ATT&CK Changes Between v11.1 and v11.2

Key

New objects: ATT&CK objects which are only present in the new release.
Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
Object revocations: ATT&CK objects which are revoked by a different object.
Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
Object deletions: ATT&CK objects which are no longer found in the STIX data.

Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine readble output used to create this page: changelog.json

Techniques

enterprise-attack

Patches

[T1098.001] Account Manipulation: Additional Cloud Credentials

Current version: 2.3

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 14:53:37.293000+00:00	2022-05-19 14:16:53.885000+00:00
x_mitre_data_sources[0]	Active Directory: Active Directory Object Modification	User Account: User Account Modification
x_mitre_data_sources[1]	User Account: User Account Modification	Active Directory: Active Directory Object Modification

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Zur Ulianitzky, XM Cyber

[T1098.003] Account Manipulation: Additional Cloud Roles

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 12:41:16.167000+00:00	2022-05-20 17:29:25.547000+00:00
external_references[4]['url']	https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html	https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 1.3

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 16:25:42.900000+00:00	2022-05-20 17:40:20.069000+00:00
external_references[5]['url']	https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials	https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
x_mitre_data_sources[0]	Web Credential: Web Credential Usage	Application Log: Application Log Content
x_mitre_data_sources[1]	Application Log: Application Log Content	Web Credential: Web Credential Usage

[T1005] Data from Local System

Current version: 1.4

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 18:14:57.035000+00:00	2022-05-20 17:34:15.405000+00:00
external_references[1]['url']	https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits	https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

iterable_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		Process: Process Creation
x_mitre_data_sources		Script: Script Execution

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_data_sources	Script: Script Execution
x_mitre_data_sources	Process: Process Creation

[T1562.010] Impair Defenses: Downgrade Attack

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 17:20:26.830000+00:00	2022-05-19 16:28:31.041000+00:00
x_mitre_data_sources[1]	Process: Process Metadata	Process: Process Creation
x_mitre_data_sources[2]	Process: Process Creation	Process: Process Metadata

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_contributors	Krishnan Subramanian, @krish203
x_mitre_contributors	Vinay Pidathala

[T1027.006] Obfuscated Files or Information: HTML Smuggling

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-05-04 15:06:14.630000+00:00	2022-05-19 16:29:47.637000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Krishnan Subramanian, @krish203
x_mitre_contributors		Vinay Pidathala

[T1105] Ingress Tool Transfer

Current version: 2.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 17:14:04.124000+00:00	2022-05-20 17:38:35.985000+00:00
external_references[2]['url']	https://lolbas-project.github.io/#t1105	https://lolbas-project.github.io/#t1105
x_mitre_data_sources[1]	Network Traffic: Network Traffic Content	Network Traffic: Network Connection Creation
x_mitre_data_sources[3]	Network Traffic: Network Connection Creation	Network Traffic: Network Traffic Content

[T1003.001] OS Credential Dumping: LSASS Memory

Current version: 1.1

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['Administrator', 'SYSTEM']

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 19:55:01.368000+00:00	2022-05-12 21:38:58.866000+00:00
external_references[1]['source_name']	Volexity Exchange Marauder March 2021	Medium Detecting Attempts to Steal Passwords from Memory
external_references[1]['description']	Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.	French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
external_references[1]['url']	https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/	https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
external_references[2]['source_name']	Symantec Attacks Against Government Sector	Graeber 2014
external_references[2]['description']	Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.	Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
external_references[2]['url']	https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf	http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
external_references[3]['source_name']	Graeber 2014	Volexity Exchange Marauder March 2021
external_references[3]['description']	Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.	Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
external_references[3]['url']	http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html	https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
external_references[4]['source_name']	TechNet Blogs Credential Protection	Powersploit
external_references[4]['description']	Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.	PowerSploit. (n.d.). Retrieved December 4, 2014.
external_references[4]['url']	https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/	https://github.com/mattifestation/PowerSploit
external_references[5]['source_name']	Medium Detecting Attempts to Steal Passwords from Memory	Symantec Attacks Against Government Sector
external_references[5]['description']	French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.	Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.
external_references[5]['url']	https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea	https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf
external_references[6]['source_name']	Powersploit	TechNet Blogs Credential Protection
external_references[6]['description']	PowerSploit. (n.d.). Retrieved December 4, 2014.	Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.
external_references[6]['url']	https://github.com/mattifestation/PowerSploit	https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/
x_mitre_data_sources[2]	Process: Process Access	Process: OS API Execution
x_mitre_data_sources[3]	Process: OS API Execution	Process: Process Access

