Lateral Movement

Techniques

ID, Name, Description

EST000131: Application Deployment Software
A Cyber Embedded Technique in which an adversary deploys malicious software to systems within a network.

This can be accomplished through various means within the platform, governed by how the platform obtains its software in the first place. ARINC 615/ARINC 615A, Ethernet, or various other serial data bus loading protocols may be used to move software from one LRU to another. Additionally, this can be done via GSE or from within the body of the platform.
EST000132: Exploitation of Remote Services
A Cyber Embedded Technique in which an adversary exploits a software vulnerability by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.

A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. Adversaries will seek to move from sub-system to sub-system or platform to platform using these remote services/systems.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Primary bus interface nodes will likely be the prime target for adversaries, but some impact may be possible without infecting these critical devices. This is the same concept as targeting the primary router in classical enterprise ecosystems if the router also controlled the HVAC and power for the target network.

Depending on the permission level of the vulnerable remote service, an adversary may also achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation.
EST000133: Pass the Key
A Cyber Embedded Technique in which an adversary seeks to laterally move through remote services that are authenticated in some way.

This is usually accomplished by managing and loading cryptographic keys into a device at the beginning of operational use, typically by means of a Secure Key Loader (SKL). Pass the Key, similar to Enterprise's Pass the Ticket, allows software to communicate over secure data channels.
EST000134: Remote File Copy
A Cyber Embedded Technique in which an adversary copies files from one system to another to stage adversary tools or other files over the course of an operation.

Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network. On embedded systems this will be accomplished by the various data loading protocols that accompany normal serial bus usage.
EST000135: Remote Services
A Cyber Embedded Technique in which an adversary uses Valid Accounts to log into a service specifically designed to accept remote connections.

Various standards exist for remote services on platforms, such as the Aircraft Communication Addressing and Reporting System (ACARS). Other platforms make use of traditional Ethernet-based tools. This also applies to various data links. The adversary may then perform actions as the logged-on user.
EST000136: Pivot via Removable Media
A Cyber Embedded Technique in which an adversary moves onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Many platforms use removable media to serve as the central repository for Operating System/Applications/Data. Adversaries will seek to disguise their payload as part of this data load. Depending on the nature of the OS/Application/Data Load this may enable an adversary to obtain persistent access. If an adversary is able to infect the removable media used to operate the platform they most likely have control over enabling technology present on that platform.
EST000137: Taint Shared Content
A Cyber Embedded Technique in which an adversary uses tainted shared content to move laterally.

Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system.

Many platforms use common software to modify, manage and deploy various shared content throughout the platform.
EST000138: Third-party Software
A Cyber Embedded Technique in which an adversary exploits third-party applications and software deployment systems that may be in use in the network environment.

If an adversary gains access to these systems, then they may be able to execute code. Due to the nature of development, many platforms utilize common open source tools and applications to remain agile and move through development quickly. The Boost C++ libraries and OpenSSL are good examples of third-party software typically loaded onto platforms. Additionally, many original equipment manufacturers (OEMs) use software that is utilized to develop more than one sub-system. These shared tools may be left on production devices and re-used by adversaries to perform various operations that would be considered normal operation under the control of an OEM.

Data loading operations are also areas for concern in this regard. The applications that load software onto embedded devices are typically used across the platform environment and can be shared between platforms. This scope of access makes them high priority targets for adversaries seeking to have a wide range of targets.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.
EST000139: Default Credentials
A Cyber Embedded Technique in which an adversary leverages manufacturer or supplier set default credentials on control system devices.

These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.

Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
EST000140: System Interface Traversal via Serial Interfaces
A Cyber Embedded Technique in which an adversary moves laterally where connectivity has already been established.

Most serial interfaces have an accompanying data load protocol that can be utilized to pivot within a sub-system or through adjacent sub-systems. Examples include, but are not limited to, ARINC 615/615A and CAN; RS-232, RS-422 and RS-485 may also be used.

If physical access is available, other serial interfaces can be used once a connection between different SRUs has been established.
EST000141: System Interface Traversal via RF
A Cyber Embedded Technique in which an adversary moves laterally where connectivity has already been established.

Some wireless communications used for operational data can also be used to transfer files. Additionally, problems in the analog decoding process can have unintended consequences within the target LRU. Lateral movement can occur bidirectionally: platform to platform, platform to ground/sea, and platform to space. It is important not to be blinded by what the system was designed to accomplish and to focus instead on what the system is capable of.
EST000142: Pivot Through Input Interface Device
A Cyber Embedded Technique in which an adversary targets high value devices that have operational control over the platform's systems and sub-systems.

This allows an adversary to utilize the device's intended operation in a malicious manner. A Multi Control Display Unit (MCDU) is an example of an interface device that can be pivoted through; another would be the device that controls the data load operation on the platform, which is typically operated during pre-flight.
EST000143: Out of Band Communication
A Cyber Embedded Technique in which an adversary communicates with other LRUs / sub-systems in ways that the physical cabling/waveform can support.

These communications require that the other side of the communication can be interfaced with correctly at the target. Examples include sending a 1 MHz Manchester-encoded signal over an IEEE 1394b connection or using Orthogonal Frequency-Division Multiplexing (OFDM) to layer signals on top of each other.
EST000144: Maintenance Action Traversal
A Cyber Embedded Technique in which malware spreads to other systems when a compromised component (e.g., a Line Replaceable Unit (LRU), maintenance device, subsystem, or other removable part) is moved between platforms during maintenance activities.

This occurs because these components are often transferred between systems without proper sanitization, allowing malware to persist and infect new hosts. Platforms are complex systems composed of numerous interconnected devices. Maintenance procedures, such as component swapping, cannibalization, or replacement, can inadvertently propagate malware across the fleet. The adversary exploits these maintenance actions to establish a foothold on multiple systems, even without directly targeting each system individually. The specific methods of propagation may vary depending on the type of component, but the underlying principle remains the same: the transfer of a compromised component without proper sanitization leads to malware infection on the new host.