject malware. This differs from the traditional Drive-by Compromise in that it requires an active event by the actor and only a passive event by the unwitting user of the embedded system. Typical drive-by compromise process: the adversary preloads malware through a debug interface of the target sub-system, such as: • IEEE 1394b (FireWire) • UART (RS-232) • PCMCIA slot (external PCI interface) • ARINC 615 (over ARINC 429) • ARINC 615A (over Ethernet). These unauthenticated protocols accept the malware by default because the loader is treated as a trusted system (no authentication or software signing), allowing the adversary to gain persistence inside the sub-system. Once the malware is loaded the adversary removes the physical connection and the system appears physically unaltered. |
| EST000002 | Hardware Additions | A Cyber Embedded Technique in which an adversary introduces computer accessories, computers, or networking hardware into a sub-system or serial network that can be used as a vector to gain access. Such products have capabilities including passive network tapping, man-in-the-middle encryption breaking, keystroke injection, data injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others. Serial network examples include ARINC 429, CAN, J1939, AS5643 and SpaceWire. |
| EST000003 | Access via Removable Media | A Cyber Embedded Technique in which an adversary moves onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of embedded features that execute content when the media is inserted into a system. This technique aligns with ICS ATT&CK T0847, Replication Through Removable Media. |
| EST000004 | Supply Chain Compromise | A Cyber Embedded Technique in which an adversary compromises the supply chain by manipulating products or product delivery mechanisms prior to receipt by the final consumer, for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain, including: • Manipulation of development tools • Manipulation of a development environment • Manipulation of source code repositories (public or private) • Manipulation of source code in open-source dependencies • Manipulation of software update/distribution mechanisms • Compromised/infected system images (multiple cases of removable media infected at the factory) • Replacement of legitimate software with modified versions • Sales of modified/counterfeit products to legitimate distributors • Shipment interdiction. While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set, or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to the users of those dependencies. |
| EST000005 | Trusted Relationship | A Cyber Embedded Technique in which an adversary breaches or otherwise leverages organizations that have access through trusted relationships. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second- or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Examples of these relationships include original equipment engineers and depot maintenance contractors. The third-party provider's access may be intended to be limited to the infrastructure being maintained but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used. |
| EST000006 | Access via Valid Accounts | A Cyber Embedded Technique in which a cyber adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In practice, embedded systems are most closely aligned with Local Accounts as described by MITRE ATT&CK sub-technique T1078.003 (Valid Accounts: Local Accounts), but the technique may also cover devices such as embedded laptops. |
| EST000007 | Exploit via Radio Interfaces | A Cyber Embedded Technique in which an adversary attacks the platform via external RF sources, with the overall goal of influencing the subsystems on the platform that manage RF energy in some way. • Analog Communication: compromise through analog voice at the subsystem stage on a platform, from an external or internal source. • Digital Communication: compromise through digital communications media (including digitized voice) at the subsystem stage on a platform, from an external or internal source. • Data Link: compromise through a remote service the platform uses for legitimate purposes (IFF, datalinks, etc.). • Non-Data Link: exploitation of a non-communications RF path (radar, for example) to gain initial access to the platform. • Standardized Open Frequencies (e.g. 2.4 GHz, 5 GHz, 60 GHz): compromise of wireless communications typically used for packetized data transfer to gain access to the platform via a specific subsystem. In each case the signal-processing front end acts as a peripheral to the host system MCU/processor, and the compromised subsystem may be used as the pivot point to other subsystems. |
| EST000008 | Install Insecure or Malicious Configuration | A Cyber Embedded Technique in which an adversary inserts a malicious configuration, either through the supply chain or some other DevOps cycle, in order to make the system download malware. An example is inserting a callout on a data link that controls the location the system draws data from, causing it to consume malicious data. |
| EST000009 | Maintenance or Debug Ports | A Cyber Embedded Technique in which an adversary gains access through maintenance or debug ports. These ports are typically used for maintenance actions; their availability raises the capability of an attacker and can serve as the initial access point. They typically allow OEMs or field-level maintenance technicians to perform the operations required to preserve the mission capability of the platform. Use of these ports also advances an attacker's technical knowledge of the system, enabling reverse engineering efforts. |
| EST000010 | Authenticated Menu Bypass | A Cyber Embedded Technique in which an adversary gains an initial access vector and performs DMA attacks/manipulation directly from the multi-function display/MCDU to bypass authentication mechanisms. This may further reverse engineering efforts or simply allow an adversary to perform an impact action immediately. |
| EST000011 | Masquerade as Legitimate Application | A Cyber Embedded Technique in which an adversary exploits lacking or primitive legacy sub-system security to masquerade as a legitimate application. Computationally, some legacy avionics LRUs could only perform simple cyclic redundancy checks (CRCs) on loaded software. A CRC detects accidental corruption, not deliberate modification: because it is linear, an adversary who controls the image can choose a few bytes so that an arbitrary payload produces whatever CRC the LRU expects. Defeating these checks today takes a standard desktop PC a fraction of a second. |
| EST000012 | Engineering Workstation Compromise | A Cyber Embedded Technique in which an adversary compromises ground support equipment used at the depot maintenance location so that they can affect the system baseline, or affect platforms as they are cycled through depot. This provides multiple routes of entry into the platform; refer to Enterprise ATT&CK for routes to compromise the workstation itself. This may affect the whole platform or only specific LRUs, and would then also affect other devices in the maintenance lifecycle. |
| EST000013 | Internet Accessible Device | A Cyber Embedded Technique in which an adversary exploits an internet-accessible device as an entry point to the platform. An example is planning documents for operational use, prepared on an internet-accessible system, that have been maliciously modified. |
| EST000014 | Access via Direct Connect System | A Cyber Embedded Technique in which an adversary exploits a Direct Connect System (DCS) to deploy and execute malware on the connected device, gaining a persistent foothold or pivoting to other subsystems to have a specific effect on a system. Emulating a specific type of DCS is also possible and likewise enables execution; in-circuit emulation (ICE) is an example. In-circuit emulation is the use of a hardware device, the in-circuit emulator, to debug the software of an embedded system. It operates by using a processor with the additional ability to support debugging operations, as well as to carry out the main function of the system. Particularly for older systems with limited processors, this usually involved temporarily replacing the processor with a hardware emulator: a more expensive, more powerful version. Historically this took the form of a bond-out processor with many internal signals exposed for the purpose of debugging; these signals provide information about the state of the processor. |
| EST000015 | Downgrade to Insecure Protocols | A Cyber Embedded Technique in which an adversary attacks a secure protocol by means such as intercepting its handshake or jamming it, forcing the operator to revert to an insecure protocol. This exposes traffic over the insecure protocol and changes the security posture of the system, opening further attack vectors. |
| EST000016 | Command-Line Interface | A Cyber Embedded Technique in which an adversary uses command-line interfaces to interact with systems and execute other software during the course of an operation. Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms, including non-traditional operating systems such as Green Hills INTEGRITY, VxWorks or pSOS. Adversaries may require physical access to serial interfaces that may or may not be documented in the system AAR/ICD. |
| EST000017 | Compiled HTML File | A Cyber Embedded Technique in which an adversary abuses compiled HTML files to embed malicious code. A custom CHM file containing embedded payloads could be delivered to a victim and then triggered by User Execution. CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). |
| EST000018 | Graphical User Interface | A Cyber Embedded Technique in which an adversary uses a system's GUI during an operation instead of a Command-Line Interface. Adversaries may use a system's GUI through a remote interactive session, such as Remote Desktop Protocol, to search for information and execute files via mouse double-click events, the Windows Run command, or other potentially difficult-to-monitor interactions. The graphical user interface (GUI) is a common way to interact with an operating system. The GUIs of platforms offer unique opportunities because of the platform intranet connections that are commanded from the GUI, in this case a multifunction display unit/MCDU. Interface subsystems that contain a GUI generally provide information about that subsystem and may serve to find additional access vectors. Pilots and maintainers alike rely on these GUIs to operate and maintain the platform. |
| EST000019 | Scheduled Task | A Cyber Embedded Technique in which an adversary uses task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires membership of the Administrators group on the remote system. On a platform, hooking the startup BIT (built-in test) or initiated BIT would allow an adversary to run malware or hide the fact that malware is already running. This may also be done continuously, coinciding with the continuous BIT of a subsystem or LRU. Some platforms also broadcast maintenance and other telemetry data on approach; any scheduled task that the platform performs in this manner could be used as a trigger to execute malware or to hide the fact that malware is running. |
| EST000020 | Service Execution | A Cyber Embedded Technique in which an adversary executes a binary, command, or script via a method that interacts with operating system services. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. There are other forms of service execution for various operating systems. Adversaries may execute binaries or commands in RTOS service handlers. |
| EST000021 | Execute via Trusted Developer Utilities | A Cyber Embedded Technique in which an adversary compromises and utilizes Trusted Developer Utilities as a method to execute code on a targeted subsystem. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions. For platforms that rely on ground support equipment or depot level support equipment, the GSE may serve as the initial attack vector, but may also serve to launch malware that has been pre-positioned in a supply chain attack. |
| EST000022 | Change Operating Mode | A Cyber Embedded Technique in which an adversary changes the operating mode of a controller to gain additional access to engineering functions such as Program Download. Embedded systems typically have several modes of operation that control the state of the user program and control access to the system's API. Operating modes can be selected by various physical means on the system but may also be selected with calls to the system's API. Operating modes, and the mechanisms by which they are selected, often vary by vendor and product line. |
