Discovery

Techniques

ID  Name / Description

EST000118  Account Discovery
A Cyber Embedded Technique in which an adversary acquires a listing of local system or domain accounts.

EST000119  File and Directory Discovery
A Cyber Embedded Technique in which an adversary enumerates files and directories or may search in specific locations of a host or network share for certain information within a file system.

Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

EST000120  Network Service Scanning
A Cyber Embedded Technique in which an adversary acquires a listing of LRUs and/or services running on remote hosts, including those that may be vulnerable to remote software exploitation.

Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. On serial buses the equivalent of a network scan is enumerating what is present on the bus: on an ARINC 429 pair this is the set of labels being transmitted; on FireWire it is the device equipment IDs, etc.

EST000121  Network Sniffing
A Cyber Embedded Technique in which an adversary places a network interface into promiscuous mode to passively access data in transit over the network or use span ports to capture a larger amount of data.

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. What can be captured varies drastically between serial networks such as ARINC 429 and AS5643. On ARINC 429 all links are point to point, so a compromised device can only see traffic addressed specifically to it. On AS5643 a device may be able to see all traffic destined for itself and for any immediate peer devices it is connected to.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.

EST000122  Internal Peripheral Device Discovery
A Cyber Embedded Technique in which an adversary gathers detailed information about internal peripheral devices and components directly connected to an embedded system by passively observing the system's internal state through analysis of existing system resources.

This technique focuses on discovering hardware configurations that are not typically exposed through network interfaces. The adversary leverages internal system resources, such as device drivers, system memory, pre-existing data in hardware registers, and debugging interfaces used for introspection (e.g., JTAG, SWD), to identify and characterize the internal hardware architecture. This involves analyzing data already present within these resources, rather than actively querying the peripherals themselves. Information gathered may include:

- Hardware List
- Digital Signal Processor (DSP) Details
- Memory Architecture
- Internal Bus Structure
- Memory Mapped I/O (MMIO) Port and Direct Memory Access (DMA) Configurations
- Memory Map

This information can then be used to identify vulnerabilities, develop targeted exploits, or map the system's attack surface.

This technique differs from Network Service Scanning (EST000120) in that it relies on passive internal reconnaissance methods to gather information about the system's hardware, rather than probing network services or directly interacting with the peripherals.

EST000123  Process Discovery
A Cyber Embedded Technique in which an adversary acquires information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may also attempt to find which processes are currently running or were recently executed in order to determine the context in which the LRU is being run (operationally, during repair, in maintenance mode, etc.).

EST000124  Remote System Discovery
A Cyber Embedded Technique in which an adversary acquires a listing of other systems that interact with the target platform.

This may be wired or wireless communication, or it may be through sneakernet. The wired communications may consist of typical IP networks or, more often, serial networks including ARINC 429, AS5643 or CAN.

On platforms this includes an adversary discovering what other subsystems exist on the platform by utilizing the network or some other means while already on the platform. This will be necessary if the adversary seeks to pivot to those systems but does not have full documentation of the platform.

EST000125  Security Software Discovery
A Cyber Embedded Technique in which an adversary acquires a listing of security software, configurations, defensive tools, and sensors that are installed on the system.

This may include things such as local firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

EST000126  Software Discovery
A Cyber Embedded Technique in which an adversary acquires a listing of non-security related software that is installed on the system.

Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Due to the nature of moving platforms it is of even greater importance for an adversary to leverage existing tooling on an LRU in order to accomplish objectives. Understanding which tools are already installed on a target system means that the adversary does not need to move that tool onto the target.

EST000127  System Information Discovery
A Cyber Embedded Technique in which an adversary acquires detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, architecture, the LRU's external interfaces, platform mode of operation, where the platform is physically located, which datalinks are enabled and in use, and how the system deviates from its baseline.

EST000128  System Owner/User Discovery
A Cyber Embedded Technique in which an adversary seeks to understand the target operating system’s user structure. On embedded systems this can be wildly different from system to system.

They will commonly use the same type of tools as on Windows, Linux and macOS, but ones applicable to the system currently being targeted. On VxWorks, for example, they may use the agentModeShow() routine or the windsh command line tool. Every proprietary operating system will most likely have some form of these commands, but given the breadth of the embedded technology landscape it is impossible to enumerate those tools here. It is therefore more useful to understand what the adversary is trying to accomplish: adversaries need to know which user they are currently logged in as, what permissions that user has, how to escalate privileges, and what those escalated privileges allow them to accomplish.

EST000129  System Time Discovery
A Cyber Embedded Technique in which an adversary gathers the system time and/or time zone from a local or remote system/network.

On platforms which have GPS enabled this is usually accomplished by learning the information from the time service, whatever that may be on the platform. It can also be accomplished by direct memory reads or by reading the time from the network.

EST000130  Virtualization/Sandbox Evasion
A Cyber Embedded Technique in which an adversary checks for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities.

If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

On platforms, hardware is deployed in conjunction with larger simulations. This is known as a hardware-in-the-loop (HWIL) simulation. LRUs are typically deployed in Systems Integration Laboratories (SILs) before being deployed in operational environments so that they can be rigorously tested. Adversaries will seek to avoid discovery while in this environment and therefore need to know whether they are in it. Typically there is a much higher degree of scrutiny on the LRU and its interfaces while in test environments, which makes the likelihood of being discovered higher.