ATT&CK for ICS techniques, page 1 of 38.

The export's columns (ID, name, description, url, created, last modified, version, tactics, platforms, data sources) were interleaved and truncated during extraction; the rows below keep the fields that survive intact. Dates appear exactly as the export truncated them.

| ID | Technique | URL | Created | Last modified | Version | Tactic |
|---|---|---|---|---|---|---|
| T0800 | Activate Firmware Update Mode | https://attack.mitre.org/techniques/T0800 | 21 May 20 | 24 October | 1.0 | Inhibit Response Function |
| T0830 | Adversary-in-the-Middle | https://attack.mitre.org/techniques/T0830 | 21 May 20 | 26 Septem | 2.0 | Collection |
| T0878 | Alarm Suppression | https://attack.mitre.org/techniques/T0878 | 21 May 20 | 20 October | 1.1 | Inhibit Response Function |
| T0802 | Automated Collection | https://attack.mitre.org/techniques/T0802 | 21 May 20 | 24 October | 1.0 | Collection |
| T0803 | Block Command Message | https://attack.mitre.org/techniques/T0803 | 21 May 20 | 24 October | 1.0 | Inhibit Response Function |
| T0804 | Block Reporting Message | https://attack.mitre.org/techniques/T0804 | 21 May 20 | 19 Septem | 1.0 | Inhibit Response Function |
| T0805 | Block Serial COM | https://attack.mitre.org/techniques/T0805 | 21 May 20 | 20 October | 1.1 | Inhibit Response Function |
| T0806 | Brute Force I/O | https://attack.mitre.org/techniques/T0806 | 21 May 20 | 20 Septem | 1.0 | Impair Process Control |
| T0858 | Change Operating Mode | https://attack.mitre.org/techniques/T0858 | 21 May 20 | 24 May 20 | 1.0 | Evasion |
| T0807 | Command-Line Interface | https://attack.mitre.org/techniques/T0807 | 21 May 20 | 27 Septem | 1.1 | Execution |
| T0885 | Commonly Used Port | https://attack.mitre.org/techniques/T0885 | 21 May 20 | 27 Septem | 1.1 | Command and Control |
| T0884 | Connection Proxy | https://attack.mitre.org/techniques/T0884 | 21 May 20 | 20 October | 1.1 | Command and Control |
| T0879 | Damage to Property | https://attack.mitre.org/techniques/T0879 | 21 May 20 | 20 October | 1.0 | Impact |
| T0809 | Data Destruction | https://attack.mitre.org/techniques/T0809 | 21 May 20 | 19 Septem | 1.0 | Inhibit Response Function |
| T0811 | Data from Information Repositories | https://attack.mitre.org/techniques/T0811 | 21 May 20 | 27 Septem | 1.1 | Collection |
| T0812 | Default Credentials | https://attack.mitre.org/techniques/T0812 | 21 May 20 | 19 Septem | 1.0 | Lateral Movement |
| T0813 | Denial of Control | https://attack.mitre.org/techniques/T0813 | 21 May 20 | 20 October | 1.0 | Impact |
| T0814 | Denial of Service | https://attack.mitre.org/techniques/T0814 | 21 May 20 | 20 October | 1.0 | Inhibit Response Function |
| T0815 | Denial of View | https://attack.mitre.org/techniques/T0815 | 21 May 20 | 20 October | 1.0 | Impact |
| T0868 | Detect Operating Mode | https://attack.mitre.org/techniques/T0868 | 21 May 20 | 24 May 20 | 1.0 | Collection |
| T0816 | Device Restart/Shutdown | https://attack.mitre.org/techniques/T0816 | 21 May 20 | 26 Septem | 1.1 | Inhibit Response Function |
| T0817 | Drive-by Compromise | https://attack.mitre.org/techniques/T0817 | 21 May 20 | 20 Septem | 1.0 | Initial Access |
| T0871 | Execution through API | https://attack.mitre.org/techniques/T0871 | 21 May 20 | 27 Septem | 1.1 | Execution |
| T0819 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T0819 | 21 May 20 | 19 Septem | 1.0 | Initial Access |
| T0820 | Exploitation for Evasion | https://attack.mitre.org/techniques/T0820 | 21 May 20 | 30 Septem | 1.1 | Evasion |
| T0890 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T0890 | 13 April 20 | 27 Septem | 1.1 | Privilege Escalation |
| T0866 | Exploitation of Remote Services | https://attack.mitre.org/techniques/T0866 | 21 May 20 | 20 Septem | 1.0 | Initial Access |
| T0822 | External Remote Services | https://attack.mitre.org/techniques/T0822 | 21 May 20 | 20 October | 1.0 | Initial Access |
| T0823 | Graphical User Interface | https://attack.mitre.org/techniques/T0823 | 21 May 20 | 30 Septem | 1.1 | Execution |
| T0891 | Hardcoded Credentials | https://attack.mitre.org/techniques/T0891 | 29 Septem | 29 Septem | 1.0 | Lateral Movement |
| T0874 | Hooking | https://attack.mitre.org/techniques/T0874 | 21 May 20 | 27 Septem | 1.1 | Execution |
| T0877 | I/O Image | https://attack.mitre.org/techniques/T0877 | 21 May 20 | 27 Septem | 1.1 | Collection |
| T0872 | Indicator Removal on Host | https://attack.mitre.org/techniques/T0872 | 21 May 20 | 24 October | 1.0 | Evasion |
| T0883 | Internet Accessible Device | https://attack.mitre.org/techniques/T0883 | 21 May 20 | 19 Septem | 1.0 | Initial Access |
| T0867 | Lateral Tool Transfer | https://attack.mitre.org/techniques/T0867 | 21 May 20 | 27 Septem | 1.1 | Lateral Movement |
| T0826 | Loss of Availability | https://attack.mitre.org/techniques/T0826 | 21 May 20 | 19 Septem | 1.0 | Impact |
| T0827 | Loss of Control | https://attack.mitre.org/techniques/T0827 | 21 May 20 | 19 Septem | 1.0 | Impact |
| T0828 | Loss of Productivity and Revenue | https://attack.mitre.org/techniques/T0828 | 21 May 20 | 20 Septem | 1.0 | Impact |
| T0837 | Loss of Protection | https://attack.mitre.org/techniques/T0837 | 12 April 20 | 19 Septem | 1.0 | Impact |
| T0880 | Loss of Safety | https://attack.mitre.org/techniques/T0880 | 21 May 20 | 19 Septem | 1.0 | Impact |
| T0829 | Loss of View | https://attack.mitre.org/techniques/T0829 | 21 May 20 | 24 October | 1.0 | Impact |
| T0835 | Manipulate I/O Image | https://attack.mitre.org/techniques/T0835 | 21 May 20 | 20 October | 1.1 | Inhibit Response Function |
| T0831 | Manipulation of Control | https://attack.mitre.org/techniques/T0831 | 21 May 20 | 24 May 20 | 1.0 | Impact |
| T0832 | Manipulation of View | https://attack.mitre.org/techniques/T0832 | 21 May 20 | 20 Septem | 1.0 | Impact |
| T0849 | Masquerading | https://attack.mitre.org/techniques/T0849 | 21 May 20 | 27 Septem | 1.1 | Evasion |
| T0838 | Modify Alarm Settings | https://attack.mitre.org/techniques/T0838 | 21 May 20 | 20 October | 1.1 | Inhibit Response Function |
| T0821 | Modify Controller Tasking | https://attack.mitre.org/techniques/T0821 | 13 April 20 | 27 Septem | 1.1 | Execution |
| T0836 | Modify Parameter | https://attack.mitre.org/techniques/T0836 | 21 May 20 | 20 October | 1.1 | Impair Process Control |
| T0889 | Modify Program | https://attack.mitre.org/techniques/T0889 | 13 April 20 | 27 Septem | 1.1 | Persistence |
| T0839 | Module Firmware | https://attack.mitre.org/techniques/T0839 | 21 May 20 | 26 Septem | 1.1 | Impair Process Control |
| T0801 | Monitor Process State | https://attack.mitre.org/techniques/T0801 | 21 May 20 | 24 October | 1.0 | Collection |
| T0834 | Native API | https://attack.mitre.org/techniques/T0834 | 13 April 20 | 19 Septem | 1.0 | Execution |
| T0840 | Network Connection Enumeration | https://attack.mitre.org/techniques/T0840 | 21 May 20 | 27 Septem | 1.1 | Discovery |
| T0842 | Network Sniffing | https://attack.mitre.org/techniques/T0842 | 21 May 20 | 20 Septem | 1.0 | Discovery |
| T0861 | Point & Tag Identification | https://attack.mitre.org/techniques/T0861 | 21 May 20 | 26 Septem | 1.1 | Collection |
| T0843 | Program Download | https://attack.mitre.org/techniques/T0843 | 21 May 20 | 26 Septem | 1.1 | Lateral Movement |
| T0845 | Program Upload | https://attack.mitre.org/techniques/T0845 | 21 May 20 | 24 October | 1.0 | Collection |
| T0873 | Project File Infection | https://attack.mitre.org/techniques/T0873 | 21 May 20 | 20 Septem | 1.0 | Persistence |
| T0886 | Remote Services | https://attack.mitre.org/techniques/T0886 | 12 April 20 | 30 Septem | 1.1 | Initial Access |
| T0846 | Remote System Discovery | https://attack.mitre.org/techniques/T0846 | 21 May 20 | 30 Septem | 1.1 | Discovery |
| T0888 | Remote System Information Discovery | https://attack.mitre.org/techniques/T0888 | 13 April 20 | 26 Septem | 1.1 | Discovery |
| T0847 | Replication Through Removable Media | https://attack.mitre.org/techniques/T0847 | 21 May 20 | 20 Septem | 1.0 | Initial Access |
| T0848 | Rogue Master | https://attack.mitre.org/techniques/T0848 | 21 May 20 | 20 October | 1.1 | Initial Access |
| T0851 | Rootkit | https://attack.mitre.org/techniques/T0851 | 21 May 20 | 20 October | 1.1 | Evasion |
| T0852 | Screen Capture | https://attack.mitre.org/techniques/T0852 | 21 May 20 | 24 October | 1.0 | Collection |
| T0853 | Scripting | https://attack.mitre.org/techniques/T0853 | 21 May 20 | 20 Septem | 1.0 | Execution |
| T0881 | Service Stop | https://attack.mitre.org/techniques/T0881 | 21 May 20 | 24 October | 1.0 | Inhibit Response Function |
| T0865 | Spearphishing Attachment | https://attack.mitre.org/techniques/T0865 | 21 May 20 | 27 Septem | 1.1 | Initial Access |
| T0856 | Spoof Reporting Message | https://attack.mitre.org/techniques/T0856 | 21 May 20 | 20 October | 1.1 | Evasion |
| T0869 | Standard Application Layer Protocol | https://attack.mitre.org/techniques/T0869 | 21 May 20 | 24 October | 1.0 | Command and Control |
| T0862 | Supply Chain Compromise | https://attack.mitre.org/techniques/T0862 | 21 May 20 | 27 Septem | 1.1 | Initial Access |
| T0857 | System Firmware | https://attack.mitre.org/techniques/T0857 | 21 May 20 | 26 Septem | 1.1 | Inhibit Response Function |
| T0882 | Theft of Operational Information | https://attack.mitre.org/techniques/T0882 | 21 May 20 | 24 October | 1.0 | Impact |
| T0864 | Transient Cyber Asset | https://attack.mitre.org/techniques/T0864 | 14 October 20 | 20 October | 1.1 | Initial Access |
| T0855 | Unauthorized Command Message | https://attack.mitre.org/techniques/T0855 | 21 May 20 | 20 October | 1.1 | Impair Process Control |
| T0863 | User Execution | https://attack.mitre.org/techniques/T0863 | 21 May 20 | 27 Septem | 1.1 | Execution |
| T0859 | Valid Accounts | https://attack.mitre.org/techniques/T0859 | 21 May 20 | 27 Septem | 1.1 | Lateral Movement |
| T0860 | Wireless Compromise | https://attack.mitre.org/techniques/T0860 | 21 May 20 | 20 October | 1.1 | Initial Access |
| T0887 | Wireless Sniffing | https://attack.mitre.org/techniques/T0887 | 21 May 20 | 27 Septem | 1.1 | Collection |
Tikkanen June 2014),(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: Kyle Wilhoit),(Citation: Orkhan Mamed
icity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016),(Citation: Dragos October 2018),(Citation: Dra
,(Citation: CISA March 2010)
nology Laboratory April 2019)
n September 2009),(Citation: Keith Stouffer May 2015)
Homeland Security September 2016)

ards and Technology April 2013)

rds and Technology April 2013)

rds and Technology April 2013)

meland Security September 2016)

nology April 2013),(Citation: Keith Stouffer May 2015)


edia),(Citation: Dan Goodin March 2017),(Citation: Microsoft Security Response Center August 2017)

rity Response Center August 2017),(Citation: Keith Stouffer May 2015)


trial Control Systems March 2016),(Citation: Department of Homeland Security September 2016),(Citation: Keith Stouffer May 2015)

Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)


Technology April 2013)
Heine),(Citation: National Institute of Standards and Technology April 2013)
glinsky, Riley Griffin December 2019),(Citation: Kelly Jackson Higgins),(Citation: Marc-Etienne M.Lveill October 2017),(Citation: Catalin Cimp

Smith 2004)
(Citation: M. Rentschler and H. Heine),(Citation: National Institute of Standards and Technology April 2013)

Department of Homeland Security October 2009)


Homeland Security October 2009)
am O Murchu, Eric Chien February 2011),(Citation: Dragos October 2018),

iam O Murchu, Eric Chien February 2011),(Citation: IEC February 2019)

r May 2015),(Citation: National Institute of Standards and Technology April 2013)


nd Security September 2016),(Citation: Karen Scarfone; Paul Hoffman September 2009),(Citation: Keith Stouffer May 2015)
2016),(Citation: Brubaker-Incontroller),(Citation: Wylie-22),(Citation: IEC February 2019),(Citation: Department of Homeland Security Sept

am),(Citation: Max Heinemeyer February 2020),(Citation: Dragos December 2017),(Citation: Brubaker-Incontroller),(Citation: Wylie-22),(C
herepanov, ESET June 2017),(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016),(Citation: Dragos-Pipedrea
tation: ICS-CERT August 2018),(Citation: Wylie-22),(Citation: Aditya K Sood July 2019),(Citation: Colin Gray),(Citation: D. Parsons and D. Wy

2016),(Citation: Dragos),
tion: Anton Cherepanov, ESET June 2017),(Citation: McAfee Labs October 2019),(Citation: Department of Homeland Security September 20
May 2016),(Citation: Andy Greenburg June 2019),(Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA Octobe

tion: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: Robert Falcone, Bryan Lee May 2016),
: Robert A. Martin January 2021)
urity September 2016),(Citation: Intel),(Citation: ESET Research Whitepapers September 2018),(Citation: N/A)
uffer May 2015),(Citation: National Institute of Standards and Technology April 2013)
ecurity Agency February 2016)
Citation: Dwight Anderson 2014),(Citation: Department of Homeland Security September 2016),(Citation: Karen Scarfone; Paul Hoffman S
hoit),(Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017),
s October 2018),(Citation: Dragos December 2017),(Citation: Dragos),(Citation: Wylie-22),(Citation: Schweitzer Engineering Laboratories A
eith Stouffer May 2015)

er 2017),(Citation: Catalin Cimpanu April 2016),(Citation: Department of Homeland Security October 2009)
uffer May 2015)
ent of Homeland Security September 2016)

troller),(Citation: Wylie-22),(Citation: North America Transmission Forum December 2019)


16),(Citation: Dragos-Pipedream),(Citation: Wylie-22),(Citation: Aditya K Sood July 2019),(Citation: Colin Gray),(Citation: D. Parsons and D.
Citation: D. Parsons and D. Wylie September 2019),(Citation: Langner November 2018),(Citation: Josh Rinaldi April 2016)

meland Security September 2016)


CT OF PENNSYLVANIA October 2020),(Citation: Jeff Jones May 2018),(Citation: Eduard Kovacs March 2018),(Citation: Jacqueline O'Leary et

aren Scarfone; Paul Hoffman September 2009),(Citation: Keith Stouffer May 2015)

er Engineering Laboratories August 2015),(Citation: Microsoft August 2018),(Citation: CISA June 2013),(Citation: Microsoft May 2017),(Cita
),(Citation: D. Parsons and D. Wylie September 2019),(Citation: Langner November 2018),(Citation: Josh Rinaldi April 2016)
April 2016)

Citation: Jacqueline O'Leary et al. September 2017),

tion: Microsoft May 2017),(Citation: Keith Stouffer May 2015),(Citation: Microsoft February 2019)
aldi April 2016)
source name | source type | mapping type | target ID | target name | target type | mapping description | source ID
Oldsmar Trcampaign uses T0823 Graphical Utechnique During the C0009
Oldsmar Trcampaign uses T0831 Manipulatitechnique During the C0009
Oldsmar Trcampaign uses T0836 Modify Partechnique During the C0009
Oldsmar Trcampaign uses T0886 Remote Sertechnique During the C0009
ALLANITE group uses T0817 Drive-by C technique [ALLANITE](G1000
ALLANITE group uses T0852 Screen Captechnique [ALLANITE](G1000
ALLANITE group uses T0865 Spearphishtechnique [ALLANITE](G1000
ALLANITE group uses T0859 Valid Acco technique [ALLANITE](G1000
APT33 group uses T0852 Screen Captechnique [APT33](httG0064
APT33 group uses T0853 Scripting technique [APT33](httG0064
APT33 group uses T0865 Spearphishtechnique [APT33](httG0064
Dragonfly group uses T0817 Drive-by C technique [Dragonfly]G0035
Dragonfly group uses T0862 Supply Chatechnique [Dragonfly]G0035
Lazarus Gr group uses T0865 Spearphishtechnique [Lazarus G G0032
OilRig group uses T0817 Drive-by C technique [OilRig](ht G0049
OilRig group uses T0853 Scripting technique [OilRig](h G0049
OilRig group uses T0865 Spearphishtechnique [OilRig](ht G0049
OilRig group uses T0869 Standard Aptechnique [OilRig](h G0049
OilRig group uses T0859 Valid Acco technique [OilRig](ht G0049
Sandwormgroup uses T0803 Block Com technique In the Ukr G0034
Sandwormgroup uses T0804 Block Repotechnique In the UkraG0034
Sandwormgroup uses T0807 Command-Li technique [SandwormG0034
Sandwormgroup uses T0884 Connectiontechnique [SandwormG0034
Sandwormgroup uses T0816 Device Restechnique In the 2015G0034
Sandwormgroup uses T0819 Exploit Pubtechnique [SandwormG0034
Sandwormgroup uses T0822 External R technique In the UkraG0034
Sandwormgroup uses T0823 Graphical Utechnique In the UkraG0034
Sandwormgroup uses T0867 Lateral Tootechnique [SandwormG0034
Sandwormgroup uses T0849 Masqueradtechnique [SandwormG0034
Sandwormgroup uses T0886 Remote Sertechnique [SandwormG0034
Sandwormgroup uses T0853 Scripting technique [SandwormG0034
Sandwormgroup uses T0865 Spearphishtechnique In the Ukr G0034
Sandwormgroup uses T0857 System Fi technique In the Ukr G0034
Sandwormgroup uses T0855 Unauthori technique In the UkraG0034
Sandwormgroup uses T0859 Valid Acco technique [SandwormG0034
TEMP.Velegroup uses T0817 Drive-by C technique [TEMP.Veles G0088
TEMP.Velegroup uses T0886 Remote Sertechnique [TEMP.VeleG0088
TEMP.Velegroup uses T0862 Supply Chatechnique [TEMP.Veles G0088
TEMP.Velegroup uses T0859 Valid Acco technique [TEMP.Vele G0088
[ACAD/Medre.A](https://attack.mitre.org/software/S1000) co
ACAD/Medr software uses T0811 Data from technique [ACAD/Medre.A](https://attack.mitre.org/software/S1000)
S1000 ca
ACAD/Medr software uses T0882 Theft of Optechnique S1000
Backdoor.Osoftware uses T0802 Automatedtechnique Using OPC,S0093
Backdoor.Osoftware uses T0814 Denial of Stechnique The [Backdo S0093
Backdoor.Osoftware uses T0861 Point & Tagtechnique The [Backdo S0093
Backdoor.Osoftware uses T0846 Remote Systechnique The [Backdo S0093
Backdoor.Osoftware uses T0888 Remote Systechnique The [Backdo S0093
Backdoor.Osoftware uses T0865 Spearphishtechnique The [Backdo S0093
Backdoor.Osoftware uses T0862 Supply Chatechnique The [Backdo S0093
Backdoor.Osoftware uses T0863 User Executechnique Execution oS0093
Bad Rabbitsoftware uses T0817 Drive-by C technique [Bad RabbitS0606
Bad Rabbitsoftware uses T0866 Exploitatiotechnique [Bad RabbitS0606
Bad Rabbitsoftware uses T0867 Lateral Tootechnique [Bad RabbitS0606
Bad Rabbitsoftware uses T0828 Loss of Pr technique Several traS0606
Bad Rabbitsoftware uses T0863 User Executechnique [Bad RabbitS0606
[BlackEnergy](https://attack.mitre.org/software/S0089) targe
BlackEnergsoftware uses T0865 Spearphishtechnique [BlackEnergy](https://attack.mitre.org/software/S0089)
S0089 uses
BlackEnergsoftware uses T0869 Standard Aptechnique [BlackEnergy](https://attack.mitre.org/software/S0089)
S0089 utiliz
BlackEnergsoftware uses T0859 Valid Acco technique S0089
Conficker software uses T0826 Loss of Avaitechnique A [ConfickeS0608
Conficker software uses T0828 Loss of Pr technique A [ConfickeS0608
Conficker software uses T0847 Replicatio technique [Conficker]S0608
Duqu software uses T0811 Data from technique [Duqu](httpS0038
Duqu software uses T0882 Theft of Optechnique [Duqu](httpS0038
EKANS software uses T0828 Loss of Pr technique [EKANS](httS0605
EKANS software uses T0849 Masqueradtechnique [EKANS](htS0605
EKANS software uses T0840 Network Cotechnique [EKANS](httS0605
EKANS software uses T0881 Service Stotechnique Before encrS0605
Flame software uses T0811 Data from technique [Flame](ht S0143
Flame software uses T0882 Theft of Optechnique [Flame](httS0143
INCONTROsoftware uses T0858 Change Optechnique [INCONTROL S1045
INCONTROsoftware uses T0884 Connectiontechnique The [INCONT S1045
INCONTROsoftware uses T0809 Data Destrtechnique [INCONTROL S1045
INCONTROsoftware uses T0890 Exploitatiotechnique [INCONTROLL S1045
INCONTROsoftware uses T0891 Hardcodedtechnique [INCONTROL S1045
INCONTROsoftware uses T0867 Lateral Tootechnique [INCONTROL S1045
INCONTROsoftware uses T0836 Modify Partechnique [INCONTROL S1045
INCONTROsoftware uses T0842 Network Sntechnique [INCONTROLL S1045
INCONTROsoftware uses T0861 Point & Tagtechnique [INCONTROL S1045
INCONTROsoftware uses T0843 Program Dtechnique [INCONTROLLER](https://attack.mitre.org/software/S1045)
S1045 ca
INCONTROsoftware uses T0845 Program Utechnique [INCONTROLLER](https://attack.mitre.org/software/S1045)
S1045 c
INCONTROsoftware uses T0886 Remote Sertechnique [INCONTROLLER](https://attack.mitre.org/software/S1045)
S1045 ca
INCONTROsoftware uses T0846 Remote Systechnique [INCONTROLLER](https://attack.mitre.org/software/S1045)
S1045 h
INCONTROsoftware uses T0888 Remote Systechnique [INCONTROLL S1045
INCONTROsoftware uses T0869 Standard Aptechnique [INCONTROL S1045
INCONTROsoftware uses T0855 Unauthori technique [INCONTROLLER](https://attack.mitre.org/software/S1045)
S1045 ca
INCONTROsoftware uses T0859 Valid Acco technique [INCONTROLLER](https://attack.mitre.org/software/S1045)
S1045 c
Industroyesoftware uses T0800 Activate F technique The [IndustS0604
Industroyesoftware uses T0802 Automatedtechnique [IndustroyeS0604
Industroyesoftware uses T0803 Block Com technique In [Industr S0604
Industroyesoftware uses T0804 Block Repotechnique [IndustroyeS0604
Industroyesoftware uses T0805 Block Seri technique In [Industr S0604
Industroyesoftware uses T0806 Brute Forcetechnique The [IndustS0604
Industroyesoftware uses T0807 Command-Li technique The name oS0604
Industroyesoftware uses T0884 Connectiontechnique [IndustroyeS0604
Industroyesoftware uses T0809 Data Destrtechnique [IndustroyeS0604
Industroyesoftware uses T0813 Denial of Ctechnique [IndustroyeS0604
Industroyesoftware uses T0814 Denial of Stechnique The [IndustS0604
Industroyesoftware uses T0815 Denial of technique [IndustroyeS0604
Industroyesoftware uses T0816 Device Restechnique The [IndustS0604
Industroyesoftware uses T0827 Loss of Contechnique [IndustroyeS0604
Industroyesoftware uses T0837 Loss of Protechnique [IndustroyeS0604
Industroyesoftware uses T0829 Loss of Vietechnique [IndustroyeS0604
Industroyesoftware uses T0831 Manipulatitechnique [IndustroyeS0604
Industroyesoftware uses T0832 Manipulatitechnique [IndustroyeS0604
Industroyesoftware uses T0801 Monitor Prtechnique [IndustroyeS0604
Industroyesoftware uses T0840 Network Cotechnique [Industroy S0604
Industroyesoftware uses T0846 Remote Systechnique [Industroyer](https://attack.mitre.org/software/S0604)
S0604 conta
Industroyesoftware uses T0888 Remote Systechnique [Industroyer](https://attack.mitre.org/software/S0604)
S0604 IEC 60
Industroyesoftware uses T0881 Service Stotechnique [IndustroyeS0604
Industroyesoftware uses T0855 Unauthori technique Using its S0604
KillDisk software uses T0809 Data Destrtechnique [KillDisk]( S0607
KillDisk software uses T0872 Indicator technique [KillDisk]( S0607
KillDisk software uses T0829 Loss of Vietechnique [KillDisk]( S0607
KillDisk software uses T0881 Service Stotechnique [KillDisk]( S0607
LockerGogsoftware uses T0827 Loss of Contechnique Some of Nor S0372
LockerGogsoftware uses T0828 Loss of Pr technique While Norsk S0372
LockerGogsoftware uses T0829 Loss of Vietechnique Some of Nor S0372
NotPetya software uses T0866 Exploitatiotechnique [NotPetya](S0368
NotPetya software uses T0867 Lateral Tootechnique [NotPetya](S0368
NotPetya software uses T0828 Loss of Pr technique [NotPetya](S0368
PLC-Blastersoftware uses T0858 Change Optechnique [PLC-BlasteS1006
PLC-Blastersoftware uses T0814 Denial of Stechnique The executiS1006
PLC-Blastersoftware uses T0835 Manipulatetechnique [PLC-Blast S1006
PLC-Blastersoftware uses T0821 Modify Contechnique [PLC-BlasteS1006
PLC-Blastersoftware uses T0889 Modify Pr technique [PLC-BlasteS1006
PLC-Blastersoftware uses T0834 Native API technique [PLC-Blast S1006
PLC-Blastersoftware uses T0843 Program Dtechnique [PLC-Blast S1006
PLC-Blastersoftware uses T0846 Remote Systechnique [PLC-BlasteS1006
REvil software uses T0828 Loss of Pr technique The [REvil]S0496
REvil software uses T0849 Masqueradtechnique [REvil](htt S0496
REvil software uses T0886 Remote Sertechnique [REvil](htt S0496
REvil software uses T0853 Scripting technique [REvil](htt S0496
REvil software uses T0881 Service Stotechnique [REvil](htt S0496
REvil software uses T0869 Standard Aptechnique [REvil](ht S0496
REvil software uses T0882 Theft of Optechnique [REvil](htt S0496
REvil software uses T0863 User Executechnique [REvil](htt S0496
Ryuk software uses T0828 Loss of Pr technique An enterpriS0446
Stuxnet software uses T0807 Command-Li technique [Stuxnet](hS0603
Stuxnet software uses T0885 Commonlytechnique [Stuxnet](hS0603
Stuxnet software uses T0866 Exploitatiotechnique [Stuxnet]( S0603
Stuxnet software uses T0891 Hardcodedtechnique [Stuxnet](hS0603
Stuxnet software uses T0874 Hooking technique [Stuxnet](hS0603
Stuxnet software uses T0877 I/O Image technique [Stuxnet](hS0603
Stuxnet software uses T0867 Lateral Tootechnique [Stuxnet](hS0603
Stuxnet software uses T0835 Manipulatetechnique When the pe S0603
Stuxnet software uses T0831 Manipulatitechnique [Stuxnet](hS0603
Stuxnet software uses T0832 Manipulatitechnique [Stuxnet](hS0603
Stuxnet software uses T0849 Masqueradtechnique [Stuxnet](hS0603
Stuxnet software uses T0821 Modify Contechnique [Stuxnet](hS0603
Stuxnet software uses T0836 Modify Partechnique In states 3 S0603
Stuxnet software uses T0889 Modify Pr technique [Stuxnet](hS0603
Stuxnet software uses T0801 Monitor Prtechnique [Stuxnet](hS0603
Stuxnet software uses T0834 Native API technique [Stuxnet](hS0603
Stuxnet software uses T0842 Network Sntechnique DP_RECV isS0603
Stuxnet software uses T0843 Program Dtechnique [Stuxnet](hS0603
Stuxnet software uses T0873 Project Filetechnique [Stuxnet](hS0603
Stuxnet software uses T0886 Remote Sertechnique [Stuxnet]( S0603
Stuxnet software uses T0888 Remote Systechnique [Stuxnet](https://attack.mitre.org/software/S0603)
S0603 was spec
Stuxnet software uses T0847 Replicatio technique [Stuxnet](hS0603
Stuxnet software uses T0851 Rootkit technique One of [StuS0603
Stuxnet software uses T0869 Standard Ap technique [Stuxnet](hS0603
Stuxnet software uses T0863 User Executechnique [Stuxnet](hS0603
Triton software uses T0858 Change Optechnique [Triton](ht S1009
Triton software uses T0885 Commonlytechnique [Triton](ht S1009
Triton software uses T0868 Detect Opetechnique [Triton](https://attack.mitre.org/software/S1009)
S1009 contains a
Triton software uses T0871 Execution technique [Triton](ht S1009
Triton software uses T0820 Exploitatiotechnique [Triton](ht S1009
Triton software uses T0890 Exploitatiotechnique [Triton](ht S1009
Triton software uses T0874 Hooking technique [Triton](ht S1009
Triton software uses T0872 Indicator technique [Triton](ht S1009
Triton software uses T0880 Loss of Saf technique [Triton](ht S1009
Triton software uses T0849 Masqueradtechnique [Triton](https://attack.mitre.org/software/S1009)
S1009 was configu
Triton software uses T0821 Modify Contechnique [Triton](ht S1009
Triton software uses T0834 Native API technique [Triton](ht S1009
Triton software uses T0843 Program Dtechnique [Triton](ht S1009
Triton software uses T0845 Program Utechnique [Triton](ht S1009
Triton software uses T0846 Remote Systechnique [Triton](ht S1009
Triton software uses T0853 Scripting technique [Triton](ht S1009
Triton software uses T0869 Standard Ap technique [Triton](ht S1009
Triton software uses T0857 System Fi technique [Triton](ht S1009
VPNFilter software uses T0830 Adversary-technique The [VPNFilS1010
VPNFilter software uses T0842 Network Sntechnique The [VPNFilS1010
WannaCry software uses T0866 Exploitatiotechnique [WannaCry]( S0366
WannaCry software uses T0867 Lateral Tootechnique [WannaCry]( S0366
source name | source type | mapping type | target ID | target name | target type | mapping description | source ID
All devices or systems changes, including all administrative fu
Access Ma mitigation mitigates T0800 Activate F technique Authenticate M0801
all access to field controllers before authorizing
Access Ma mitigation mitigates T0858 Change Optechnique Ensure embeddedM0801 controls and network devices are protecte
Access Ma mitigation mitigates T0812 Default Cretechnique Authenticate M0801
all access to field controllers before authorizing
Access Ma mitigation mitigates T0868 Detect Opetechnique All devices M0801
or systems changes, including all administrative fu
Access Ma mitigation mitigates T0816 Device Restechnique Access Management
M0801 technologies can be used to enforce aut
Access Ma mitigation mitigates T0871 Execution technique M0801
Access Ma mitigation mitigates T0891 Hardcodedtechnique Ensure embM
All devices or0801
systems changes, including all administrative fu
Access Ma mitigation mitigates T0838 Modify Alatechnique All devices M0801
or systems changes, including all administrative fu
Access Ma mitigation mitigates T0839 Module Fi technique Authenticate M0801
all access to field controllers before authorizing
Access Ma mitigation mitigates T0861 Point & Tagtechnique Authenticate M0801
all access to field controllers before authorizing
Access Ma mitigation mitigates T0843 Program Dtechnique Authenticate M0801
all access to field controllers before authorizing
Access Ma mitigation mitigates T0845 Program Utechnique Access Management
M0801 technologies can help enforce authentic
Access Ma mitigation mitigates T0886 Remote Sertechnique All devices M0801
or systems changes, including all administrative fu
Access Ma mitigation mitigates T0857 System Fi technique Authenticate M0801
all access to field controllers before authorizing
Access Ma mitigation mitigates T0859 Valid Acco technique Configure features
M0801 related to account use like login attempt l
Account Usemitigation mitigates T0822 External R technique Configure features
M0936 related to account use like login attempt l
Account Usemitigation mitigates T0859 Valid Acco technique Consider configuration
M0936 and use of a network-wide authentica
Active Diremitigation mitigates T0859 Valid Acco technique Deploy anti-virus
M0915on all systems that support external email.
Antivirus/ mitigation mitigates T0865 Spearphishtechnique Install anti-virus
M0949 software on all workstation and transient ass
Antivirus/ mitigation mitigates T0864 Transient technique Ensure anti-virus
M0949solution can detect malicious files that allow
Antivirus/ mitigation mitigates T0863 User Executechnique Ensure thatM0949
applications and devices do not store sensitive da
Applicatio mitigation mitigates T0859 Valid Acco technique Built-in browser
M0913 sandboxes and application isolation may be u
Applicationmitigation mitigates T0817 Drive-by C technique ApplicationM0948
isolation will limit the other processes and system
Applicationmitigation mitigates T0819 Exploit Pubtechnique Make it difficult
M0948 for adversaries to advance their operation th
Applicationmitigation mitigates T0820 Exploitatiotechnique Make it difficult
M0948 for adversaries to advance their operation th
Applicationmitigation mitigates T0890 Exploitatiotechnique Make it difficult
M0948 for adversaries to advance their operation th
Applicationmitigation mitigates T0866 Exploitatiotechnique Consider the M0948
use of application isolation and sandboxing to re
Applicationmitigation mitigates T0853 Scripting technique Limit accessM0948
to network infrastructure and resources that can
Audit mitigation mitigates T0830 Adversary-technique Consider periodic
M0947 reviews of accounts and privileges for critic
Audit mitigation mitigates T0811 Data from technique Perform auditsM0947or scans of systems, permissions, insecure soft
Audit mitigation mitigates T0874 Hooking technique Provide theM0947 ability to verify the integrity of control logic or pr
Audit mitigation mitigates T0821 Modify Contechnique Provide theM0947
ability to verify the integrity of control logic or pr
Audit mitigation mitigates T0836 Modify Partechnique Provide theM0947
ability to verify the integrity of control logic or pr
Audit mitigation mitigates T0889 Modify Pr technique Perform integrity
M0947checks of firmware before uploading it on a
Audit mitigation mitigates T0839 Module Fi technique Provide theM0947
ability to verify the integrity of control logic or pr
Audit mitigation mitigates T0843 Program Dtechnique Review theM0947integrity of project files to verify they have not be
Audit mitigation mitigates T0873 Project Filetechnique Audit the integrity
M0947 of PLC system and application code functio
Audit mitigation mitigates T0851 Rootkit technique Perform audits M0947or scans of systems, permissions, insecure soft
Audit mitigation mitigates T0862 Supply Chatechnique Perform integrity
M0947checks of firmware before uploading it on a
Audit mitigation mitigates T0857 System Fi technique Integrity checking
M0947 of transient assets can include performing
Audit mitigation mitigates T0864 Transient technique Routinely audit
M0947 source code, application configuration files, o
Audit mitigation mitigates T0859 Valid Acco technique Restrict configurations
M0947 changes and firmware updating abiliti
Authorizat mitigation mitigates T0800 Activate F technique All field controllers
M0800 should restrict operating mode changes to
Authorizat mitigation mitigates T0858 Change Optechnique M0800
All field controllers should restrict the modification of program
Authorizat mitigation mitigates T0868 Detect Opetechnique All field controllers
M0800 should restrict the modification of program
Authorizat mitigation mitigates T0816 Device Restechnique All APIs used M0800
to perform execution, especially those hosted o
Authorizat mitigation mitigates T0871 Execution technique Only authorized
M0800 personnel should be able to change settings
Authorizat mitigation mitigates T0838 Modify Alatechnique All field controllers
M0800 should restrict the modification of program
Authorizat mitigation mitigates T0836 Modify Partechnique Systems and M0800
devices should restrict access to any data with p
Authorizat mitigation mitigates T0861 Point & Tagtechnique All field controllers
M0800 should restrict the modification of program
Authorizat mitigation mitigates T0843 Program Dtechnique All field controllers
M0800 should restrict program uploads to only ce
Authorizat mitigation mitigates T0845 Program Utechnique Provide privileges
M0800 corresponding to the restriction of a GUI se
Authorizat mitigation mitigates T0886 Remote Sertechnique Check the integrity
M0800 of the existing BIOS or EFI to determine if
Boot Integrmitigation mitigates T0839 Module Fi technique Check the integrity
M0946 of the existing BIOS or EFI to determine if
Boot Integrmitigation mitigates T0857 System Fi technique Require signedM0946 binaries.
Code Signi mitigation mitigates T0849 Masqueradtechnique Utilize codeM0945signatures to verify the integrity of the installed p
Code Signi mitigation mitigates T0821 Modify Contechnique Utilize codeM0945
signatures to verify the integrity of the installed p
Code Signi mitigation mitigates T0889 Modify Pr technique Devices shouldM0945 verify that firmware has been properly signed
Code Signi mitigation mitigates T0839 Module Fi technique Utilize codeM0945
signatures to verify the integrity of the installed p
Code Signi mitigation mitigates T0843 Program Dtechnique Allow for code M0945 signing of any project files stored at rest to pre
Code Signi mitigation mitigates T0873 Project Filetechnique Digital signatures
M0945may be used to ensure application DLLs are
Code Signi mitigation mitigates T0851 Rootkit technique When available M0945 utilize hardware and software root-of-trust to
Code Signi mitigation mitigates T0862 Supply Chatechnique Devices shouldM0945 verify that firmware has been properly signed
Code Signi mitigation mitigates T0857 System Fi technique Prevent theM0945use of unsigned executables, such as installers an
Code Signi mitigation mitigates T0863 User Executechnique Protocols usedM0945 for device management should authenticate a
Communicat mitigation mitigates T0800 Activate F technique CommunicationM0802 authenticity will ensure that any messages ta
Communicat mitigation mitigates T0830 Adversary-technique Protocols usedM0802 for device management should authenticate a
Communicat mitigation mitigates T0858 Change Optechnique Protocols used M0802 for control functions should provide authentic
Communicat mitigation mitigates T0868 Detect Opetechnique Protocols usedM0802 for control functions should provide authentic
Communicat mitigation mitigates T0816 Device Restechnique Protocols usedM0802 for control functions should provide authentic
Communicat mitigation mitigates T0831 Manipulatitechnique Protocols usedM0802 for control functions should provide authentic
Communicat mitigation mitigates T0832 Manipulatitechnique Protocols usedM0802 for device management should authenticate a
Communicat mitigation mitigates T0839 Module Fi technique Protocols usedM0802 for control functions should provide authentic
Communicat mitigation mitigates T0861 Point & Tagtechnique Protocols used
M0802 for device management should authenticate a
Communicat mitigation mitigates T0843 Program Dtechnique Protocols used M0802 for device management should authenticate a
Communicat mitigation mitigates T0845 Program Utechnique Protocols used M0802 for control functions should provide authentic
Communicat mitigation mitigates T0848 Rogue Mastechnique Protocols used M0802 for control functions should provide authentic
Communicat mitigation mitigates T0856 Spoof Repotechnique Protocols usedM0802 for device management should authenticate a
Communicat mitigation mitigates T0857 System Fi technique Protocols usedM0802 for control functions should provide authentic
Communicat mitigation mitigates T0855 Unauthori technique Do not inherently
M0802 rely on the authenticity provided by the ne
Communicat mitigation mitigates T0860 Wireless technique Utilize centralM0802storage servers for critical operations where po
Data Backumitigation mitigates T0809 Data Destrtechnique Take and storeM0953 data backups from end user systems and critic
Data Backumitigation mitigates T0813 Denial of Ctechnique Take and store
M0953 data backups from end user systems and critic
mitigation ID | mitigation | technique ID | technique | description (truncated in source)
M0953 | Data Backup | T0815 | Denial of View | Take and store data backups from end user systems and critic…
M0953 | Data Backup | T0826 | Loss of Availability | Take and store data backups from end user systems and critic…
M0953 | Data Backup | T0827 | Loss of Control | Take and store data backups from end user systems and critic…
M0953 | Data Backup | T0828 | Loss of Productivity and Revenue | Take and store data backups from end user systems and critic…
M0953 | Data Backup | T0829 | Loss of View | Take and store data backups from end user systems and critic…
M0953 | Data Backup | T0831 | Manipulation of Control | Take and store data backups from end user systems and critic…
M0953 | Data Backup | T0832 | Manipulation of View | Take and store data backups from end user systems and critic…
M0803 | Data Loss Prevention | T0882 | Theft of Operational Information | Apply DLP to protect the confidentiality of information relate…
M0942 | Disable or Remove Feature or Program | T0830 | Adversary-in-the-Middle | Disable unnecessary legacy network protocols that may be us…
M0942 | Disable or Remove Feature or Program | T0807 | Command-Line Interface | Consider removing or restricting features that are unnecessar…
M0942 | Disable or Remove Feature or Program | T0885 | Commonly Used Port | Ensure that unnecessary ports and services are closed to prev…
M0942 | Disable or Remove Feature or Program | T0816 | Device Restart/Shutdown | Ensure remote commands that enable device shutdown are d…
M0942 | Disable or Remove Feature or Program | T0866 | Exploitation of Remote Services | Ensure that unnecessary ports and services are closed to prev…
M0942 | Disable or Remove Feature or Program | T0822 | External Remote Services | Consider removal of remote services which are not regularly…
M0942 | Disable or Remove Feature or Program | T0847 | Replication Through Removable Media | Consider the disabling of features such as AutoRun.
M0942 | Disable or Remove Feature or Program | T0853 | Scripting | Consider removal or disabling of programs and features whic…
M0808 | Encrypt Network Traffic | T0839 | Module Firmware | The encryption of firmware should be considered to prevent…
M0808 | Encrypt Network Traffic | T0842 | Network Sniffing | Ensure that wired and/or wireless traffic is encrypted when fe…
M0808 | Encrypt Network Traffic | T0857 | System Firmware | The encryption of firmware should be considered to prevent…
M0808 | Encrypt Network Traffic | T0860 | Wireless Compromise | Utilize strong cryptographic techniques and protocols to prev…
M0808 | Encrypt Network Traffic | T0887 | Wireless Sniffing | Utilize strong cryptographic techniques and protocols to prev…
M0941 | Encrypt Sensitive Information | T0811 | Data from Information Repositories | Information which is sensitive to the operation and architectu…
M0941 | Encrypt Sensitive Information | T0839 | Module Firmware | The encryption of firmware should be considered to prevent…
M0941 | Encrypt Sensitive Information | T0873 | Project File Infection | When at rest, project files should be encrypted to prevent un…
M0941 | Encrypt Sensitive Information | T0857 | System Firmware | The encryption of firmware should be considered to prevent…
M0941 | Encrypt Sensitive Information | T0882 | Theft of Operational Information | Encrypt any operational data with strong confidentiality requ…
M0941 | Encrypt Sensitive Information | T0864 | Transient Cyber Asset | Consider implementing full disk encryption, especially if engin…
M0938 | Execution Prevention | T0807 | Command-Line Interface | Execution prevention may block malicious software from acce…
M0938 | Execution Prevention | T0871 | Execution through API | Minimize the exposure of API calls that allow the execution o…
M0938 | Execution Prevention | T0849 | Masquerading | Use tools that restrict program execution via application cont…
M0938 | Execution Prevention | T0834 | Native API | Minimize the exposure of API calls that allow the execution o…
M0938 | Execution Prevention | T0853 | Scripting | Execution prevention may prevent malicious scripts from acc…
M0938 | Execution Prevention | T0863 | User Execution | Application control may be able to prevent the running of exe…
M0950 | Exploit Protection | T0817 | Drive-by Compromise | Utilize exploit protection to prevent activities which may be e…
M0950 | Exploit Protection | T0819 | Exploit Public-Facing Application | Web Application Firewalls may be used to limit exposure of a…
M0950 | Exploit Protection | T0820 | Exploitation for Evasion | Security applications that look for behavior used during explo…
M0950 | Exploit Protection | T0890 | Exploitation for Privilege Escalation | Security applications that look for behavior used during explo…
M0950 | Exploit Protection | T0866 | Exploitation of Remote Services | Security applications that look for behavior used during explo…
M0937 | Filter Network Traffic | T0800 | Activate Firmware Update Mode | Filter for protocols and payloads associated with firmware ac…
M0937 | Filter Network Traffic | T0806 | Brute Force I/O | Allow/denylists can be used to block access when excessive I/…
M0937 | Filter Network Traffic | T0884 | Connection Proxy | Traffic to known anonymity networks and C2 infrastructure c…
M0937 | Filter Network Traffic | T0868 | Detect Operating Mode | Perform inline allowlisting of automation protocol commands…
M0937 | Filter Network Traffic | T0816 | Device Restart/Shutdown | Application denylists can be used to block automation protoc…
M0937 | Filter Network Traffic | T0839 | Module Firmware | Filter for protocols and payloads associated with firmware ac…
M0937 | Filter Network Traffic | T0861 | Point & Tag Identification | Perform inline allowlisting of automation protocol commands…
M0937 | Filter Network Traffic | T0843 | Program Download | Filter for protocols and payloads associated with program do…
M0937 | Filter Network Traffic | T0845 | Program Upload | Filter for protocols and payloads associated with program up…
M0937 | Filter Network Traffic | T0886 | Remote Services | Filter application-layer protocol messages for remote services…
M0937 | Filter Network Traffic | T0848 | Rogue Master | Perform inline allowlisting of automation protocol commands…
M0937 | Filter Network Traffic | T0856 | Spoof Reporting Message | Perform inline allowlisting of automation protocol commands…
M0937 | Filter Network Traffic | T0857 | System Firmware | Filter for protocols and payloads associated with firmware ac…
M0937 | Filter Network Traffic | T0855 | Unauthorized Command Message | Perform inline allowlisting of automation protocol commands…
M0937 | Filter Network Traffic | T0859 | Valid Accounts | Consider using IP allowlisting along with user account manage…
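The Filter Network Traffic (M0937) rows above prescribe inline allowlisting of automation protocol commands, application denylists for dangerous protocol functions, and allow/denylists that trip on excessive I/O. The Python below is an added example, not MITRE's or any vendor's code, of what such a filter actually decides for Modbus/TCP: it parses the MBAP header and function code, applies a per-source, default-deny allowlist of function codes and unit ids, and caps the write rate per source to catch Brute Force I/O (T0806). The host addresses, policy, function-code groupings and sample frames are all constructed for the example; in a plant this logic sits in an industrial firewall or bump-in-the-wire device in front of the controller, not on the controller itself.

```python
"""Inline allowlisting of Modbus/TCP function codes (M0937-style), with a per-source
write-rate cap for Brute Force I/O (T0806). Added example; hosts, policy and
frames are constructed, not captured from a real network."""
import struct
from collections import defaultdict, deque

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0 = Modbus), length, unit id
READ_FCS = {0x01, 0x02, 0x03, 0x04}                 # read coils / inputs / holding / input regs
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}    # coil/register writes, mask write, read-write
DIAG_FCS = {0x08, 0x11, 0x2B}                       # diagnostics, report server id, MEI transport


def build_frame(tid: int, unit: int, fc: int, data: bytes = b"") -> bytes:
    """Encode one Modbus/TCP request; the MBAP length counts unit id + PDU."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes):
    """Return (unit, function_code, data) or raise ValueError for malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = frame[MBAP.size]
    if fc & 0x80:
        raise ValueError("exception bit set in a request")
    return unit, fc, frame[MBAP.size + 1:]


class ProtocolFilter:
    """Default-deny: a source may only send the listed function codes to the
    listed unit ids, and write-type codes are rate-capped per source."""

    def __init__(self, policy, max_writes=20, window_s=10.0):
        self.policy = policy                # {src_ip: {"units": set, "fcs": set}}
        self.max_writes = max_writes
        self.window_s = window_s
        self._writes = defaultdict(deque)   # src_ip -> timestamps of recent writes

    def decide(self, src_ip: str, frame: bytes, now: float):
        try:
            unit, fc, _data = parse_frame(frame)
        except ValueError as err:
            return False, f"malformed: {err}"
        rule = self.policy.get(src_ip)
        if rule is None:
            return False, f"no rule for {src_ip}"
        if unit not in rule["units"]:
            return False, f"unit {unit} not permitted for {src_ip}"
        if fc not in rule["fcs"]:
            return False, f"function code 0x{fc:02X} not allowlisted for {src_ip}"
        if fc in WRITE_FCS:
            recent = self._writes[src_ip]
            while recent and now - recent[0] > self.window_s:
                recent.popleft()
            if len(recent) >= self.max_writes:
                return False, f"write rate above {self.max_writes}/{self.window_s}s for {src_ip}"
            recent.append(now)
        return True, f"fc 0x{fc:02X} to unit {unit} permitted"


# Constructed policy: the HMI may only read; the engineering workstation may also
# write registers; nothing in DIAG_FCS is in anybody's allowlist.
POLICY = {
    "10.0.0.5": {"units": {1}, "fcs": READ_FCS},
    "10.0.0.9": {"units": {1, 2}, "fcs": READ_FCS | {0x06, 0x10}},
}

# Constructed traffic: (source, frame, arrival time in seconds).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10)), 0.0),   # HMI reads 10 registers
    ("10.0.0.5", build_frame(2, 1, 0x06, struct.pack(">HH", 40, 1)), 0.1),   # HMI attempts a write
    ("10.0.0.9", build_frame(3, 1, 0x10, struct.pack(">HHB", 40, 1, 2) + b"\x00\x01"), 0.2),
    ("10.0.0.9", build_frame(4, 1, 0x08, struct.pack(">HH", 0x0004, 0)), 0.3),  # Force Listen Only Mode
    ("10.0.0.9", build_frame(5, 1, 0x2B, b"\x0E\x01\x00"), 0.4),               # read device identification
    ("10.0.0.7", build_frame(6, 1, 0x03, struct.pack(">HH", 0, 1)), 0.5),      # host with no rule
    ("10.0.0.5", b"\x00\x07\x00\x00\x00\x06\x01\x03\x00", 0.6),                # truncated frame
]


def run_demo():
    """Decide every sample frame; returns [(src, allowed, reason), ...]."""
    flt = ProtocolFilter(POLICY)
    return [(src, *flt.decide(src, frame, t)) for src, frame, t in SAMPLE_TRAFFIC]


def brute_force_demo(n=25):
    """n rapid single-register writes from the workstation; the cap trips after 20."""
    flt = ProtocolFilter(POLICY, max_writes=20, window_s=10.0)
    frame = build_frame(9, 1, 0x06, struct.pack(">HH", 40, 1))
    return [flt.decide("10.0.0.9", frame, 0.01 * i)[0] for i in range(n)]


if __name__ == "__main__":
    for src, ok, why in run_demo():
        print(f"{src:10} {'ALLOW' if ok else 'DENY':5} {why}")
    print("writes allowed before cap:", sum(brute_force_demo()))
```

The fourth sample frame is the case the M0937 rows for Device Restart/Shutdown (T0816) and Detect Operating Mode (T0868) are about: Modbus diagnostics (function 0x08) sub-function 0x0004 puts the device into Listen Only mode, so it belongs on a denylist for every source even when that source is otherwise trusted. Malformed frames are denied rather than passed through, which is the conservative choice for an inline device; the rate cap keys on source address only, so a filter deployed this way still needs M0813-style authentication to stop a host that spoofs the workstation's address.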
mitigation ID | mitigation | technique ID | technique | description (truncated in source)
M0804 | Human User Authentication | T0800 | Activate Firmware Update Mode | Devices th…
M0804 | Human User Authentication | T0858 | Change Operating Mode | All field c…
M0804 | Human User Authentication | T0885 | Commonly Used Port | All field c…
M0804 | Human User Authentication | T0868 | Detect Operating Mode | All field c…
M0804 | Human User Authentication | T0816 | Device Restart/Shutdown | All field c…
M0804 | Human User Authentication | T0871 | Execution through API | APIs on remote systems or local processes should require…
M0804 | Human User Authentication | T0838 | Modify Alarm Settings | All field c…
M0804 | Human User Authentication | T0839 | Module Firmware | Devices th…
M0804 | Human User Authentication | T0861 | Point & Tag Identification | All field c…
M0804 | Human User Authentication | T0843 | Program Download | All field c…
M0804 | Human User Authentication | T0845 | Program Upload | All field c…
M0804 | Human User Authentication | T0886 | Remote Services | All remote services should require strong authentication befo…
M0804 | Human User Authentication | T0857 | System Firmware | Devices th…
M0935 | Limit Access to Resource Over Network | T0822 | External Remote Services | Limit access to remote services through centrally managed co…
M0934 | Limit Hardware Installation | T0847 | Replication Through Removable Media | Enforce system policies or physical restrictions to limit hardw…
M0805 | Mechanical Protection Layers | T0879 | Damage to Property | Protection devices should have minimal digital components t…
M0805 | Mechanical Protection Layers | T0880 | Loss of Safety | Protection devices should have minimal digital components t…
M0806 | Minimize Wireless Signal Propagation | T0860 | Wireless Compromise | Techniques can include (i) reducing transmission power on w…
M0806 | Minimize Wireless Signal Propagation | T0887 | Wireless Sniffing | Reduce the range of RF communications to their intended op…
M0816 | Mitigation Limited or Not Effective | T0823 | Graphical User Interface | Once an adversary has access to a remote GUI they can abuse…
M0816 | Mitigation Limited or Not Effective | T0877 | I/O Image | This technique may not be effectively mitigated against, cons…
M0816 | Mitigation Limited or Not Effective | T0835 | Manipulate I/O Image | This technique may not be effectively mitigated against, cons…
M0816 | Mitigation Limited or Not Effective | T0801 | Monitor Process State | This type of attack technique cannot be easily mitigated with…
M0816 | Mitigation Limited or Not Effective | T0840 | Network Connection Enumeration | Network connection enumeration is likely obtained by using c…
M0816 | Mitigation Limited or Not Effective | T0852 | Screen Capture | Preventing screen capture on a device may require disabling…
M0932 | Multi-factor Authentication | T0822 | External Remote Services | Use strong multi-factor authentication for remote service acc…
M0932 | Multi-factor Authentication | T0842 | Network Sniffing | Use multi-factor authentication wherever possible.
M0932 | Multi-factor Authentication | T0859 | Valid Accounts | Integrating multi-factor authentication (MFA) as part of organ…
M0807 | Network Allowlists | T0800 | Activate Firmware Update Mode | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0878 | Alarm Suppression | Utilize network allowlists to restrict unnecessary connections…
M0807 | Network Allowlists | T0802 | Automated Collection | Utilize network allowlists to restrict unnecessary connections…
M0807 | Network Allowlists | T0803 | Block Command Message | Utilize network allowlists to restrict unnecessary connections…
M0807 | Network Allowlists | T0804 | Block Reporting Message | Utilize network allowlists to restrict unnecessary connections…
M0807 | Network Allowlists | T0805 | Block Serial COM | Implement network allowlists to minimize serial comm port a…
M0807 | Network Allowlists | T0806 | Brute Force I/O | Utilize network allowlists to restrict unnecessary connections…
M0807 | Network Allowlists | T0858 | Change Operating Mode | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0884 | Connection Proxy | Network all…
M0807 | Network Allowlists | T0879 | Damage to Property | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0868 | Detect Operating Mode | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0816 | Device Restart/Shutdown | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0838 | Modify Alarm Settings | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0839 | Module Firmware | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0861 | Point & Tag Identification | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0843 | Program Download | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0845 | Program Upload | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0886 | Remote Services | Network allowlists can be implemented through either host-b…
M0807 | Network Allowlists | T0848 | Rogue Master | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0856 | Spoof Reporting Message | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0869 | Standard Application Layer Protocol | Network all…
M0807 | Network Allowlists | T0857 | System Firmware | Use host-based allowlists to prevent devices from accepting c…
M0807 | Network Allowlists | T0855 | Unauthorized Command Message | Use host-based allowlists to prevent devices from accepting c…
M0931 | Network Intrusion Prevention | T0830 | Adversary-in-the-Middle | Network intrusion detection and prevention systems that can…
M0931 | Network Intrusion Prevention | T0885 | Commonly Used Port | Network intrusion detection and prevention systems that use…
M0931 | Network Intrusion Prevention | T0884 | Connection Proxy | Network intrusion detection and prevention systems that use…
M0931 | Network Intrusion Prevention | T0867 | Lateral Tool Transfer | Network intrusion detection and prevention systems that use…
M0931 | Network Intrusion Prevention | T0865 | Spearphishing Attachment | Network intrusion prevention systems and systems designed…
M0931 | Network Intrusion Prevention | T0869 | Standard Application Layer Protocol | Network intrusion detection and prevention systems that use…
M0931 | Network Intrusion Prevention | T0863 | User Execution | If a link is being visited by a user, network intrusion preventio…
M0930 | Network Segmentation | T0800 | Activate Firmware Update Mode | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0830 | Adversary-in-the-Middle | Network segmentation can be used to isolate infrastructure c…
M0930 | Network Segmentation | T0878 | Alarm Suppression | Segment operational assets and their management devices b…
M0930 | Network Segmentation | T0802 | Automated Collection | Prevent unauthorized systems from accessing control servers…
M0930 | Network Segmentation | T0805 | Block Serial COM | Restrict unauthorized devices from accessing serial comm po…
M0930 | Network Segmentation | T0806 | Brute Force I/O | Segment operational assets and their management devices b…
M0930 | Network Segmentation | T0858 | Change Operating Mode | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0885 | Commonly Used Port | Configure internal and external firewalls to block traffic using…
M0930 | Network Segmentation | T0868 | Detect Operating Mode | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0816 | Device Restart/Shutdown | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0819 | Exploit Public-Facing Application | Segment externally facing servers and services from the rest…
M0930 | Network Segmentation | T0866 | Exploitation of Remote Services | Segment networks and systems appropriately to reduce acce…
M0930 | Network Segmentation | T0822 | External Remote Services | Deny direct remote access to internal systems through the us…
M0930 | Network Segmentation | T0883 | Internet Accessible Device | Deny direct remote access to internal systems through the us…
M0930 | Network Segmentation | T0838 | Modify Alarm Settings | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0839 | Module Firmware | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0842 | Network Sniffing | Segment networks and systems appropriately to reduce acce…
M0930 | Network Segmentation | T0861 | Point & Tag Identification | Segment operational assets and their management devices b…
M0930 | Network Segmentation | T0843 | Program Download | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0845 | Program Upload | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0886 | Remote Services | Segment and control software movement between business…
M0930 | Network Segmentation | T0848 | Rogue Master | Segment operational assets and their management devices b…
M0930 | Network Segmentation | T0881 | Service Stop | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0856 | Spoof Reporting Message | Segment operational assets and their management devices b…
M0930 | Network Segmentation | T0869 | Standard Application Layer Protocol | Ensure proper network segmentation between higher level co…
M0930 | Network Segmentation | T0857 | System Firmware | Segment operational network and systems to restrict access t…
M0930 | Network Segmentation | T0864 | Transient Cyber Asset | Segment and control software movement between business…
M0930 | Network Segmentation | T0855 | Unauthorized Command Message | Segment operational assets and their management devices b…
M0928 | Operating System Configuration | T0847 | Replication Through Removable Media | Harden the system through operating system controls to prev…
M0809 | Operational Information Confidentiality | T0882 | Theft of Operational Information | Example mitigations could include minimizing its distribution/…
M0810 | Out-of-Band Communications Channel | T0830 | Adversary-in-the-Middle | Utilize out-of-band communication to validate the integrity o…
M0810 | Out-of-Band Communications Channel | T0878 | Alarm Suppression | Provide an alternative method for alarms to be reported in th…
M0810 | Out-of-Band Communications Channel | T0803 | Block Command Message | Provide an alternative method for sending critical commands…
M0810 | Out-of-Band Communications Channel | T0804 | Block Reporting Message | Provide an alternative method for sending critical report mes…
M0810 | Out-of-Band Communications Channel | T0805 | Block Serial COM | Ensure devices have an alternative method for communicatin…
M0810 | Out-of-Band Communications Channel | T0813 | Denial of Control | Provide operators with redundant, out-of-band communicati…
M0810 | Out-of-Band Communications Channel | T0815 | Denial of View | Provide operators with redundant, out-of-band communicati…
M0810 | Out-of-Band Communications Channel | T0826 | Loss of Availability | Provide operators with redundant, out-of-band communicati…
M0810 | Out-of-Band Communications Channel | T0827 | Loss of Control | Provide operators with redundant, out-of-band communicati…
M0810 | Out-of-Band Communications Channel | T0829 | Loss of View | Provide operators with redundant, out-of-band communicati…
M0810 | Out-of-Band Communications Channel | T0831 | Manipulation of Control | Utilize out-of-band communication to validate the integrity o…
M0810 | Out-of-Band Communications Channel | T0832 | Manipulation of View | Utilize out-of-band communication to validate the integrity o…
M0927 | Password Policies | T0812 | Default Credentials | Review vendor documents and security alerts for potentially…
M0927 | Password Policies | T0822 | External Remote Services | Set and enforce secure password policies for accounts.
M0927 | Password Policies | T0886 | Remote Services | Enforce strong password requirements to prevent password b…
M0927 | Password Policies | T0859 | Valid Accounts | Applications and appliances that utilize default username and…
M0926 | Privileged Account Management | T0809 | Data Destruction | Minimize permissions and access for service accounts to limit…
M0926 | Privileged Account Management | T0811 | Data from Information Repositories | Minimize permissions and access for service accounts to limit…
M0926 | Privileged Account Management | T0819 | Exploit Public-Facing Application | Use least privilege for service accounts. (Citation: Keith Stouff…
M0926 | Privileged Account Management | T0866 | Exploitation of Remote Services | Minimize permissions and access for service accounts to limit…
M0926 | Privileged Account Management | T0842 | Network Sniffing | Restrict root or administrator access on user accounts to limi…
M0926 | Privileged Account Management | T0859 | Valid Accounts | Audit domain and local accounts and their permission levels r…
M0811 | Redundancy of Service | T0813 | Denial of Control | Hot-standbys in diverse locations can ensure continued opera…
M0811 | Redundancy of Service | T0815 | Denial of View | Hot-standbys in diverse locations can ensure continued opera…
M0811 | Redundancy of Service | T0826 | Loss of Availability | Hot-standbys in diverse locations can ensure continued opera…
M0811 | Redundancy of Service | T0827 | Loss of Control | Hot-standbys in diverse locations can ensure continued opera…
M0811 | Redundancy of Service | T0829 | Loss of View | Hot-standbys in diverse locations can ensure continued opera…
M0922 | Restrict File and Directory Permissions | T0809 | Data Destruction | Protect files stored locally with proper permissions to limit o…
M0922 | Restrict File and Directory Permissions | T0811 | Data from Information Repositories | Protect files stored locally with proper permissions to limit op…
M0922 | Restrict File and Directory Permissions | T0872 | Indicator Removal on Host | Protect files stored locally with proper permissions to limit op…
M0922 | Restrict File and Directory Permissions | T0849 | Masquerading | Use file system access controls to protect system and applica…
M0922 | Restrict File and Directory Permissions | T0873 | Project File Infection | Ensure permissions restrict project file access to only enginee…
M0922 | Restrict File and Directory Permissions | T0881 | Service Stop | Ensure proper process and file permissions are in place to inh…
M0922 | Restrict File and Directory Permissions | T0882 | Theft of Operational Information | Protect files stored locally with proper permissions to limit op…
M0944 | Restrict Library Loading | T0874 | Hooking | Restrict the use of untrusted or unknown libraries, such as re…
M0924 | Restrict Registry Permissions | T0881 | Service Stop | Ensure proper registry permissions are in place to inhibit adve…
M0921 | Restrict Web-Based Content | T0817 | Drive-by Compromise | Restrict browsers to limit the capabilities of malicious ads and…
M0921 | Restrict Web-Based Content | T0865 | Spearphishing Attachment | Consider restricting access to email within critical process env…
M0921 | Restrict Web-Based Content | T0863 | User Execution | If a link is being visited by a user, block unknown or unused fi…
M0920 | SSL/TLS Inspection | T0884 | Connection Proxy | If it is possible to inspect HTTPS traffic, the captures can be an…
M0812 | Safety Instrumented Systems | T0879 | Damage to Property | Ensure that all SIS are segmented from operational networks…
M0812 | Safety Instrumented Systems | T0880 | Loss of Safety | Ensure that all SIS are segmented from operational networks…
M0813 | Software Process and Device Authentication | T0800 | Activate Firmware Update Mode | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0830 | Adversary-in-the-Middle | To protect against MITM, authentication mechanisms should…
M0813 | Software Process and Device Authentication | T0806 | Brute Force I/O | Devices should authenticate all messages between master an…
M0813 | Software Process and Device Authentication | T0858 | Change Operating Mode | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0868 | Detect Operating Mode | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0816 | Device Restart/Shutdown | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0838 | Modify Alarm Settings | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0839 | Module Firmware | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0861 | Point & Tag Identification | Devices should authenticate all messages between master an…
M0813 | Software Process and Device Authentication | T0843 | Program Download | Authenticate connections from software and devices to preve…
M0813 | Software Process and Device Authentication | T0845 | Program Upload | Authenticate connections from software and devices to preve…
M0813 | Software Process and Device Authentication | T0886 | Remote Services | All communication sessions to remote services should be aut…
M0813 | Software Process and Device Authentication | T0848 | Rogue Master | Devices should authenticate all messages between master an…
M0813 | Software Process and Device Authentication | T0856 | Spoof Reporting Message | Devices should authenticate all messages between master an…
M0813 | Software Process and Device Authentication | T0857 | System Firmware | Authenticate connections from software and devices to preven…
M0813 | Software Process and Device Authentication | T0855 | Unauthorized Command Message | Devices should authenticate all messages between master an…
M0813 | Software Process and Device Authentication | T0860 | Wireless Compromise | Ensure wireless networks require the authentication of all de…
M0814 | Static Network Configuration | T0830 | Adversary-in-the-Middle | Statically defined ARP entries can prevent manipulation and s…
M0814 | Static Network Configuration | T0878 | Alarm Suppression | Unauthorized connections can be prevented by statically defi…
M0814 | Static Network Configuration | T0803 | Block Command Message | Unauthorized connections can be prevented by statically defi…
M0814 | Static Network Configuration | T0804 | Block Reporting Message | Unauthorized connections can be prevented by statically defi…
M0814 | Static Network Configuration | T0842 | Network Sniffing | Statically defined ARP entries can prevent manipulation and s…
M0814 | Static Network Configuration | T0846 | Remote System Discovery | ICS environments typically have more statically defined devic…
M0814 | Static Network Configuration | T0888 | Remote System Information Discovery | ICS environments typically have more statically defined devic…
M0817 | Supply Chain Management | T0862 | Supply Chain Compromise | A supply chain management program should include method…
M0919 | Threat Intelligence Program | T0820 | Exploitation for Evasion | Develop a robust cyber threat intelligence capability to deter…
M0919 | Threat Intelligence Program | T0890 | Exploitation for Privilege Escalation | Develop a robust cyber threat intelligence capability to deter…
M0919 | Threat Intelligence Program | T0866 | Exploitation of Remote Services | Develop a robust cyber threat intelligence capability to deter…
M0951 | Update Software | T0817 | Drive-by Compromise | Ensure all browsers and plugins are kept updated to help pre…
M0951 | Update Software | T0819 | Exploit Public-Facing Application | Regularly scan externally facing systems for vulnerabilities an…
M0951 | Update Software | T0820 | Exploitation for Evasion | Update software regularly by employing patch management…
M0951 | Update Software | T0890 | Exploitation for Privilege Escalation | Update software regularly by employing patch management…
M0951 | Update Software | T0866 | Exploitation of Remote Services | Update software regularly by employing patch management…
M0951 | Update Software | T0862 | Supply Chain Compromise | A patch management process should be implemented to che…
M0951 | Update Software | T0857 | System Firmware | Patch the BIOS and EFI as necessary.
M0951 | Update Software | T0864 | Transient Cyber Asset | Update software on control network assets when possible. If…
M0918 | User Account Management | T0811 | Data from Information Repositories | Ensure users and user groups have appropriate permissions f…
M0918 | User Account Management | T0822 | External Remote Services | Consider utilizing jump boxes for external remote access. Add…
M0918 | User Account Management | T0838 | Modify Alarm Settings | Limit privileges of user accounts and groups so that only desig…
M0918 | User Account Management | T0886 | Remote Services | Limit the accounts that may use remote services. Limit the pe…
M0918 | User Account Management | T0881 | Service Stop | Limit privileges of user accounts and groups so that only auth…
M0918 | User Account Management | T0859 | Valid Accounts | Ensure users and user groups have appropriate permissions f…
M0917 | User Training | T0811 | Data from Information Repositories | Develop and publish policies that define acceptable informati…
M0917 | User Training | T0865 | Spearphishing Attachment | Users can be trained to identify social engineering techniques…
M0917 | User Training | T0863 | User Execution | Use user training as a way to bring awareness to common ph…
M0916 | Vulnerability Scanning | T0819 | Exploit Public-Facing Application | Regularly scan externally facing systems for vulnerabilities an…
M0916 | Vulnerability Scanning | T0866 | Exploitation of Remote Services | Regularly scan the internal network for available services to id…
M0916 | Vulnerability Scanning | T0862 | Supply Chain Compromise | Implement continuous monitoring of vulnerability sources. A…
M0815 | Watchdog Timers | T0814 | Denial of Service | System and process restarts should be performed when a tim…
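The Software Process and Device Authentication (M0813) rows above repeat one requirement across Rogue Master, Spoof Reporting Message, Unauthorized Command Message and Adversary-in-the-Middle: devices should authenticate all messages between master and outstation, and connections from software and devices must be authenticated before they are acted on. The Python below is an added example, not MITRE's code, of the minimum such a scheme has to provide: a per-link, per-direction key, a tag that binds link id, sequence number and payload, constant-time tag comparison, and rejection of replays. The link id, key material and messages are constructed for the demonstration. Production protocols that do this are standardized (DNP3 Secure Authentication in IEEE 1815 is the usual example for master/outstation links); this sketch only illustrates the checks those mechanisms perform and is not a substitute for them.

```python
"""Authenticated master<->outstation messaging (M0813-style) with replay rejection.
Added example; keys, link id and messages are constructed."""
import hashlib
import hmac
import struct

TAG_LEN = 16   # 128-bit truncated HMAC-SHA256 tag
SEQ_LEN = 8    # 64-bit big-endian sequence number


def derive_key(link_key: bytes, label: bytes) -> bytes:
    """One key per direction, so a captured outstation report cannot be replayed
    to the outstation as if it were a master command."""
    return hmac.new(link_key, label, hashlib.sha256).digest()


class AuthenticatedChannel:
    """One direction of a link. The sender numbers and tags messages; the receiver
    verifies the tag first (constant time), then enforces strictly increasing seq."""

    def __init__(self, key: bytes, link_id: bytes):
        self.key = key
        self.link_id = link_id
        self.send_seq = 0
        self.last_accepted = 0

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The tag binds link id, sequence number and payload together.
        msg = self.link_id + struct.pack(">Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def wrap(self, payload: bytes) -> bytes:
        self.send_seq += 1
        return struct.pack(">Q", self.send_seq) + payload + self._tag(self.send_seq, payload)

    def unwrap(self, msg: bytes):
        """Return (payload, "ok") or (None, reason). State changes only on success."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None, "too short"
        seq = struct.unpack(">Q", msg[:SEQ_LEN])[0]
        payload, tag = msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            return None, "bad tag"          # unknown key (rogue master) or tampering
        if seq <= self.last_accepted:
            return None, "replay"           # valid tag, but already seen or reordered
        self.last_accepted = seq
        return payload, "ok"


def run_demo():
    """Five receptions at the outstation; returns their status strings."""
    link_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed 256-bit key
    link_id = b"RTU-07"
    m2o = derive_key(link_key, b"master->outstation")
    master = AuthenticatedChannel(m2o, link_id)
    outstation = AuthenticatedChannel(m2o, link_id)
    rogue = AuthenticatedChannel(derive_key(b"guessed", b"master->outstation"), link_id)

    cmd = master.wrap(b"WRITE coil 12 = ON")
    tampered = bytearray(cmd)
    tampered[-TAG_LEN - 1] ^= 0x01                    # flip one bit of the payload
    return [
        outstation.unwrap(cmd)[1],                                    # genuine command
        outstation.unwrap(rogue.wrap(b"WRITE coil 12 = OFF"))[1],     # T0848 Rogue Master
        outstation.unwrap(cmd)[1],                                    # replayed genuine command
        outstation.unwrap(bytes(tampered))[1],                        # modified in transit (T0830)
        outstation.unwrap(master.wrap(b"READ registers 0-9"))[1],     # next genuine message
    ]


if __name__ == "__main__":
    for status in run_demo():
        print(status)
```

Two ordering details matter. The tag is checked before the sequence number so that an unauthenticated sender can never advance the receiver's replay window, and the receiver's state is updated only after both checks pass. The scheme authenticates but does not encrypt, which matches what the M0813 rows ask for; confidentiality of the traffic is the separate Encrypt Network Traffic (M0808) mitigation, and a real deployment also needs key provisioning and rotation, which this example assumes have already happened out of band.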
reference | citation | url
A G Foord… | A G Foord… | https://www.icheme.org/media/9906/xviii-paper-23.pdf
Aditya K So… | Aditya K So… | https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/
Andy Green… | Andy Green… | https://www.wired.com/story/iran-hackers-us-phishing-tensions/
Anton Che… | Anton Cher… | https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-n
Anton Cher… | Anton Cher… | https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Bastille Ap… | Bastille 20… | https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack
Ben Hunter… | Ben Hunter… | https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems
Blake John… | Blake John… | https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-tri
Booz Allen… | Booz Allen… | https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-ligh
Brubaker-In… | Nathan Bru… | https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool
CISA June… | CISA 2013,… | https://us-cert.cisa.gov/ncas/alerts/TA13-175A
CISA March… | CISA 2010,… | https://us-cert.cisa.gov/ncas/tips/ST05-003
CISA-AA22… | DHS/CISA.… | https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
Carl Hurd… | Carl Hurd… | https://www.youtube.com/watch?v=yuZazP22rpI
Catalin Ci… | Catalin Ci… | https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nucle
Chris Bing… | Chris Bing… | https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/
Colin Gray… | Colin Gray… | https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_2018072
D. Parsons… | D. Parsons… | https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-hav
DHS Natio… | DHS Natio… | https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf
DHS CISA F… | DHS CISA 2… | https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%
Daavid Hen… | Daavid Hen… | https://www.f-secure.com/weblog/archives/00002718.html
Dan Goodi… | Dan Goodin… | https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-bro
Daniel Kap… | Daniel Kap… | https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disru
Davey Wind… | Davey Wind… | https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cy
David Vorea… | David Vorea… | https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-
Department… | Department… | https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident
Department… | Department… | https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth
Dragos | Dragos D… | https://dragos.com/resource/dymalloy/
Dragos De… | Dragos 201… | https://dragos.com/blog/trisis/TRISIS-01.pdf
Dragos Inc… | Dragos Inc.… | https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Dragos Oct… | Dragos 201… | https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
Dragos Thr… | Dragos Thre… | https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf
Dragos Thr… | Dragos Thr… | https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
Dragos-Pi… | DRAGOS. (2… | https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en
Dwight And… | Dwight Ande… | https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelistin
ESET | ESET ACA… | https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_white
ESET Indus… | Anton Cher… | https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
ESET Resea… | ESET Resear… | https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
Eduard Kov… | Eduard Kov… | https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos
Eduard Kov… | Eduard Kov… | https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-midd
Electricity… | Electricity… | https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f006
Emerson E… | Emerson Ex… | https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-compu
FireEye TR… | Blake Johns… | https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-tri
Gardiner, J… | Gardiner,… | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Hydro | Hydro Kevi… | https://www.hydro.com/en/media/on-the-agenda/cyber-attack/
ICS CERT S… | ICS CERT 2… | https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B
ICS-CERT A… | ICS-CERT 2… | https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01
ICS-CERT… | ICS-CERT 2… | https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B
ICS-CERT… | ICS-CERT 20… | https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02
ICS-CERT F… | ICS-CERT 20… | https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
ICS-CERT O… | ICS-CERT 20… | https://www.us-cert.gov/ncas/alerts/TA17-293A
IEC Februa… | IEC 2019, F… | https://webstore.iec.ch/publication/34421
Intel | Intel ESET… | https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologie
Jacqueline… | Jacqueline… | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.ht
Jeff Jones… | Jeff Jones… | https://www.eisac.com/public-news-detail?id=115909
Joe Slowik… | Joe Slowik… | https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
Joe Slowik… | Joe Slowik… | https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf
John Hultq… | John Hultq… | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
Jos Wetzel… | Jos Wetzel… | https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware
Josh Rinald… | Josh Rinald… | https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/
Julian Rrus… | Julian Rrus… | https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf
Junnosuke… | Junnosuke… | https://www.symantec.com/security-center/writeup/2017-030708-4403-99
Karen Scar… | Karen Scarf… | https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf
Keith Stou… | Keith Stouf… | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Kelly Jacks… | Kelly Jack… | https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastati
Kevin Bea… | Kevin Beau… | https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aim
Kevin Sava… | Kevin Sava… | https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/20
Kyle Wilhoi… | Kyle Wilho… | https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939
Langner N… | Langner 20… | https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/
M. Rentsch… | M. Rentschl… | https://ieeexplore.ieee.org/document/6505877
MDudek-IC… | MDudek-ICS… | https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library
MITRE Jun… | MITRE 2020… | https://cwe.mitre.org/data/definitions/227.html
Marc-Etien… | Marc-Etien… | https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
Max Heine… | Max Heinem… | https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/
McAfee Lab… | McAfee Lab… | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-rans
McCarthy, J… | McCarthy, J… | https://doi.org/10.6028/NIST.SP.1800-2
Microsoft… | Microsoft… | https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/impleme
Microsoft… | Microsoft 2… | https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilege
Microsoft… | Microsoft 2… | https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive
Microsoft… | Microsoft… | https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
N/A | N/A Depart… | https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf
National In… | National In… | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
National S National S https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/po
Nicolas FalNicolas Fal https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
North AmerNorth Amerhttps://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf
Novetta ThNovetta Thhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.p
OWASP OWASP Tohttps://owasp.org/www-project-top-ten/
Orkhan Mam Orkhan Mam https://securelist.com/bad-rabbit-ransomware/82851/
Pinellas CoPinellas Cohttps://www.youtube.com/watch?v=MkXDSOgLQ6M
Ralph Lan Ralph Langn https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
Robert A. Robert A. https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-com
Robert Fal Robert Fal https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-delive
Schneider ESchneider Ehttps://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2
SchweitzerSchweitzerhttps://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?
SecureWorSecureWork https://www.secureworks.com/research/revil-sodinokibi-ransomware
Selena Lar Selena Lar https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Envir
SpennebergSpenneberg, https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Sole
Symantec Symantec https://docs.broadcom.com/doc/w32-duqu-11-en
Symantec JSymantec 2https://support.symantec.com/us/en/article.tech93179.html
Symantec Symantec 20 https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
Symantec SSymantec Shttps://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20a
The Office The Office https://www.nrc.gov/docs/ML1209/ML120900890.pdf
Tom Fakte Tom Fakterhttps://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
UNITED STUNITED STA https://www.justice.gov/opa/press-release/file/1328521/download
Wikipedia Wikipedia https://en.wikipedia.org/wiki/Control-flow_integrity
William La William Larhttps://blog.talosintelligence.com/2018/06/vpnfilter-update.html
Wylie-22 Jimmy Wylie https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%2
Zetter, Ki Zetter, Ki https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
Bonnie ZhuBonnie Zhuhttp://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
Electricity Electricity https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f006
Enterprise Enterprise https://attack.mitre.org/techniques/T1489/
Marshall AMarshall A https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.
IEC FebruaIEC 2013, https://webstore.iec.ch/publication/4552
Bastille Ap Bastille 20 https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack
Candell, R.Candell, R. https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf
Gallagher, Gallagher, https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof
Corero Corero In https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
Michael J. Michael J. https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
Tyson MacTyson Macau https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulati
Bruce SchnBruce Schnhttps://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html
John Bill John Bill https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
Shelley SmShelley Smihttps://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
Common We Common Wea http://cwe.mitre.org/data/definitions/400.html
ICS-CERT AICS-CERT 20https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A
ICS-CERT AICS-CERT 20https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
MITRE MarMITRE 2018 https://nvd.nist.gov/vuln/detail/CVE-2015-5374
Enterprise Enterprise https://attack.mitre.org/wiki/Technique/T1059
Dennis L. Dennis L. https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database
Booz Allen Booz Allen https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-ligh
Daavid HenDaavid Henhttps://www.f-secure.com/weblog/archives/00002718.html
CISA AA21-Department https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Ca
Alexander Alexander https://www.slideshare.net/dgpeters/17-bolshev-1-13
Alexander Alexander https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-T
Machine InMachine Inhttp://www.machine-information-systems.com/How_PLCs_Work.html
N.A. OctobN.A. 2017, https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489
Omron Omron Mach https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20m
PLCgurus 2PLCgurus 2https://www.plcgurus.net/plc-basics/
Jos WetzelsJos Wetzelshttps://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf
CybersecurCybersecurihttps://us-cert.cisa.gov/ncas/alerts/TA18-074A
North AmeriNorth Ameri https://www.nerc.com/files/glossary_of_terms.pdf
Dr. Kelvin Dr. Kelvin https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable
NanjundaiaNanjundaiahttps://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm
Benjamin FBenjamin Frhttps://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/
Zack WhittZack Whittahttps://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/
SpennebergSpenneberghttps://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Sole
Control Gl Control Gl https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-tra
Colonial P Colonial P https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption
Lion CorpoLion Corporhttps://lionco.com/2020/06/26/lion-update-re-cyber-issue/
Paganini, PPaganini, Phttps://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html
Enterprise Enterprise https://attack.mitre.org/techniques/T1193/
BSI State oBundesamthttps://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situ
f
Joe Slowik Joe Slowik https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
Keith Stou Keith Stoufhttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Daniel OaklDaniel Oaklhttps://attack.mitre.org/wiki/Technique/T1133
Gabriel Sa Gabriel Sa https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated
Nicolas FalNicolas Fal https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
The MITREThe MITREhttps://attack.mitre.org/techniques/T1106/
Mark ThomMark Thomp https://time.com/4270728/iran-cyber-attack-dam-fbi/
Danny YadDanny Yadrhttps://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
Basnight, ZBasnight, Zhttp://www.sciencedirect.com/science/article/pii/S1874548213000231
BBC April BBC 2016, https://www.bbc.com/news/technology-36158606
Catalin Ci Catalin Ci https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nucle
Christoph SChristoph Shttps://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-
Dark ReadinDark Readihttps://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/13
ESET April ESET 2016,https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/
KernkraftwKernkraftwhttps://www.kkw-gundremmingen.de/presse.php?id=571
Lee Mathew Lee Mathews https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415
Peter DockrPeter Dockrhttps://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear
Sean GallagSean Galla https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swar
Trend MicrTrend Micrhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nu
ICS-CERT OICS-CERT 20https://www.us-cert.gov/ncas/alerts/TA17-293A
The MITREThe MITREhttps://attack.mitre.org/techniques/T1068/
C
Blake JohnBlake John https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-tri
Dragos De Dragos 201https://dragos.com/blog/trisis/TRISIS-01.pdf
Mark LovelMark Lovelhttps://duo.com/decipher/the-dallas-county-siren-hack
Beckhoff Beckhoff https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785
PLCdev PLCdev Nichttp://www.plcdev.com/book/export/html/373
MITRE MITRE Sy https://attack.mitre.org/wiki/Technique/T1049
Netstat Wikipedia. https://en.wikipedia.org/wiki/Netstat
Daniel PeckDaniel Peckhttps://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_fie
NCCIC JanuNCCIC 2014, https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf
Stephen HilStephen Hihttps://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-facto