| EST000023 | Execution Through API | A Cyber Embedded Technique in which an adversary leverages Application Programming Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or in other software. |
| EST000024 | Logical Man in the Middle | A Cyber Embedded Technique in which an adversary performs a logical man-in-the-middle attack at layers 2 through 4 of the OSI model, abusing the inherent trust of serial bus protocols to pivot to adjacent subsystems. For embedded systems the relevant bus protocols are broader than IP networking and include CAN, AS5643, J1939, and ARINC 429. |
| EST000025 | Execute via Modified System Tasking | A Cyber Embedded Technique in which an adversary modifies the tasking of an embedded system to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of an embedded system. An adversary may modify the associations between tasks and programs, or create new ones, to manipulate the execution flow of an embedded system. Modification of embedded system tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. Tasks have properties, such as interval, frequency and priority, to meet the requirements of program execution. Some embedded system vendors implement tasks with implicit, pre-defined properties whereas others allow these properties to be set explicitly. An adversary may associate their program with tasks that have a higher priority or that execute associated programs more frequently. |
| EST000026 | Improper Memory Management | A Cyber Embedded Technique in which an adversary utilizes poor software hygiene and memory management to inject executable code on a target subsystem to produce a variety of embedded-system-specific effects. Legacy LRUs are typically memory- and processor-constrained, and the compilers of their era were in their infancy, which led early component developers to favour performance over security. Many of these tradeoffs gained performance at the cost of security, or were simply what was available at the time. Examples include, but are not limited to: • Direct memory access • Stack overflow • Double free • Heap underflow • Buffer overflow • Integer over/underflow • Shared memory space • Dual-port RAM • Local/global descriptor table mismatch • Improper segmentation allocation. Typically, these would be exploited through bus communications or via an RF attack vector. |
| EST000027 | Execute via Direct Connect System | A Cyber Embedded Technique in which an adversary utilizes a Direct Connect System (DCS) to directly connect to, deploy and execute malware on the connected device, gaining a persistent foothold or pivoting to other subsystems to have a specific effect on a system. Emulating a specific type of DCS is also possible and likewise enables execution; in-circuit emulation (ICE) is an example. In-circuit emulation is the use of a hardware device, the in-circuit emulator, to debug the software of an embedded system. It operates by using a processor with the additional ability to support debugging operations, as well as to carry out the main function of the system. Particularly for older systems with limited processors, this usually involved temporarily replacing the processor with a hardware emulator: a more expensive, more powerful version. Historically this took the form of a bond-out processor with many internal signals exposed for the purpose of debugging; these signals provide information about the state of the processor. |
| EST000028 | Positioning, Navigation and Timing (PNT) Geofencing | A Cyber Embedded Technique in which an adversary utilizes PNT parameters accessible to the subsystem to execute previously implanted malware, gaining a platform-specific effect in a covert manner. Unlike typical enterprise systems, platforms move through space. Malware with a trigger that fires only when the platform is within a certain region (inside a country's boundary, for example) is said to be geofenced. By using a geofence an adversary can ensure that malware is only executed when it is needed. Similarly, the relative or absolute position of the platform could be combined with some form of timing to serve as the trigger for malware execution. |
| EST000029 | Embedded System State | A Cyber Embedded Technique in which an adversary utilizes the current embedded system state parameters accessible to the subsystem to execute previously implanted malware, gaining a platform-specific effect in a covert manner. Unlike standard enterprise systems, platforms undergo changes in state governed by operational needs. For instance, Weight on Wheels is the value that reflects whether the platform believes it is on the ground, and it changes the characteristics of certain subsystems. |
| EST000030 | Non-Self Originated Sensor Signal | A Cyber Embedded Technique in which an adversary utilizes external signals to trigger malware execution or alter the normal operation of an integrated circuit. This can take many forms: the platform may use a camera to detect an anomaly, an adversary may fire a laser at the platform from an aquatic location, or it may be an RF signal captured by a specific antenna. Previously named: Non-Self Originated Electro Optical Signal |
| EST000031 | Self-Originated Sensor Signal | A Cyber Embedded Technique in which an adversary uses onboard generation of signals to trigger malware. If the malware triggers on an action generated by the platform this would be an example of a self-originated signal. For example, if a platform uses directed energy, and the malware is capable of detecting this, it could begin execution based on that event. Previously named: Self Originated Electro Optical Signal |
| EST000032 | Hardware Trojan | A Cyber Embedded Technique in which an adversary implants a hardware trojan to gain execution and persistence on a specific subsystem and produce a platform-specific effect. The adversary may implant or leave behind malicious HDL, the "software" of FPGAs/ASICs. Such trojans can be implanted or triggered by various means; there is a wide range of ways to accomplish this. |
| EST000033 | Out-of-Band Transceiver Manipulation | A Cyber Embedded Technique in which an adversary utilizes out-of-protocol or out-of-band Command and Control (C2) channels to disrupt normal C2 communication and trigger malware execution, resulting in a platform-specific effect on an embedded system. This involves manipulating the execution state of a transceiver using unconventional communication methods that bypass standard protocols. These methods can include command spoofing, direct hardware manipulation, or protocol exploitation. The adversary leverages some form of out-of-band communication, whether on the same physical connection or a separate channel, to induce a change of state in the transceiver. This change of state is then detected by resident malware, which triggers the execution of its malicious payload. Previously named: Out of Protocol C2 |
| EST000034 | Account Manipulation | A Cyber Embedded Technique in which an adversary manipulates accounts to maintain access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. |
| EST000035 | Bootkit | A Cyber Embedded Technique in which an adversary uses bootkits to persist on systems at a layer below the operating system. This may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. |
| EST000036 | Persistent Firmware | A Cyber Embedded Technique in which an adversary employs sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system, in firmware or BIOS. This technique is similar to System Firmware but is conducted on other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite typical failures to maintain access and hard disk re-images, and a way to evade host software-based defenses and integrity checks. An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system; the adversary may attack and exploit the computer on the Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as: • Delayed attack: the adversary stages an attack in advance and chooses when to launch it, such as at a particularly damaging time. • Bricking the Ethernet card: malicious firmware may be programmed to cause an Ethernet card failure, requiring a factory return. • "Random" attack or failure: the adversary loads malicious firmware onto multiple field devices; whether an attack executes, and when, is driven by a pseudo-random number generator. • A field device worm: the adversary identifies all field devices of the same model, with the end goal of a device-wide compromise. • Attacking other cards in the field device: although it is not the most important module in a field device, the Ethernet card is the most accessible to the adversary and to malware; compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module. |
| EST000037 | Create Account | A Cyber Embedded Technique in which an adversary with a sufficient level of access creates a local system, domain, or cloud tenant account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. |
| EST000038 | External Remote Services | A Cyber Embedded Technique in which an adversary uses remote services to initially access and/or persist within a network. Access to valid accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of Redundant Access during an operation and could include data links used to provide services on a platform. |
| EST000039 | File System Permissions Weakness | A Cyber Embedded Technique in which an adversary replaces legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include root/SYSTEM/administrator/etc. |
| EST000040 | Hidden Files and Directories | A Cyber Embedded Technique in which an adversary hides files and folders anywhere on the system for persistence and for evading a typical user or system analysis that does not incorporate investigation of hidden files. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a 'hidden' file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files, either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS). |
| EST000041 | Persistence Hooking | A Cyber Embedded Technique in which an adversary uses hooking to load and execute malicious code within the context of another process. This technique could mask the execution while simultaneously allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use. Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. |
| EST000042 | Hypervisor | A Cyber Embedded Technique in which an adversary establishes a malicious type-1 hypervisor to persist on systems beneath the operating system. A type-1 hypervisor is a software layer that sits between the guest operating systems and the system's hardware; it presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. |
| EST000043 | Kernel Modules and Extensions | A Cyber Embedded Technique in which an adversary uses loadable kernel modules to covertly persist on a system and evade defenses. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. When used maliciously, LKMs can be a type of kernel-mode Rootkit that runs with the highest operating system privilege (Ring 0). Examples have been found in the wild and there are some open source projects. |
| EST000044 | Local Job Scheduling | A Cyber Embedded Technique in which an adversary utilizes the job scheduling mechanisms of the operating system to schedule background tasks. |
| EST000045 | Modify Existing Service | A Cyber Embedded Technique in which an adversary modifies an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. |
| EST000046 | New Service | A Cyber Embedded Technique in which an adversary installs a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under root/admin/SYSTEM/etc privileges, so an adversary may also use a service to escalate privileges from administrator to root/admin/SYSTEM/etc. Adversaries may also directly start services through Service Execution. |
| EST000047 | Path Interception | A Cyber Embedded Technique in which an adversary uses file placement strategies to execute malicious applications instead of the intended application. Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. |
| EST000048 | Port Knocking - Serial Bus | A Cyber Embedded Technique in which an adversary unlocks hidden, undocumented, or adversary-controlled services on a serial bus by sending a specific sequence of commands to different subaddresses on a known terminal address. This sequence, analogous to 'port knocking' in network protocols, acts as a 'key' to enable the service. The adversary discovers this 'knock' sequence by observing serial bus traffic and analyzing the responses from the subsystem. Once the correct 'knock' is performed, the service is activated, potentially granting the adversary persistence. While not directly opening firewall ports as in traditional network port knocking, this technique similarly relies on a specific, pre-defined sequence to gain access to a protected resource. |