[T1218.014] System Binary Proxy Execution: MMC

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User', 'Administrator']

values_changed
STIX Field	Old value	New Value
modified	2022-03-11 19:04:18.732000+00:00	2022-05-20 17:41:16.112000+00:00
external_references[1]['source_name']	win_mmc	abusing_com_reg
external_references[1]['description']	Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.	bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.
external_references[1]['url']	https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc	https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
external_references[2]['source_name']	what_is_mmc	mmc_vulns
external_references[2]['description']	Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021.	Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.
external_references[2]['url']	https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console	https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/
external_references[4]['source_name']	win_wbadmin_delete_catalog	win_mmc
external_references[4]['description']	Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.	Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.
external_references[4]['url']	https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog	https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc
external_references[5]['source_name']	phobos_virustotal	win_wbadmin_delete_catalog
external_references[5]['description']	Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.	Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.
external_references[5]['url']	https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection	https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog
external_references[7]['source_name']	mmc_vulns	what_is_mmc
external_references[7]['description']	Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.	Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021.
external_references[7]['url']	https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/	https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console
external_references[8]['source_name']	abusing_com_reg	phobos_virustotal
external_references[8]['description']	bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.	Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.
external_references[8]['url']	https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/	https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection

iterable_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		File: File Creation

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_data_sources	File: File Creation

[T1204.002] User Execution: Malicious File

Current version: 1.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_remote_support		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2022-01-05 21:02:22.796000+00:00	2022-05-20 17:19:50.801000+00:00
external_references[1]['url']	https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/	https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/

[T1040] Network Sniffing

Current version: 1.3

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 15:22:53.877000+00:00	2022-05-20 17:32:27.146000+00:00
external_references[2]['url']	https://cloud.google.com/vpc/docs/packet-mirroring	https://cloud.google.com/vpc/docs/packet-mirroring
external_references[3]['url']	https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512	https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512
external_references[5]['url']	https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/	https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/
x_mitre_data_sources[0]	Process: Process Creation	Command: Command Execution
x_mitre_data_sources[1]	Command: Command Execution	Process: Process Creation

