Embedded Systems Threat Matrix™
While drawing inspiration from the MITRE ATT&CK framework, the ESTM includes behaviors not yet widely observed against real systems, including known exploitable weaknesses, proofs-of-concept, and theoretical techniques. This forward-looking approach helps organizations anticipate and prepare for future threats. The ESTM’s standardized terminology and framework break down communication barriers between researchers, vendors, and security teams, enabling a more unified approach to embedded system security. Although the ESTM doesn’t currently offer specific mitigation guidance, it provides a common language and framework for cybersecurity professionals to analyze attacks, understand potential vulnerabilities, and collaborate on more effective defense strategies.
You can download the latest version here.
| Reconnaissance | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Active Scanning | Drive-By Compromise | Command-Line Interface | Account Manipulation | Privilege Escalation via Direct Connect System | Binary Padding | Brute Force | Account Discovery | Application Deployment Software | Audio Capture | Communication Through Removable Media | Data Compressed | Activate Firmware Update Mode |
| | Hardware Additions | Compiled HTML File | Bootkit | Hidden Menu | Code Signing | Credential Dumping | File and Directory Discovery | Exploitation of Remote Services | Automated Collection | C2 Connection Proxy | Data Encrypted | Alarm Suppression |
| | Access via Removable Media | Graphical User Interface | Persistent Firmware | Reserve Software Options | Compile After Delivery | Credentials in Files | Network Service Scanning | Pass the Key | Data from Local System | Custom Command and Control Protocol | Data Transfer Size Limits | Block Command Message |
| | Supply Chain Compromise | Scheduled Task | Create Account | Configuration Changes | Component Firmware | Exploitation for Credential Access | Discovery Network Sniffing | Remote File Copy | Point and Tag Identification | Custom Cryptographic Protocol | Exfiltration Over Alternative Protocol | Block Reporting Message |
| | Trusted Relationship | Service Execution | External Remote Services | Differential Software Loading | Evasive Connection Proxy | Credential Access Hooking | Internal Peripheral Device Discovery | Remote Services | Data from Removable Media | Data Encoding | Exfiltration Over Command and Control Channel | Data Manipulation |
| | Access via Valid Accounts | Execute via Trusted Developer Utilities | File System Permissions Weakness | Side Channel Attack | Deobfuscate Files or Information | Credential Access Input Capture | Process Discovery | Pivot via Removable Media | Data Staged | Data Obfuscation | Exfiltration Over Other Network Medium | Denial of Service |
| | Exploit via Radio Interfaces | Change Operating Mode | Hidden Files and Directories | Fault Injection | Disabling Security Tools | Credential Access Network Sniffing | Remote System Discovery | Taint Shared Content | Collection Input Capture | C2 Fallback Channels | Exfiltration Over Physical Medium | Device Restart/Shutdown |
| | Install Insecure or Malicious Configuration | Execution Through API | Persistence Hooking | | Execution Guardrails | Private Keys | Security Software Discovery | Third-party Software | Screen Capture | Multi-Stage Command and Control Channels | Scheduled Transfer | Manipulate Instrumentation and/or Controls |
| | Maintenance or Debug Ports | Logical Man in the Middle | Hypervisor | | Exploitation for Defense Evasion | Reverse Engineering Extraction of Obfuscated Credentials | Software Discovery | Default Credentials | Video Capture | Multiband Communication | Multi-Stage Exfiltration Channels | Modify Alarm Settings |
| | Authenticated Menu Bypass | Execute via Modified System Tasking | Kernel Modules and Extensions | | File Deletion | Default Credentials from System Documentation | System Information Discovery | System Interface Traversal via Serial Interfaces | Access Stored Application Data | Serial Port Knocking | Exfiltration Fallback Channels | Inhibit Control Logic |
| | Masquerade as Legitimate Application | Improper Memory Management | Local Job Scheduling | | Indicator Blocking | | System Owner/User Discovery | System Interface Traversal via RF | Capture Camera | Standard Non-Application Layer Protocol | Exfiltration via Maintenance Channels | Function Inhibiting Program Download |
| | Engineering Workstation Compromise | Execute via Direct Connect System | Modify Existing Service | | Indicator Removal from Tools | | System Time Discovery | Pivot Through Input Interface Device | Network Information Discovery | | | Inhibiting Rootkit |
| | Internet Accessible Device | Positioning, Navigation and Timing (PNT) Geofencing | New Service | | Indicator Removal on Host | | Virtualization/Sandbox Evasion | Out of Band Communication | Collect IP Network Traffic | | | Inhibiting System Firmware |
| | Access via Direct Connect System | Embedded System State | Path Interception | | Install Root Certificate | | | Maintenance Action Transversal | Detect Operating Mode | | | Inhibiting via Operating Mode Changes |
| | Downgrade to Insecure Protocols | Non-Self Originated Sensor Signal | Port Knocking - Serial Bus | | Subsystem Masquerading | | | | Detect Program State | | | Impair Process via Modified System Tasking |
| | | Self-Originated Sensor Signal | Port Monitors - Serial Bus | | Process Masquerading | | | | Program Upload | | | Impairing Masquerade |
| | | Hardware Trojan | Redundant Access Points | | Bus Communication Masquerading | | | | Monitor Process State | | | Process Masquerading |
| | | Out-of-Band Transceiver Manipulation | Startup Items | | Obfuscated Files or Information | | | | I/O Image | | | Impair Processes via Logical Masquerading |
| | | | Evasive System Firmware | | Port Knocking | | | | Location Identification | | | Impair Control Logic |
| | | | Time Providers | | Process Hollowing | | | | Collect Serial Bus Information | | | Modify Parameter |
| | | | Persistence via Valid Accounts | | Process Injection | | | | Intercept Sensor Data Prior to Processing | | | Malicious Device Firmware |
| | | | Persistent OS Kernel or Boot Partition | | Redundant Evasive Access Points | | | | | | | Process Impairing Program Download |
| | | | Modify System Partition | | Hidden Rootkit | | | | | | | Rogue Master Device |
| | | | Modify Trusted Execution Environment | | Scripting | | | | | | | Service Stop |
| | | | Modify NVRAM Code and Configuration | | Timestomp | | | | | | | Impair Process via Spoofed Reporting Message |
| | | | Supply Chain and Third Party Library | | Evade via Trusted Developer Utilities | | | | | | | Unauthorized Command Message |
| | | | Embedded Software | | Device Lockout | | | | | | | |
| | | | Operational Data Files | | Evade Analysis Environment | | | | | | | |
| | | | | | Input Injection | | | | | | | |
| | | | | | Evasive OS Kernel or Boot Partition | | | | | | | |
| | | | | | Modify Underlying System | | | | | | | |
| | | | | | Container Breakout | | | | | | | |
| | | | | | Exploitation for Evasion | | | | | | | |
| | | | | | Impersonate Master Device | | | | | | | |
| | | | | | Spoof Reporting Message | | | | | | | |
| | | | | | Evade via Operating Mode Changes | | | | | | | |
| | | | | | Modify Checksums | | | | | | | |
| | | | | | Evade Physical Detection | | | | | | | |