| EST000049 | Port Monitors - Serial Bus | A Cyber Embedded Technique in which an adversary gains persistence on a serial bus by exploiting a vulnerable or misconfigured port monitor. Typically, port monitors are designed to passively observe serial bus traffic in a receive-only mode for debugging or analysis purposes. The adversary exploits a weakness to switch the port monitor into transmit mode. By transmitting malicious commands or data onto the bus using the compromised port monitor, the adversary can modify system configurations, inject malicious code, or install backdoors, thereby establishing persistence on the serial bus. |
| EST000050 | Redundant Access Points | A Cyber Embedded Technique in which an adversary uses more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network. Adversaries may also retain access through cloud-based infrastructure and applications. Use of a Web Shell is one such way to maintain access to a network through an externally accessible Web server. |
| EST000051 | Startup Items | A Cyber Embedded Technique in which an adversary creates the appropriate folders/files in the startup directory to register their own persistence mechanism. |
| EST000052 | Evasive System Firmware | A Cyber Embedded Technique in which an adversary utilizes the BIOS (Basic Input/Output System) or similar capabilities as a way to interject executable code prior to operating system boot. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect. |
| EST000053 | Time Providers | A Cyber Embedded Technique in which an adversary abuses the Windows Time service architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. Administrator privileges are required for time provider registration, though execution will run in the context of the Local Service account. |
| EST000054 | Persistence via Valid Accounts | A Cyber Embedded Technique that mirrors the ATT&CK Enterprise technique Valid Accounts (T1078). |
| EST000055 | Persistent OS Kernel or Boot Partition | A Cyber Embedded Technique in which an adversary with escalated privileges places malicious code in the device kernel or other boot partition to maintain a persistent presence on a system. If an adversary can escalate the malicious code's privileges, the code may persist after device resets and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. Previously named: Modify OS Kernel or Boot Partition |
| EST000056 | Modify System Partition | A Cyber Embedded Technique in which an adversary escalates privileges and uses those privileges to place malicious code in the device system partition. If an adversary is able to escalate the malicious code's privileges, the malicious code may persist after device resets and may not be easily removed by the device user. |
| EST000057 | Modify Trusted Execution Environment | A Cyber Embedded Technique in which an adversary escalates privileges and uses those privileges to place malicious code in the device's Trusted Execution Environment (TEE). If an adversary is able to escalate the malicious code's privileges, the code may evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior. |
| EST000058 | Modify NVRAM Code and Configuration | A Cyber Embedded Technique in which an adversary modifies code or configuration data stored in Non-Volatile Random-Access Memory (NVRAM) to achieve persistence on a subsystem. NVRAM is targeted because it retains its data even after a reboot, making it a reliable location to store malicious code or configurations. This technique exploits the fact that NVRAM often stores boot configuration data, early initialization code, or device drivers loaded during system startup. By modifying these elements, the adversary can gain control early in the boot sequence and ensure that malware is executed automatically after each reboot. This technique may involve exploiting vulnerabilities in the NVRAM update process, bypassing security mechanisms designed to protect NVRAM contents, or directly manipulating NVRAM data through hardware interfaces. Because NVRAM implementations are highly platform-specific, successful exploitation often requires detailed knowledge of the target system's hardware architecture and boot process. |
| EST000059 | Supply Chain and Third Party Library | A Cyber Embedded Technique in which an adversary utilizes COTS or GOTS third party libraries with an implanted vulnerability to gain persistence on a subsystem that meets a specific hardware and software profile. |
| EST000060 | Embedded Software | A Cyber Embedded Technique in which an adversary exploits embedded-software-specific vulnerabilities to implant code into persistent memory. |
| EST000061 | Operational Data Files | A Cyber Embedded Technique in which an adversary modifies operational data files to be executed in a malicious manner to gain persistence on a subsystem when they are loaded via various means. |
| EST000062 | Privilege Escalation via Direct Connect System | A Cyber Embedded Technique in which an adversary utilizes a Direct Connect System (DCS) or a spoofed Direct Connect System to gain privileged access to a Line Replaceable Unit (LRU) by appearing to mimic normal maintenance operations. Some LRUs have additional guards that require DCS configurations to reflash protected portions of memory that can only be written from a DCS in 'OEM' mode. |
| EST000063 | Hidden Menu | A Cyber Embedded Technique in which an adversary utilizes hidden menus that are inherent in the LRU but require special knowledge of their presence to gain privileged access to LRU submenus and settings. Submenus can include diagnostic and maintenance pages that can provide complete control over the targeted LRU by allowing read and write access to system memory while the device is running. This may be further exploited by dumping the system memory to reverse engineer the device's functionality and look for additional vulnerabilities that can be exploited remotely at a later time. |
| EST000064 | Reserve Software Options | A Cyber Embedded Technique in which an adversary utilizes software options that did not originally ship with an LRU but are built into the software package as options for maintainers and OEM maintenance to gain privileged access to the LRU. Software options can generally be configured from hidden menus or general maintenance pages. They follow specific bit sequences that are usually proprietary information, but once exploited can provide an abundance of additional functionality and/or access to the targeted LRU, potentially including persistent remote access via RF channels. |
| EST000065 | Configuration Changes | A Cyber Embedded Technique in which an adversary changes the startup configurations that affect LRU boot to gain privileged access to the LRU. |
| EST000066 | Differential Software Loading | A Cyber Embedded Technique in which an adversary exploits the differential software loading capability of a Line Replaceable Unit (LRU) or other embedded system to inject malicious code. Differential software loading allows for updating only the differences between the old and new software versions, rather than replacing the entire image. The adversary crafts a malicious delta update that overwrites specific, vulnerable sections of code, often targeting inactive or rarely used functions to avoid disrupting core system functionality. This can enable the adversary to gain privileged access (Ring 0) and execute arbitrary code. For example, the adversary might overwrite system memory, such as the serial bus memory buffer, potentially allowing them to intercept or manipulate communication on the bus. |
| EST000067 | Side Channel Attack | A Cyber Embedded Technique in which an adversary exploits unintended information leakage from a system during its normal operation. This leakage can be observed through various side channels, such as timing variations, power consumption, electromagnetic emissions, or memory access patterns. These channels provide indirect insights into the system's internal state or the data it is processing. Attackers leverage these side channels in passive ways, observing and analyzing the side channel data to extract sensitive information, such as cryptographic keys or algorithm secrets, without directly interfering with the system's execution. Examples include timing attacks, power analysis attacks, and electromagnetic analysis attacks. Complementing this, a Living-off-the-Land approach at the hardware level involves leveraging legitimate, low-level processor or memory operations—such as cache behavior, memory mapping, or speculative execution pipelines—to amplify/enable side channel leakage without relying on traditional software-based payloads. This approach capitalizes on the system's intended architecture and behavior to establish persistence or escalate privileges, effectively blending in with normal operations to evade detection. Note: This technique focuses on passive observation and analysis of side channels. Active manipulation of the system to induce faults is covered in the separate technique, EST000068 Fault Injection (Power/EM). |
| EST000068 | Fault Injection | A Cyber Embedded Technique in which an adversary actively utilizes power or electromagnetic (EM) fault injection techniques to deliberately introduce errors into the execution of code within a Line Replaceable Unit (LRU). This technique specifically focuses on the active introduction of faults using power and electromagnetic manipulation. This involves precisely manipulating the power supply voltage or applying EM pulses to the LRU's hardware to cause specific glitches or skips in instructions, such as bit flips in memory, instruction skips, or register corruption. By carefully timing these faults, the adversary can alter the intended control flow of the program, bypass security checks, or force the system into a privileged state. This allows the adversary to gain unauthorized access, execute arbitrary code, or extract sensitive information. Power and EM fault injection attacks exploit the physical characteristics of the hardware to compromise the system's security. It does not include passive observation and analysis of side channels, which are covered in the separate technique, EST000067 Side Channel Attack. |
| EST000069 | Binary Padding | A Cyber Embedded Technique in which an adversary uses binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed. |
| EST000070 | Code Signing | A Cyber Embedded Technique in which an adversary uses code signing certificates to masquerade malware and tools as legitimate binaries. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, forged, or stolen by the adversary. Code signing certificates may be used to bypass security policies that require signed code to execute on a system. |
| EST000071 | Compile After Delivery | A Cyber Embedded Technique in which an adversary attempts to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information, text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically, via native utilities such as csc.exe or GCC/MinGW. Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Spearphishing Attachment. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework. |
| EST000072 | Component Firmware | A Cyber Embedded Technique in which an adversary employs sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. |
| EST000073 | Evasive Connection Proxy | A Cyber Embedded Technique in which an adversary uses a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the internet and then the proxy would forward communications to the C2 server. Internal connection proxies can be used to consolidate internal connections from compromised systems. Adversaries may use a compromised internal system as a proxy in order to conceal the true destination of C2 traffic. The proxy can redirect traffic from compromised systems inside the network to an external C2 server making discovery of malicious traffic difficult. Additionally, the network can be used to relay information from one system to another in order to avoid broadcasting traffic to all systems. |
| EST000074 | Deobfuscate Files or Information | A Cyber Embedded Technique in which an adversary decodes a payload hidden in obfuscated files or information. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system. One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript. |
| EST000075 | Disabling Security Tools | A Cyber Embedded Technique in which an adversary disables security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting. |