[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Current version: 1.1

	Old Description			New Description
t	1	Adversaries may achieve persistence by adding a program to a	t	1	Adversaries may achieve persistence by adding a program to a
	>	startup folder or referencing it with a Registry run key. A		>	startup folder or referencing it with a Registry run key. A
	>	dding an entry to the "run keys" in the Registry or startup		>	dding an entry to the "run keys" in the Registry or startup
	>	folder will cause the program referenced to be executed when		>	folder will cause the program referenced to be executed when
	>	a user logs in.(Citation: Microsoft Run Key) These programs		>	a user logs in.(Citation: Microsoft Run Key) These programs
	>	will be executed under the context of the user and will hav		>	will be executed under the context of the user and will hav
	>	e the account's associated permissions level. Placing a pro		>	e the account's associated permissions level. Placing a pro
	>	gram within a startup folder will also cause that program to		>	gram within a startup folder will also cause that program to
	>	execute when a user logs in. There is a startup folder loca		>	execute when a user logs in. There is a startup folder loca
	>	tion for individual user accounts as well as a system-wide s		>	tion for individual user accounts as well as a system-wide s
	>	tartup folder that will be checked regardless of which user		>	tartup folder that will be checked regardless of which user
	>	account logs in. The startup folder path for the current use		>	account logs in. The startup folder path for the current use
	>	r is <code>C:\Users\\[Username]\AppData\Roaming\Microsoft\Wi		>	r is <code>C:\Users\\[Username]\AppData\Roaming\Microsoft\Wi
	>	ndows\Start Menu\Programs\Startup</code>. The startup folder		>	ndows\Start Menu\Programs\Startup</code>. The startup folder
	>	path for all users is <code>C:\ProgramData\Microsoft\Window		>	path for all users is <code>C:\ProgramData\Microsoft\Window
	>	s\Start Menu\Programs\StartUp</code>. The following run key		>	s\Start Menu\Programs\StartUp</code>. The following run key
	>	s are created by default on Windows systems: * <code>HKEY_C		>	s are created by default on Windows systems: * <code>HKEY_C
	>	URRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</c		>	URRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</c
	>	ode> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu		>	ode> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu
	>	rrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Softw		>	rrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Softw
	>	are\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY		>	are\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY
	>	_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run		>	_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
	>	Once</code> Run keys may exist under multiple hives.(Citati		>	Once</code> Run keys may exist under multiple hives.(Citati
	>	on: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow64		>	on: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow64
	>	32Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft		>	32Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft
	>	\Windows\CurrentVersion\RunOnceEx</code> is also available b		>	\Windows\CurrentVersion\RunOnceEx</code> is also available b
	>	ut is not created by default on Windows Vista and newer. Reg		>	ut is not created by default on Windows Vista and newer. Reg
	>	istry run key entries can reference programs directly or lis		>	istry run key entries can reference programs directly or lis
	>	t them as a dependency.(Citation: Microsoft RunOnceEx APR 20		>	t them as a dependency.(Citation: Microsoft Run Key) For exa
	>	18) For example, it is possible to load a DLL at logon using		>	mple, it is possible to load a DLL at logon using a "Depend"
	>	a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\		>	key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\W
	>	Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1		>	indows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp
	>	/d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnce		>	\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018
	>	Ex Mar 2018) The following Registry keys can be used to set		>	) The following Registry keys can be used to set startup fo
	>	startup folder items for persistence: * <code>HKEY_CURRENT		>	lder items for persistence: * <code>HKEY_CURRENT_USER\Softw
	>	_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Use		>	are\Microsoft\Windows\CurrentVersion\Explorer\User Shell Fol
	>	r Shell Folders</code> * <code>HKEY_CURRENT_USER\Software\Mi		>	ders</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Win
	>	crosoft\Windows\CurrentVersion\Explorer\Shell Folders</code>		>	dows\CurrentVersion\Explorer\Shell Folders</code> * <code>HK
	>	* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre		>	EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\E
	>	ntVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_M		>	xplorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFT
	>	ACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Us		>	WARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Fo
	>	er Shell Folders</code> The following Registry keys can con		>	lders</code> The following Registry keys can control automa
	>	trol automatic startup of services during boot: * <code>HKE		>	tic startup of services during boot: * <code>HKEY_LOCAL_MAC
	>	Y_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru		>	HINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOn
	>	nServicesOnce</code> * <code>HKEY_CURRENT_USER\Software\Micr		>	ce</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windo
	>	osoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>		>	ws\CurrentVersion\RunServicesOnce</code> * <code>HKEY_LOCAL_
	>	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion		>	MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService
	>	\RunServices</code> * <code>HKEY_CURRENT_USER\Software\Micro		>	s</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Window
	>	soft\Windows\CurrentVersion\RunServices</code> Using policy		>	s\CurrentVersion\RunServices</code> Using policy settings t
	>	settings to specify startup programs creates corresponding		>	o specify startup programs creates corresponding values in e
	>	values in either of two Registry keys: * <code>HKEY_LOCAL_M		>	ither of two Registry keys: * <code>HKEY_LOCAL_MACHINE\Soft
	>	ACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ex		>	ware\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run<
	>	plorer\Run</code> * <code>HKEY_CURRENT_USER\Software\Microso		>	/code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\
	>	ft\Windows\CurrentVersion\Policies\Explorer\Run</code> The		>	CurrentVersion\Policies\Explorer\Run</code> The Winlogon ke
	>	Winlogon key controls actions that occur when a user logs on		>	y controls actions that occur when a user logs on to a compu
	>	to a computer running Windows 7. Most of these actions are		>	ter running Windows 7. Most of these actions are under the c
	>	under the control of the operating system, but you can also		>	ontrol of the operating system, but you can also add custom
	>	add custom actions here. The <code>HKEY_LOCAL_MACHINE\Softwa		>	actions here. The <code>HKEY_LOCAL_MACHINE\Software\Microsof
	>	re\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</co		>	t\Windows NT\CurrentVersion\Winlogon\Userinit</code> and <co
	>	de> and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows		>	de>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentV
	>	NT\CurrentVersion\Winlogon\Shell</code> subkeys can automati		>	ersion\Winlogon\Shell</code> subkeys can automatically launc
	>	cally launch programs. Programs listed in the load value of		>	h programs. Programs listed in the load value of the regist
	>	the registry key <code>HKEY_CURRENT_USER\Software\Microsoft		>	ry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT
	>	\Windows NT\CurrentVersion\Windows</code> run when any user		>	\CurrentVersion\Windows</code> run when any user logs on. B
	>	logs on. By default, the multistring <code>BootExecute</cod		>	y default, the multistring <code>BootExecute</code> value of
	>	e> value of the registry key <code>HKEY_LOCAL_MACHINE\System		>	the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentCon
	>	\CurrentControlSet\Control\Session Manager</code> is set to		>	trolSet\Control\Session Manager</code> is set to <code>autoc
	>	<code>autocheck autochk *</code>. This value causes Windows,		>	heck autochk *</code>. This value causes Windows, at startup
	>	at startup, to check the file-system integrity of the hard		>	, to check the file-system integrity of the hard disks if th
	>	disks if the system has been shut down abnormally. Adversari		>	e system has been shut down abnormally. Adversaries can add
	>	es can add other programs or processes to this registry valu		>	other programs or processes to this registry value which wil
	>	e which will automatically launch at boot. Adversaries can		>	l automatically launch at boot. Adversaries can use these c
	>	use these configuration locations to execute malware, such a		>	onfiguration locations to execute malware, such as remote ac
	>	s remote access tools, to maintain persistence through syste		>	cess tools, to maintain persistence through system reboots.
	>	m reboots. Adversaries may also use [Masquerading](https://a		>	Adversaries may also use [Masquerading](https://attack.mitre
	>	ttack.mitre.org/techniques/T1036) to make the Registry entri		>	.org/techniques/T1036) to make the Registry entries look as
	>	es look as if they are associated with legitimate programs.		>	if they are associated with legitimate programs.