| EST000076 | Execution Guardrails | A Cyber Embedded Technique in which an adversary uses guardrails and environmental keying to help protect their TTPs and evade detection. In an embedded system an adversary may use execution guardrails to not execute certain malware in a SIL/maintenance environment in order to evade detection, but may execute malware once it has been loaded onto the embedded system and the embedded system is operational. Execution guardrails constrain execution or actions based on adversary supplied environment specific details. The goal for the adversary is to only execute payloads when there is operational value to be gained. |
| EST000077 | Exploitation for Defense Evasion | A Cyber Embedded Technique in which an adversary exploits defensive software to avoid detection. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment, or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. |
| EST000078 | File Deletion | A Cyber Embedded Technique in which an adversary removes files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. |
| EST000079 | Indicator Blocking | A Cyber Embedded Technique in which an adversary attempts to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation. ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. |
| EST000080 | Indicator Removal from Tools | A Cyber Embedded Technique in which an adversary determines why a malicious tool was detected (the indicator), modifies the tool by removing the indicator, and uses the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use Software Packing or otherwise modify the file so it has a different signature, and then re-use the malware. |
| EST000081 | Indicator Removal on Host | A Cyber Embedded Technique in which an adversary deletes or alters generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*. Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred. |
| EST000082 | Install Root Certificate | A Cyber Embedded Technique in which an adversary installs a malicious root certificate to avoid "not trusted" error messages. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary-controlled web servers that spoof legitimate websites in order to collect login credentials. |
| EST000083 | Subsystem Masquerading | A Cyber Embedded Technique in which an adversary masquerades as a legitimate subsystem on a communication bus to perform unauthorized operations. This involves mimicking the identity, communication protocols, and behavior of a trusted component to gain access to sensitive data, control other devices, or disrupt system functionality. The adversary might achieve this by spoofing the subsystem's unique identifier on the bus, replicating its communication patterns, or exploiting vulnerabilities in authentication mechanisms. By successfully masquerading as a trusted subsystem, the adversary can bypass security checks and operate undetected within the embedded platform. This technique is distinct from Logical Masquerading (EST000085), which involves an adversary impersonating an LRU within a subsystem. Previously named: Masquerading |
| EST000084 | Process Masquerading | A Cyber Embedded Technique in which an adversary masquerades a malicious process as a legitimate executable process to evade defenses and monitoring. Within an LRU or other embedded system, process masquerading occurs when a malicious process is disguised to appear as a trusted or system-critical process. This can be achieved by renaming the executable, modifying its metadata, placing it in a trusted directory, or mimicking the command-line arguments and parent process of a legitimate process. By successfully masquerading as a legitimate process, the adversary can bypass security checks, avoid detection by monitoring tools, and maintain persistence within the system. This technique is distinct from Subsystem Masquerading (EST000083), which involves an adversary impersonating an entire subsystem within a platform and Logical Masquerading (EST000085), which involves an adversary impersonating an LRU within a subsystem. Previously named: Evasive Process Masquerading |
| EST000085 | Bus Communication Masquerading | A Cyber Embedded Technique in which an adversary masquerades their malicious communications amongst legitimate communications within a subsystem bus. This involves mimicking the protocols, timing, and addressing schemes of trusted devices to blend in with normal bus activity and avoid detection. Due to protocol limitations, some serial buses lack built-in authentication, and some protocols allow any device to transmit at any time. This enables the adversary to inject malicious commands, exfiltrate data, or disrupt system functionality while appearing to be a legitimate participant on the bus. The adversary might achieve this by spoofing device identifiers, replicating message formats, or exploiting vulnerabilities in bus communication protocols. This technique is distinct from Subsystem Masquerading (EST000083), which involves an adversary impersonating an entire subsystem within a platform. Previously named: Logical Masquerading |
| EST000086 | Obfuscated Files or Information | A Cyber Embedded Technique in which an adversary makes an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. Adversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature-based detections and whitelisting mechanisms. Another example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversary uses of steganography was the activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it in an image before exfiltrating the image to a C2 server. By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. |
| EST000087 | Port Knocking | A Cyber Embedded Technique in which an adversary evades defenses by avoiding detection in test environments. On some serial bus protocols there is a concept of a "port." It would be possible for an adversary to create malware that opens and responds on one addressable detail only after receiving the correct information on a different addressable detail. Detecting Port Knocking would require knowledge of "usual traffic" and monitoring of the specific network. |
| EST000088 | Process Hollowing | A Cyber Embedded Technique in which an adversary executes arbitrary code in the address space of a separate live process. Process hollowing occurs when a process is created in a suspended state, then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. |
| EST000089 | Process Injection | A Cyber Embedded Technique in which an adversary executes arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. |
| EST000090 | Redundant Evasive Access Points | A Cyber Embedded Technique in which an adversary uses more than one initial access vector and persistence technique to maintain and re-access the platform. This may be done through a combination of physical devices or remote RF vectors. The goal for the adversary here is to maintain access to the subsystems they previously had access to. |
| EST000091 | Hidden Rootkit | A Cyber Embedded Technique in which an adversary uses rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems, have been shown to work on VxWorks systems, and may be possible on other common embedded operating systems. |
| EST000092 | Scripting | A Cyber Embedded Technique in which an adversary uses scripts to aid in operations and perform multiple actions that would otherwise be manual. In a platform this can be a second-stage bootloader or be used during maintenance to perform data loading operations. Maintenance typically needs to change the mode of operation to be able to access certain functions, and that is accomplished by scripts that control the LRU. Because platforms are typically disconnected from the internet, scripting is less likely to be used in real time by an operator and more likely to execute on some trigger. |
| EST000093 | Timestomp | A Cyber Embedded Technique in which an adversary manipulates timestamps to avoid defenses or forensic investigations. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. |
| EST000094 | Evade via Trusted Developer Utilities | A Cyber Embedded Technique in which an adversary exploits Trusted Developer Utilities to evade defensive measures. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions. On embedded systems OEMs have various ways of accessing and controlling the LRUs that they produce. These are typically undocumented at the operational location in any way due to the contractor’s proprietary information. These tools are undocumented because the Government does not typically own the technical baseline of these devices. On the boards themselves, SPI, I2C or various other serial communications may be used to access memory or other useful interfaces to the device. |
| EST000095 | Device Lockout | A Cyber Embedded Technique in which an adversary locks the legitimate user out of the device, for example to inhibit user interaction. |
| EST000096 | Evade Analysis Environment | A Cyber Embedded Technique in which an adversary uses many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments. Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. For embedded devices, this would include evading SIL and testing activities performed by various organizations. The goal here is to evade detection by an analyst who is specifically searching for malicious activity. |
| EST000097 | Input Injection | A Cyber Embedded Technique in which an adversary introduces valid data into menu or data structures as if they were a pilot. It is also possible to appear as a legitimate application to the pilot or from the MCDU. The payload would take advantage of the fact that the pilot is enabled to perform various operations on the platform due to their role. Because this is legitimate traffic operating within legitimate bounds, the adversary will evade defenses. For example: a payload could detect that a subsystem has been turned on via the "on" button, and then immediately send the "off" command as if the "off" button had been pressed. Doing this would ensure that the target subsystem could not be turned on. |
| EST000098 | Evasive OS Kernel or Boot Partition | A Cyber Embedded Technique in which an adversary with escalated privileges places malicious code in the device kernel or other boot partition to avoid detection on a system. If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases, the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. Most PIT embedded systems do not have secure boot technologies implemented allowing adversaries to easily modify boot partition components. If the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code. |
| EST000099 | Modify Underlying System | A Cyber Embedded Technique in which an adversary modifies the underlying system, specifically targeting security mechanisms or monitoring tools, to evade detection. This involves altering system files or configurations that are responsible for security logging, intrusion detection, or integrity checks. By disabling or manipulating these security functions, the adversary can hide their malicious activity and operate undetected within the system. For example, the adversary might modify system logs to remove evidence of their presence, disable intrusion detection rules, or corrupt integrity verification databases. This technique relies on first achieving privilege escalation to then directly impair defense capabilities. |
| EST000101 | Container Breakout | A Cyber Embedded Technique in which an adversary performs defense evasion by escaping from a container and gaining access to the underlying host system. The goal of the adversary is not to obtain more abilities, simply to obfuscate execution from container defenses. Previously named: Containerization |
| EST000102 | Exploitation for Evasion | A Cyber Embedded Technique in which an adversary exploits a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware. |
| EST000103 | Impersonate Master Device | A Cyber Embedded Technique in which an adversary sets up a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. Impersonating a master device may also allow an adversary to avoid detection. |
| EST000104 | Spoof Reporting Message | A Cyber Embedded Technique in which an adversary spoofs reporting messages in control systems environments to achieve evasion. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control. If an adversary has the ability to Spoof Reporting Messages, then they can impact the network in many ways. The adversary can Spoof Reporting Messages that state that the device is in normal working condition, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors were occurring, to distract them from the actual source of the problem. |
| EST000105 | Evade via Operating Mode Changes | A Cyber Embedded Technique in which an adversary places controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause an impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses. |
| EST000106 | Modify Checksums | A Cyber Embedded Technique in which an adversary reverse engineers and recalculates or modifies binary checksums to load malware without affecting the functionality or behavior of the binary. This will not change the size of the file, as it requires no change to the binary other than the physical location of the inserted malware and recalculation of the Cyclic Redundancy Check (CRC) after the malware has been inserted. Although this is possible, the preferred method would be Binary Padding, as a modified checksum may be visible to an operator during an operational check of currently loaded software on any debug/maintenance console. |
| EST000107 | Evade Physical Detection | A Cyber Embedded Technique in which an adversary uses techniques to avoid physical detection of system manipulation. Adversaries seek not to be found through maintenance visual inspection. They will seek to design their implant and/or leave-behind device such that it is not easily found, either by miniaturization or camouflage. |
| EST000108 | Brute Force | A Cyber Embedded Technique in which an adversary uses brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained. Credential Dumping is used to obtain password hashes; this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. A related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following: • SSH (22/TCP) • Telnet (23/TCP) • FTP (21/TCP) • NetBIOS / SMB / Samba (139/TCP & 445/TCP) • LDAP (389/TCP) • Kerberos (88/TCP) • RDP / Terminal Services (3389/TCP) • HTTP/HTTP Management Services (80/TCP & 443/TCP) • MSSQL (1433/TCP) • Oracle (1521/TCP) • MySQL (3306/TCP) • VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365. In addition to management services, adversaries may target proprietary UART or other serial interfaces used for maintenance. These maintenance interfaces generally do not follow a standard protocol, as they are vendor specific. In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than SMB, which creates Windows "logon failure" event ID 4625. |
| EST000109 | Credential Dumping | A Cyber Embedded Technique in which an adversary extracts stored credentials, such as usernames, passwords, or cryptographic keys, from a maintenance aid or remote (over the air loading/keying) data load. The dumped credentials can then be used for subsequent malicious activities, such as gaining unauthorized access to the LRU itself, compromising other systems, or intercepting sensitive communications. The lack of encryption during binary transfers from support system to the LRU can allow an adversary to use dumped credentials to inject malicious binaries onto the LRU. |
| EST000110 | Credentials in Files | A Cyber Embedded Technique in which an adversary searches local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. |
| EST000111 | Exploitation for Credential Access | A Cyber Embedded Technique in which an adversary exploits software vulnerabilities to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. |
| EST000112 | Credential Access Hooking | A Cyber Embedded Technique in which an adversary exploits a process that leverages application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via: • Hook procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. • Import address table (IAT) hooking, which uses modifications to a process's IAT, where pointers to imported API functions are stored. • Inline hooking, which overwrites the first bytes in an API function to redirect code flow. Similar to Process Injection, adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use. Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. |
| EST000113 | Credential Access Input Capture | A Cyber Embedded Technique in which an adversary captures user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception. This could include MCDUs on an aircraft, tank, and/or ship, in addition to other operator interfaces that are not a standard keyboard/mouse. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective and may require an adversary to remain passive on a system for a period of time before an opportunity arises. Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. |
| EST000114 | Credential Access Network Sniffing | A Cyber Embedded Technique in which an adversary uses a network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network or use span ports to capture a larger amount of data. This can be inclusive of standard IP-based protocols as well as embedded serial buses, such as ARINC 429, J1939, CAN, AS5643, etc. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities. |
| EST000115 | Private Keys | A Cyber Embedded Technique in which an adversary gathers private keys from compromised systems for use in authenticating to Remote Services like SSH or for use in decrypting other collected files. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. Private keys should require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. |
| EST000116 | Extraction of Protected Credentials | A Cyber Embedded Technique in which an adversary extracts credentials that are deliberately hidden or protected using non-trivial methods. These credentials are not directly accessible through simple file reading and require specialized techniques to uncover. The adversary may employ a variety of methods to extract these credentials, including: • Reverse engineering compiled binaries to uncover obfuscated or encrypted credentials. • Analyzing persistent read-only memory or similar hardware components. • Recovering credentials hidden in unconventional locations, such as HDD sectors marked as bad or fragmented across multiple locations. • Exploiting vulnerabilities in custom credential management schemes. This technique differs from Credentials in Files (EST000110) in that it specifically addresses the extraction of credentials that are deliberately not stored in easily accessible file structures and require specialized knowledge or tools to uncover. Previously named: Reverse Engineering Extraction of Hard-Coded Credentials |
| EST000117 | Default Credentials from System Documentation | A Cyber Embedded Technique in which an adversary references the system documentation for an LRU to discover credentials stored in the documentation. These credentials may be provided in the documentation by vendors for specific types of service access, privileged processes, or ease of maintenance. |
| EST000118 | Account Discovery | A Cyber Embedded Technique in which an adversary acquires a listing of local system or domain accounts. |
| EST000119 | File and Directory Discovery | A Cyber Embedded Technique in which an adversary enumerates files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
| EST000120 | Network Service Scanning | A Cyber Embedded Technique in which an adversary acquires a listing of LRUs and/or services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Network scanning can be inclusive of labels being transmitted on an ARINC 429 pair; for FireWire it would be the device equipment ID, etc. |
| EST000121 | Discovery Network Sniffing | A Cyber Embedded Technique in which an adversary places a network interface into promiscuous mode to passively access data in transit over the network or uses span ports to capture a larger amount of data. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. Network sniffing will vary drastically between different serial networks such as ARINC 429 and AS5643. On ARINC 429 all devices are point to point, so a compromised device can only see traffic that is specifically destined for that device. On AS5643 a device may be able to see all traffic destined for itself and any immediate peer devices that it is connected to. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities. |
| EST000122 | Internal Peripheral Device Discovery | A Cyber Embedded Technique in which an adversary gathers detailed information about internal peripheral devices and components directly connected to an embedded system by passively observing the system's internal state through analysis of existing system resources. This technique focuses on discovering hardware configurations that are not typically exposed through network interfaces. The adversary leverages internal system resources, such as device drivers, system memory, pre-existing data in hardware registers, and debugging interfaces used for introspection (e.g., JTAG, SWD), to identify and characterize the internal hardware architecture. This involves analyzing data already present within these resources, rather than actively querying the peripherals themselves. Information gathered may include: • Hardware List • Digital Signal Processor (DSP) Details • Memory Architecture • Internal Bus Structure • Memory-Mapped I/O (MMIO) Port and Direct Memory Access (DMA) Configurations • Memory Map This information can then be used to identify vulnerabilities, develop targeted exploits, or map the system's attack surface. This technique differs from Network Service Scanning (EST000120) in that it relies on passive internal reconnaissance methods to gather information about the system's hardware, rather than probing network services or directly interacting with the peripherals. |
| EST000123 | Process Discovery | A Cyber Embedded Technique in which an adversary acquires information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may also attempt to find which processes are currently or recently executed to determine where that LRU is being run (Operationally vs during repair vs in maintenance mode etc.). |
| EST000124 | Remote System Discovery | A Cyber Embedded Technique in which an adversary acquires a listing of other systems that interact with the target platform. This may be a wired or wireless communication, or it may be through sneakernet. The wired communications may consist of typical IP networks or, more often, serial networks including ARINC 429, AS5643 or CAN. On platforms this includes adversaries discovering what other subsystems exist on that platform by utilizing the network or some other means while already on the platform. This will be necessary if the adversary seeks to pivot to those systems but does not have full documentation of the platform. Remote System Discovery can also include discovering what external services are communicating with the platform. Common communications media include datalinks, IFF, GPS, etc. Adversaries may also want to discover the tools and techniques used to generate data that is used by the platform. This may include analyzing file endings and encodings of files, or other techniques that indicate the operating system or application that created a file. |
| EST000125 | Security Software Discovery | A Cyber Embedded Technique in which an adversary acquires a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
| EST000126 | Software Discovery | A Cyber Embedded Technique in which an adversary acquires a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Due to the nature of moving platforms it is of even greater importance to leverage existing tooling on an LRU in order to accomplish objectives. Understanding which tools are already installed on a target system means that the adversary does not need to move that tool to the target. |
| EST000127 | System Information Discovery | A Cyber Embedded Technique in which an adversary acquires detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, architecture, LRU External interface discovery, platform mode of operation, where the platform is in space, what datalinks are enabled and being used and how the system deviates from the baseline. |
| EST000128 | System Owner/User Discovery | A Cyber Embedded Technique in which an adversary seeks to understand the target operating system's user structure. On embedded systems this can be wildly different from system to system. Adversaries will commonly use the same type of tools as for Windows/Linux and Mac, but applicable to the system currently being targeted. On VxWorks, for example, they may use the agentModeShow() routine or the windsh command-line tool. Every proprietary operating system will most likely have some form of these commands, but due to the landscape of embedded technology it is impossible to enumerate those tools. It is therefore more useful to understand what the adversary is trying to accomplish. Adversaries need to understand what user they are currently logged in as, what permissions that user has, how to escalate privileges, and what those escalated privileges allow them to accomplish. |
| EST000129 | System Time Discovery | A Cyber Embedded Technique in which an adversary gathers the system time and/or time zone from a local or remote system/network. On platforms which have GPS enabled this is usually accomplished by learning the information from the time service, whatever that may be on the platform. It can be accomplished by direct memory reads or read from the network. |