Details

dictionary_item_added
STIX Field	Old value	New Value
external_references		CAPEC-270

dictionary_item_removed
STIX Field	Old value	New Value
external_references	Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 16:28:54.088000+00:00	2022-05-12 21:44:30.466000+00:00
description	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is `C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`. The startup folder path for all users is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`. The following run keys are created by default on Windows systems: * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce` Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx` is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"` (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` The following Registry keys can control automatic startup of services during boot: * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce` * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices` Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` and `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` subkeys can automatically launch programs. Programs listed in the load value of the registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows` run when any user logs on. By default, the multistring `BootExecute` value of the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` is set to `autocheck autochk *`. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is `C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`. The startup folder path for all users is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`. The following run keys are created by default on Windows systems: * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce` Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx` is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"` (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` The following Registry keys can control automatic startup of services during boot: * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce` * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices` Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` and `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` subkeys can automatically launch programs. Programs listed in the load value of the registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows` run when any user logs on. By default, the multistring `BootExecute` value of the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` is set to `autocheck autochk *`. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
external_references[2]['source_name']	Microsoft RunOnceEx APR 2018	Microsoft Wow6432Node 2018
external_references[2]['description']	Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.	Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.
external_references[2]['url']	https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key	https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
external_references[3]['source_name']	Microsoft Wow6432Node 2018	Microsoft Run Key
external_references[3]['description']	Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.	Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.
external_references[3]['url']	https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry	http://msdn.microsoft.com/en-us/library/aa376977
external_references[4]['source_name']	Microsoft Run Key	Oddvar Moe RunOnceEx Mar 2018
external_references[4]['description']	Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.	Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.
external_references[4]['url']	http://msdn.microsoft.com/en-us/library/aa376977	https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
external_references[5]['source_name']	Oddvar Moe RunOnceEx Mar 2018	TechNet Autoruns
external_references[5]['description']	Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.	Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
external_references[5]['url']	https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/	https://technet.microsoft.com/en-us/sysinternals/bb963902
external_references[6]['source_name']	TechNet Autoruns	capec
external_references[6]['url']	https://technet.microsoft.com/en-us/sysinternals/bb963902	https://capec.mitre.org/data/definitions/270.html

iterable_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		Process: Process Creation
x_mitre_data_sources		Command: Command Execution

iterable_item_removed
STIX Field	Old value	New Value
external_references	{'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/270.html', 'external_id': 'CAPEC-270'}
x_mitre_data_sources	Process: Process Creation
x_mitre_data_sources	Command: Command Execution

[T1016] System Network Configuration Discovery

Current version: 1.4

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 18:14:02.739000+00:00	2022-05-20 17:34:15.406000+00:00
external_references[1]['url']	https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits	https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
x_mitre_data_sources[2]	Process: OS API Execution	Process: Process Creation

iterable_item_added
STIX Field	Old value	New Value
x_mitre_data_sources		Process: OS API Execution

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_data_sources	Process: Process Creation