| EST000130 | Virtualization/Sandbox Evasion | A Cyber Embedded Technique in which an adversary checks for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. On platforms, hardware is deployed in conjunction with larger simulations. This is known as a hardware-in-the-loop (HWIL) simulation. LRUs are typically deployed in Systems Integration Laboratories (SILs) before being deployed in operational environments so that they can be rigorously tested. Adversaries will seek to not be discovered while in this environment and therefore need to know if they are in it. Typically, there is a much higher amount of scrutiny on the LRU and its interfaces while in test environments, which makes discovery more likely. |
| EST000131 | Application Deployment Software | A Cyber Embedded Technique in which an adversary deploys malicious software to systems within a network. This can be accomplished through various means within the platform, governed by what the platform requires to obtain its software in the first place. ARINC 615/ARINC 615A, Ethernet or various other serial data bus loading protocols may be used to move software from one LRU to another. Additionally, this can be done via GSE or within the body of the platform. |
| EST000132 | Exploitation of Remote Services | A Cyber Embedded Technique in which an adversary exploits a software vulnerability by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. Adversaries will seek to move from sub-system to sub-system or platform to platform using these remote services/systems. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Primary bus interface nodes will likely be the prime target for adversaries, but some impact may be possible without infecting these critical devices. This is the same concept as targeting the primary router in classical enterprise ecosystems if the router also controlled the HVAC and power for the target network. Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well. |
| EST000133 | Pass the Key | A Cyber Embedded Technique in which an adversary seeks to laterally move through remote services that are authenticated in some way. Such authentication is usually established by managing and loading cryptographic keys into a device at the beginning of operational use, typically with a Secure Key Loader (SKL). Pass the Key, similar to Enterprise’s Pass the Ticket, allows software to communicate over secure data channels. |
| EST000134 | Remote File Copy | A Cyber Embedded Technique in which an adversary copies files from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network. On embedded systems this will be accomplished by the various data loading protocols that accompany normal serial bus usage. |
| EST000135 | Remote Services | A Cyber Embedded Technique in which an adversary uses Valid Accounts to log into a service specifically designed to accept remote connections. Various standards exist for remote services on platforms such as Aircraft Communication Addressing and Reporting System (ACARS). Other platforms make use of traditional Ethernet based tools. This also applies to various data links. The adversary may then perform actions as the logged-on user. |
| EST000136 | Pivot via Removable Media | A Cyber Embedded Technique in which an adversary moves onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. Many platforms use removable media to serve as the central repository for Operating System/Applications/Data. Adversaries will seek to disguise their payload as part of this data load. Depending on the nature of the OS/Application/Data Load this may enable an adversary to obtain persistent access. If an adversary is able to infect the removable media used to operate the platform they most likely have control over enabling technology present on that platform. |
| EST000137 | Taint Shared Content | A Cyber Embedded Technique in which an adversary uses tainted shared content to move laterally. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Many platforms use common software to modify, manage and deploy various shared content throughout the platform. |
| EST000138 | Third-Party Software | A Cyber Embedded Technique in which an adversary exploits third-party applications and software deployment systems that may be in use in the network environment. If an adversary gains access to these systems, then they may be able to execute code. Due to the nature of development, many platforms utilize common open source tools and applications to remain agile and move through development quickly. The Boost C++ library and OpenSSL are good examples of third-party software typically loaded onto platforms. Additionally, many original equipment manufacturers (OEMs) use software that is utilized to develop more than one sub-system. These shared tools may be left on production devices and re-used by adversaries to perform various operations that would be considered normal operation under the control of an OEM. Data loading operations are also areas for concern in this regard. The applications that load software onto embedded devices are typically used across the platform environment and can be shared between platforms. This scope of access makes them high priority targets for adversaries seeking to have a wide range of targets. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose. |
| EST000139 | Default Credentials | A Cyber Embedded Technique in which an adversary leverages manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled. |
| EST000140 | System Interface Traversal via Serial Interfaces | A Cyber Embedded Technique in which an adversary moves laterally where connectivity has already been established. Most serial interfaces have an accompanying data load protocol that can be utilized to pivot within a sub-system or through adjacent sub-systems. Examples include, but are not limited to, ARINC 615/615A and CAN; RS-232, RS-422 and RS-485 may also be used. If physical access can be established, there are other serial interfaces that can be used once a connection between different SRUs has been established. |
| EST000141 | System Interface Traversal via RF | A Cyber Embedded Technique in which an adversary moves laterally where connectivity has already been established. Some wireless communications used for operational data can also be used to transfer files as well. Additionally, problems in the analog decoding process can have unintended consequences within the target LRU. Lateral movement can occur bidirectionally platform to platform, platform to ground/sea and platform to space. It is important to not be blinded by what the system was designed to accomplish and focus on what the system is capable of. |
| EST000142 | Pivot Through Input Interface Device | A Cyber Embedded Technique in which an adversary targets high value devices that have operational control over the platform’s systems and sub-systems. This allows an adversary to utilize the device’s intended operation in a malicious manner. A Multi Control Display Unit (MCDU) is an example of an interface device that can be pivoted through; another would be the device that controls the data load operation on the platform, which is typically operated during pre-flight. |
| EST000143 | Out of Band Communication | A Cyber Embedded Technique in which an adversary communicates with other LRUs / sub-systems in ways that the physical cabling/waveform can support. These communications would require that the other side of the communication can be interfaced with correctly at the target. Examples include sending a 1 MHz Manchester-encoded signal over an IEEE 1394b connection or using Orthogonal Frequency Domain Multiplexing (OFDM) to layer signals on top of each other. |
| EST000144 | Maintenance Action Transversal | A Cyber Embedded Technique in which malware spreads to other systems when a compromised component (e.g., a Line Replaceable Unit (LRU), maintenance device, subsystem, or other removable part) is moved between platforms during maintenance activities. This occurs because these components are often transferred between systems without proper sanitization, allowing malware to persist and infect new hosts. Platforms are complex systems composed of numerous interconnected devices. Maintenance procedures, such as component swapping, cannibalization, or replacement, can inadvertently propagate malware across the fleet. The adversary exploits these maintenance actions to establish a foothold on multiple systems, even without directly targeting each system individually. The specific methods of propagation may vary depending on the type of component, but the underlying principle remains the same: the transfer of a compromised component without proper sanitization leads to malware infection on the new host. |
| EST000145 | Audio Capture | A Cyber Embedded Technique in which an adversary leverages a platform’s peripheral devices or applications to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later. On PIT systems the majority of intra-platform and inter-platform communications rely on the interconnection system that enables communications. Adversaries will seek to collect intelligence from this sub-system. |
| EST000146 | Automated Collection | A Cyber Embedded Technique in which an adversary exploits a platform’s ability to automate the collection of certain data to provide to maintenance or OEMs for troubleshooting purposes. Adversaries will seek to live off the land and utilize the features of platforms to enable their data collection goals. This may involve making use of the various sensors on an aircraft, or maintenance logs. |
| EST000147 | Data from Local File System | A Cyber Embedded Technique in which an adversary searches the file system on a compromised embedded system to identify and extract files of interest. This involves using system utilities or custom tools to enumerate directories, identify files based on name, type, or content, and then copy those files to a staging area for later exfiltration. Due to hardware and bandwidth limitations in many embedded systems, adversaries typically focus on collecting specific configuration files, logs, or other data that provide valuable insights into the system's operation or security posture. The adversary may use knowledge of the device's file system structure and naming conventions to efficiently locate the desired files. Previously named: Data from Local System |
| EST000148 | Point and Tag Identification | A Cyber Embedded Technique in which an adversary collects point and tag values to gain a more comprehensive understanding of the application's process environment. Points may be values such as inputs, memory locations, outputs or other process-specific variables. Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation. |
| EST000149 | Data from Removable Media | A Cyber Embedded Technique in which an adversary collects sensitive data from removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Adversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media. |
| EST000150 | Data Staged | A Cyber Embedded Technique in which an adversary stages collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. |
| EST000151 | Collection Input Capture | A Cyber Embedded Technique in which an adversary captures user input to obtain credentials for Valid Accounts and to gather information for Collection. Methods include MCDU capture, keylogging and user input field interception. |
| EST000152 | Screen Capture | A Cyber Embedded Technique in which an adversary captures the desktop screen to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Adversaries will also attempt to gather intelligence by capturing common HUDs and platform screens. The information given to operators is real time or close to real time and typically shows the region’s threats. |
| EST000153 | Video Capture | A Cyber Embedded Technique in which an adversary leverages a platform’s built-in integrated cameras. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. |
| EST000154 | Access Stored Application Data | A Cyber Embedded Technique in which an adversary accesses and collects application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail. This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory). |
| EST000155 | Capture Camera | A Cyber Embedded Technique in which an adversary utilizes the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the android.permission.CAMERA permission to access the camera. In iOS, applications must include the NSCameraUsageDescription key in the Info.plist file and must request access to the camera at runtime. |
| EST000156 | Network Information Discovery | A Cyber Embedded Technique in which an adversary uses device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth. |
| EST000157 | Collect IP Network Traffic | A Cyber Embedded Technique in which an adversary captures IP-based network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same. An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection through exploiting a vulnerability in the device's VPN client functionality or by manipulating the device's proxy settings through exploiting a configuration flaw. For example, researchers have demonstrated the ability to redirect network traffic by installing a malicious iOS Configuration Profile through exploiting a loophole in the profile installation process. If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture. However, even encrypted traffic can reveal valuable information about the device's communication patterns and destinations. Previously named: Network Traffic Capture |
| EST000158 | Detect Operating Mode | A Cyber Embedded Technique in which an adversary gathers information about the current operating state of the platform. Understanding the environment both at the system / sub-system layer as well as the platform layer is pivotal to understanding the timing on payload execution. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000159 | Detect Program State | A Cyber Embedded Technique in which an adversary gathers information about the current program state of the platform. Understanding the environment at both the sub-system and sub-sub-system layers is central to this. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000160 | Program Upload | A Cyber Embedded Technique in which an adversary uploads a program from an embedded system to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on an embedded system. This software can be used to upload the target program to a workstation, jump box, or an interfacing device. |
| EST000161 | Monitor Process State | A Cyber Embedded Technique in which an adversary gathers information about the current operating state of the platform. Understanding the environment both at the system / sub-system layer as well as the platform layer is pivotal to understanding the timing on payload execution. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000162 | I/O Image | A Cyber Embedded Technique in which an adversary captures process image values related to the inputs and outputs of an embedded system. Within an embedded system input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O. |
| EST000163 | Location Identification | A Cyber Embedded Technique in which an adversary performs location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary's attempt to attack and cause impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location when specific geographic identifiers cannot be determined from the system. |
| EST000164 | Collect Serial Bus Information | A Cyber Embedded Technique in which an adversary captures data transmitted on internal serial buses (e.g., CAN, I2C, SPI) with the specific goal of gathering sensitive or unusual information, such as Position, Navigation, and Timing (PNT) data, flight information, or other operational parameters. This information may be used to understand the platform's operation, identify vulnerabilities, or plan further attacks. The adversary analyzes the serial bus traffic to identify and extract these specific data elements. This technique differs from EST000157 Collect IP Network Traffic in that it focuses on capturing data transmitted on internal serial buses within the embedded system, rather than capturing IP-based network traffic to and from the device. While "Collect IP Network Traffic" targets communications external to the device or between applications using IP protocols, "Collect Serial Bus Information" focuses on the low-level communication between hardware components within the device itself. The data formats, protocols, and access methods are fundamentally different between these two techniques. |
| EST000165 | Intercept Sensor Data Prior to Processing | A Cyber Embedded Technique in which an adversary intercepts raw sensor data before it is processed by the embedded system. This involves capturing the analog or digital signals directly from the sensor before they are converted, filtered, or otherwise processed. This technique can be applied to various sensor types, including Radio Frequency (RF) receivers, Electro-Optical (EO) sensors, sonar systems, magnetometers, and other data inputs. Adversaries may seek to capture this raw data to compare it against processed data, analyze the sensor's characteristics, or gain insights into the system's operational environment. This information can improve intelligence concerning sensor effectiveness, system sensitivity, and other critical parameters that may be crucial in real-time operations. Previously named: Capture RF from Source Before Processing |
| EST000166 | Communication Through Removable Media | A Cyber Embedded Technique in which an adversary performs command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that a target system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed to and/or from the disconnected system to the target system to which the adversary has direct access. |
| EST000167 | C2 Connection Proxy | A Cyber Embedded Technique in which an adversary uses a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. An adversary may develop a tool to utilize an LRU which has multiple embedded peripheral interfaces, both internal (PCI/VME) and external (serial buses such as ARINC 429, and RF interfaces), to pivot through and/or redirect traffic through the other interfaces to establish multiple access points into the embedded system. Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. |
| EST000168 | Custom Command and Control Protocol | A Cyber Embedded Technique in which an adversary communicates using a custom command and control protocol instead of encapsulating commands and data in an existing protocol. Implementations include mimicking well-known protocols or developing custom protocols and/or data streams (including raw sockets) on top of fundamental protocols provided by the network stack. |
| EST000169 | Custom Cryptographic Protocol | A Cyber Embedded Technique in which an adversary uses a custom cryptographic protocol or algorithm to hide command and control traffic, or utilizes a standard cryptographic protocol where the serial bus specification does not call for any encryption. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext. Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used. Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. Due to limited bit-space in serial networks it is likely that Format Preserving Encryption (FPE) will be used, which makes it easier for a defender to detect because of chosen-plaintext attacks. |
| EST000170 | Data Encoding | A Cyber Embedded Technique in which an adversary encodes data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. |
| EST000171 | Data Obfuscation | A Cyber Embedded Technique in which an adversary obfuscates command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. |
| EST000172 | C2 Fallback Channels | A Cyber Embedded Technique in which an adversary uses a fallback or alternate communication channel if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. |
| EST000173 | Multi-Stage Command and Control Channels | A Cyber Embedded Technique in which an adversary uses multiple available RF channels to create multiple stages for command and control on a system. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. An example of this would be utilizing the civil ACARS network, which has L-band (Inmarsat and Iridium), VHF (VDLM2 and POA), and HF channels that all route through the same Communications Management Unit (CMU) on an aircraft. |
| EST000174 | Multiband Communication | A Cyber Embedded Technique in which an adversary uses multiple available RF channels for command and control on an embedded system. An example of this would be utilizing the civil ACARS network, which has L-band (Inmarsat and Iridium), VHF (VDLM2 and POA), and HF channels that all route through the same Communications Management Unit (CMU) on an aircraft. |
| EST000175 | Serial Port Knocking | A Cyber Embedded Technique in which an adversary applies the concept of TCP/IP port knocking, in a similar manner, to an embedded serial interface. An adversary sends a command and/or exploit to an existing open ‘port’ (i.e., a label on ARINC 429) in order to open a new communication channel on another port, to avoid detection by serial bus monitors and/or whitelisting applications and to be used for persistent command and control. |
| EST000176 | Standard Non-Application Layer Protocol | A Cyber Embedded Technique in which an adversary communicates using a non-application layer protocol for command and control of an implant or other compromised LRU. An example would be an adversary causing an external effect on a subsystem that causes an error to be sent out on the serial bus. The implant receives the error, which is largely ignored by the rest of the LRUs, but the implant is activated and continues to communicate through error messages as they are triggered. |
| EST000177 | Data Compressed | A Cyber Embedded Technique in which an adversary compresses data that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib. |
| EST000178 | Data Encrypted | A Cyber Embedded Technique in which an adversary encrypts data before it is exfiltrated, to hide the information being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol. |
| EST000179 | Data Transfer Size Limits | A Cyber Embedded Technique in which an adversary exfiltrates data in fixed size chunks instead of whole files, or limits packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. |
| EST000180 | Exfiltration Over Alternative Protocol | A Cyber Embedded Technique in which an adversary leverages various operating system utilities to exfiltrate data over an alternative protocol. Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage. |
| EST000181 | Exfiltration Over Command and Control Channel | A Cyber Embedded Technique in which an adversary exfiltrates data over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications. |
| EST000182 | Exfiltration Over Other Network Medium | A Cyber Embedded Technique in which an adversary exfiltrates data over a different network medium than the C2 channel. The exfiltration may occur over a Wi-Fi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. |
| EST000183 | Exfiltration Over Physical Medium | A Cyber Embedded Technique in which an adversary exfiltrates data via a physical medium or removable device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage (PCMCIA card, SD card, etc.) and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems. |
| EST000184 | Scheduled Transfer | A Cyber Embedded Technique in which an adversary exfiltrates data at certain times of the day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol. |
| EST000185 | Multi-Stage Exfiltration Channels | A Cyber Embedded Technique in which an adversary uses multiple channels in a similar manner to Exfiltration Over Other Network Medium in conjunction with a procedural TTP to mask exfiltration. For example, an adversary may exfiltrate every other bit over different channels to obfuscate what is being exfiltrated, or exfiltrate half the data on one channel and then switch channels mid-exfiltration to make it appear to have stopped. |
| EST000186 | Exfiltration Fallback Channels | A Cyber Embedded Technique in which an adversary uses multiple channels in a similar manner to Exfiltration Over Other Network Medium in conjunction with a procedural TTP as a fallback channel. This would likely occur in the event the primary channel fails. |
| EST000187 | Exfiltration via Maintenance Channels | A Cyber Embedded Technique in which an adversary exfiltrates sensitive data from a Line Replaceable Unit (LRU) by exploiting legitimate maintenance interfaces or functionalities. This may involve leveraging undocumented commands, debug ports, diagnostic routines, or update mechanisms intended for system maintenance or troubleshooting. The adversary uses these channels to extract data specific to the compromised LRU or data that the LRU processes from other systems. This technique can be used to bypass security controls, exfiltrate sensitive information, or gain unauthorized access to connected systems. The adversary may exploit vulnerabilities in the implementation of these maintenance channels or abuse intended functionalities for malicious purposes. Previously named: Debug Maintenance Channels |