[T1218.012] System Binary Proxy Execution: Verclsid

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2022-03-11 20:44:27.809000+00:00	2022-05-20 17:35:28.221000+00:00
external_references[1]['source_name']	WinOSBite verclsid.exe	BOHOPS Abusing the COM Registry
external_references[1]['description']	verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved August 10, 2020.	BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.
external_references[1]['url']	https://www.winosbite.com/verclsid-exe/	https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
external_references[2]['source_name']	LOLBAS Verclsid	Red Canary Verclsid.exe
external_references[2]['description']	LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.	Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.
external_references[2]['url']	https://lolbas-project.github.io/lolbas/Binaries/Verclsid/	https://redcanary.com/blog/verclsid-exe-threat-detection/
external_references[3]['source_name']	Red Canary Verclsid.exe	LOLBAS Verclsid
external_references[3]['description']	Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.	LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.
external_references[3]['url']	https://redcanary.com/blog/verclsid-exe-threat-detection/	https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
external_references[4]['source_name']	BOHOPS Abusing the COM Registry	Nick Tyrer GitHub
external_references[4]['description']	BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.	Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.
external_references[4]['url']	https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/	https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
external_references[5]['source_name']	Nick Tyrer GitHub	WinOSBite verclsid.exe
external_references[5]['description']	Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.	verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved August 10, 2020.
external_references[5]['url']	https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5	https://www.winosbite.com/verclsid-exe/
x_mitre_data_sources[0]	Process: Process Creation	Command: Command Execution
x_mitre_data_sources[1]	Command: Command Execution	Process: Process Creation

[T1555.004] Credentials from Password Stores: Windows Credential Manager

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_permissions_required	['User']

values_changed
STIX Field	Old value	New Value
modified	2021-04-29 21:00:18.973000+00:00	2022-05-20 17:36:17.296000+00:00
external_references[1]['source_name']	Microsoft Credential Manager store	Malwarebytes The Windows Vault
external_references[1]['description']	Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.	Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020.
external_references[1]['url']	https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store	https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
external_references[2]['source_name']	Microsoft Credential Locker	Delpy Mimikatz Crendential Manager
external_references[2]['description']	Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020.	Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020.
external_references[2]['url']	https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN	https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
external_references[3]['source_name']	passcape Windows Vault	Microsoft Credential Locker
external_references[3]['description']	Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020.	Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020.
external_references[3]['url']	https://www.passcape.com/windows_password_recovery_vault_explorer	https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN
external_references[4]['source_name']	Malwarebytes The Windows Vault	Microsoft Credential Manager store
external_references[4]['description']	Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020.	Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.
external_references[4]['url']	https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/	https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store
external_references[6]['source_name']	Delpy Mimikatz Crendential Manager	passcape Windows Vault
external_references[6]['description']	Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020.	Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020.
external_references[6]['url']	https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials	https://www.passcape.com/windows_password_recovery_vault_explorer
x_mitre_data_sources[0]	Process: OS API Execution	Command: Command Execution
x_mitre_data_sources[3]	Command: Command Execution	Process: OS API Execution

[T1543.003] Create or Modify System Process: Windows Service

Current version: 1.2

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 14:38:44.247000+00:00	2022-05-20 16:22:32.605000+00:00
external_references[5]['url']	https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf	https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
x_mitre_data_sources[0]	Windows Registry: Windows Registry Key Creation	Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[1]	Process: Process Creation	Driver: Driver Load
x_mitre_data_sources[2]	Service: Service Modification	Service: Service Creation
x_mitre_data_sources[3]	Windows Registry: Windows Registry Key Modification	Windows Registry: Windows Registry Key Creation
x_mitre_data_sources[4]	Driver: Driver Load	Service: Service Modification
x_mitre_data_sources[7]	Service: Service Creation	Process: Process Creation