| EST000188 | Activate Firmware Update Mode | A Cyber Embedded Technique in which an adversary activates firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. Also known as maintenance mode or an OEM debug mode. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities. |
| EST000190 | Alarm Suppression | A Cyber Embedded Technique in which an adversary targets protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption/degradation of the alarm system does not imply the disruption/degradation of the reporting system as a whole. The adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code. |
| EST000191 | Block Command Message | A Cyber Embedded Technique in which an adversary blocks a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. |
| EST000192 | Block Reporting Message | A Cyber Embedded Technique in which an adversary blocks or prevents a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. |
| EST000193 | Data Manipulation | A Cyber Embedded Technique in which an adversary modifies or removes data within an embedded system to achieve various objectives, such as disrupting system functionality, evading detection, or gaining unauthorized control. This can involve manipulating configuration files, system logs, sensor data, or control parameters. Specific examples include: -Manipulating Electrical Signals: Altering electrical signals to disrupt system operation or cause physical damage. (Previously EST000216) -Manipulating Gas Systems: Modifying gas flow rates, pressures, or compositions to disable safety mechanisms or cause malfunctions. (Previously EST000217) -Manipulating Fluid Systems: Altering fluid flow rates, pressures, or compositions to disrupt cooling systems or cause damage to mechanical components. (Previously EST000218) The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed or modified over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. Data removal may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also remove data backups that are vital to recovery after an incident. |
| EST000194 | Denial of Service | A Cyber Embedded Technique in which an adversary performs a Denial-of-Service (DoS) attack to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of network traffic in a short period of time and sending the target device traffic it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive network traffic and may not perform expected response functions in reaction to other events in the environment. Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. |
| EST000195 | Device Restart/Shutdown | A Cyber Embedded Technique in which an adversary restarts or shuts down a device, or multiple devices, in the platform to disrupt and potentially cause adverse effects on the processes it controls. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include network protocol usage, CLIs, and interactive device web interfaces, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing, firmware loading, debug mode or maintenance mode. Unexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take effect. |
| EST000196 | Manipulate Instrumentation and/or Controls | A Cyber Embedded Technique in which an adversary targets the human-to-system interface to inhibit response. In platforms that require human intervention it is possible to simply stop the alarm from displaying to the operator or stop the operator from interacting with the platform. This will typically involve inhibiting the audio platform warning system and any form of display from which operators of the platform obtain information visually. Adversaries may also seek to inform the operator that something has occurred when in reality it has not. Adversaries may also seek to stop operators from interacting with the platform by interfering with the operator’s ability to control the platform. This may involve disabling buttons, removing or blocking messages sent from the indicator control system, or other methods. |
| EST000197 | Modify Alarm Settings | A Cyber Embedded Technique in which an adversary modifies alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. By modifying the sensing parameters that the alarm system uses to trigger, adversaries are able to control when the alarm triggers. |
| EST000198 | Inhibit Control Function | A Cyber Embedded Technique in which an adversary places malicious code in a system to cause the system to malfunction by modifying its control logic. In both cases of responding to and modifying process control, adversaries may seek to control the process that a platform undergoes by controlling the logic that systems or devices use to accomplish their goals. Relating to alarm suppression/response: adversaries may seek to control the response to an alarm by modifying the device's reaction to certain commands. This may include disregarding operator commands. |
| EST000199 | Function Inhibiting Program Download | A Cyber Embedded Technique in which an adversary performs a program download to load malicious or unintended program logic on a device to disrupt response functions. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly. |
| EST000200 | Inhibiting Rootkit | A Cyber Embedded Technique in which an adversary uses rootkits to inhibit system response functions. Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. Rootkits have been seen for Windows, Linux, Mac OS X systems and shown to work on VXWorks systems and may be possible on other common embedded operating systems. |
| EST000201 | Inhibiting System Firmware | A Cyber Embedded Technique in which an adversary utilizes the BIOS (Basic Input/Output System) or similar capabilities as a way to interject executable code prior to operating system boot. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. |
| EST000202 | Inhibiting via Operating Mode Changes | A Cyber Embedded Technique in which an adversary places controllers into an alternate mode of operation to enable configuration setting changes to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause an impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses. |
| EST000203 | Deprecated | This technique was consolidated between the ESTM 1.0 and ESTM 2.1 releases and inadvertently created a duplication with EST000196, Manipulate Instrumentation and/or Controls. |
| EST000204 | Impair Process via Modified System Tasking | A Cyber Embedded Technique in which an adversary modifies the tasking of an embedded system to impair process controls. This can allow an adversary to manipulate the execution flow and behavior of an embedded system. On platforms this applies to anything that controls physical systems, e.g. landing gear on an aircraft no longer affecting the pilot’s capability to fire munitions. An adversary may modify these associations or create new ones to manipulate the execution flow of an embedded system. Modification of embedded system tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. Tasks have properties, such as interval, frequency and priority, to meet the requirements of program execution. Some embedded system vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. |
| EST000205 | Impairing Masquerade | A Cyber Embedded Technique in which an adversary masquerades via at least one means to appear legitimate. Any manipulation or abuse for the sake of appearing as legitimate processes. For example, additional spoofed configuration files or hardware man-in-the-middle attacks targeting discrete lines. On platforms this applies to anything that controls physical systems, e.g. landing gear on an aircraft no longer affecting the pilot’s capability to operate aircraft functions. |
| EST000206 | Process Masquerading | A Cyber Embedded Technique in which an adversary masquerades as a legitimate executable to impair a software process. Within an LRU, masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. On platforms this applies to anything that controls physical systems, e.g. landing gear on an aircraft no longer affecting the pilot’s capability to fire munitions. |
| EST000207 | Impair Processes via Logical Masquerading | A Cyber Embedded Technique in which an adversary masquerades as legitimate data processing to impair physical processes. For example, some serial buses do not have authentication built into the bus protocol. Some serial protocols allow any device to communicate onto the bus at any point in time. Additionally, it may be possible to target specific algorithms contained in device or application drivers. |
| EST000208 | Impair Control Logic | A Cyber Embedded Technique in which an adversary places malicious code in a system to cause the system to malfunction by modifying its control logic. In both cases of responding and modifying process control adversaries may seek to control the process that a platform undergoes by controlling the logic that systems or devices use to accomplish their goals. Relating to process control: adversaries may seek to control the process so that physical actions do not occur in the order that was intended by system designers. This modification of logic can occur in any system that uses a conditional statement followed by the execution of code that controls something in the subsystem or at the platform level. |
| EST000209 | Modify Parameter | A Cyber Embedded Technique in which an adversary modifies parameters used to instruct platform control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a platform system device dictating motor processes may take a parameter defining the total number of seconds to run the motor or how far to move the aileron. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. |
| EST000210 | Malicious Firmware Implant | A Cyber Embedded Technique that results in persistent and evasive malicious behavior on a compromised system, achieved through the execution of adversary code outside of the operating system and main system in firmware or BIOS. This technique manifests as a range of system anomalies and unauthorized activities that are difficult to detect and remove using traditional software-based methods. The system operator may observe: -Persistent System Compromise: Despite reboots, hard drive reimaging, or other standard recovery procedures, the system remains compromised. -Evasion of Security Controls: Traditional host-based security software and integrity checks are unable to detect or prevent the malicious activity. -Unexplained Network Activity: The system may exhibit unusual network communications, potentially exfiltrating data or participating in botnet activities. -Unexpected System Failures: The system may experience intermittent or unexplained failures, such as the Ethernet card becoming unresponsive or other hardware components malfunctioning. -Unauthorized Access: The system may be used to gain unauthorized access to other systems or resources on the network. This technique often leverages vulnerabilities in low-level system components, such as the Ethernet card, to establish a persistent foothold. The specific methods used to implant the malicious firmware are not the focus, but rather the observable impacts on the system. This technique differs from other impact techniques in its reliance on malicious firmware to achieve persistent and evasive effects. |
| EST000211 | Process Impairing Program Download | A Cyber Embedded Technique in which an adversary performs a program download to load malicious or unintended program logic on a device to disrupt process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes. |
| EST000212 | Rogue Master Device | A Cyber Embedded Technique in which an adversary establishes a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. |
| EST000213 | Service Stop | A Cyber Embedded Technique in which an adversary stops or disables services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment; for example, stopping the fire control system's monitoring function. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. |
| EST000214 | Impair Process via Spoofed Reporting Message | A Cyber Embedded Technique in which an adversary spoofs reporting messages in control systems environments to impair process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control. If an adversary has the ability to Spoof Reporting Messages, then they can impact the network in many ways. The adversary can Spoof Reporting Messages that state that the device is in normal working condition, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors were occurring, to distract them from the actual source of the problem. |
| EST000215 | Unauthorized Command Message | A Cyber Embedded Technique in which an adversary sends unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an impact. For example, an adversary may command the engines of an aircraft to power down mid-flight. These are legitimate commands used for adversarial gain. |