ics-attack

Patches

[T0858] Change Operating Mode

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may change the operating mode of a controller to	t	1	Adversaries may change the operating mode of a controller to
	>	gain additional access to engineering functions such as Pro		>	gain additional access to engineering functions such as Pro
	>	gram Download. Programmable controllers typically have sev		>	gram Download. Programmable controllers typically have sev
	>	eral modes of operation that control the state of the user p		>	eral modes of operation that control the state of the user p
	>	rogram and control access to the controllers API. Operating		>	rogram and control access to the controllers API. Operating
	>	modes can be physically selected using a key switch on the f		>	modes can be physically selected using a key switch on the f
	>	ace of the controller but may also be selected with calls to		>	ace of the controller but may also be selected with calls to
	>	the controllers API. Operating modes and the mechanisms by		>	the controllers API. Operating modes and the mechanisms by
	>	which they are selected often vary by vendor and product lin		>	which they are selected often vary by vendor and product lin
	>	e. Some commonly implemented operating modes are described b		>	e. Some commonly implemented operating modes are described b
	>	elow: *Program - This mode must be enabled before changes c		>	elow: * Program - This mode must be enabled before change
	>	an be made to a devices program. This allows program uploads		>	s can be made to a devices program. This allows program uplo
	>	and downloads between the device and an engineering worksta		>	ads and downloads between the device and an engineering work
	>	tion. Often the PLCs logic Is halted, and all outputs may be		>	station. Often the PLCs logic Is halted, and all outputs may
	>	forced off. (Citation: N.A. October 2017) *Run - Execution		>	be forced off. (Citation: N.A. October 2017) * Run - Exec
	>	of the devices program occurs in this mode. Input and outpu		>	ution of the devices program occurs in this mode. Input and
	>	t (values, points, tags, elements, etc.) are monitored and u		>	output (values, points, tags, elements, etc.) are monitored
	>	sed according to the programs logic. [Program Upload](https:		>	and used according to the programs logic. [Program Upload](h
	>	//attack.mitre.org/techniques/T0845) and [Program Download](		>	ttps://attack.mitre.org/techniques/T0845) and [Program Downl
	>	https://attack.mitre.org/techniques/T0843) are disabled whil		>	oad](https://attack.mitre.org/techniques/T0843) are disabled
	>	e in this mode. (Citation: Omron) (Citation: Machine Informa		>	while in this mode. (Citation: Omron) (Citation: Machine In
	>	tion Systems 2007) (Citation: N.A. October 2017) (Citation:		>	formation Systems 2007) (Citation: N.A. October 2017) (Cita
	>	PLCgurus 2021) *Remote - Allows for remote changes to a P		>	tion: PLCgurus 2021) * Remote - Allows for remote changes
	>	LCs operation mode. (Citation: PLCgurus 2021) *Stop - The		>	to a PLCs operation mode. (Citation: PLCgurus 2021) * S
	>	PLC and program is stopped, while in this mode, outputs are		>	top - The PLC and program is stopped, while in this mode, ou
	>	forced off. (Citation: Machine Information Systems 2007)		>	tputs are forced off. (Citation: Machine Information Systems
	>	*Reset - Conditions on the PLC are reset to their original s		>	2007) * Reset - Conditions on the PLC are reset to their
	>	tates. Warm resets may retain some memory while cold resets		>	original states. Warm resets may retain some memory while c
	>	will reset all I/O and data registers. (Citation: Machine In		>	old resets will reset all I/O and data registers. (Citation:
	>	formation Systems 2007) *Test / Monitor mode - Similar to		>	Machine Information Systems 2007) * Test / Monitor mode
	>	run mode, I/O is processed, although this mode allows for mo		>	- Similar to run mode, I/O is processed, although this mode
	>	nitoring, force set, resets, and more generally tuning or de		>	allows for monitoring, force set, resets, and more generally
	>	bugging of the system. Often monitor mode may be used as a t		>	tuning or debugging of the system. Often monitor mode may b
	>	rial for initialization. (Citation: Omron)		>	e used as a trial for initialization. (Citation: Omron)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.897000+00:00	2022-05-24 11:42:52.057000+00:00
description	Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)	Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: * Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) * Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) * Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) * Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) * Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) * Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack
external_references[1]['source_name']	N.A. October 2017	Machine Information Systems 2007
external_references[1]['description']	N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28	Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28
external_references[1]['url']	https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489	http://www.machine-information-systems.com/How_PLCs_Work.html
external_references[2]['source_name']	Omron	N.A. October 2017
external_references[2]['description']	Omron N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28	N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28
external_references[2]['url']	https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.	https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489
external_references[3]['source_name']	Machine Information Systems 2007	Omron
external_references[3]['description']	Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28	Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28
external_references[3]['url']	http://www.machine-information-systems.com/How_PLCs_Work.html	https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.
external_references[4]['source_name']	N.A. October 2017	PLCgurus 2021
external_references[4]['description']	N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28	PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28
external_references[4]['url']	https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489	https://www.plcgurus.net/plc-basics/

iterable_item_removed
STIX Field	Old value	New Value
external_references	{'source_name': 'PLCgurus 2021', 'description': 'PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ', 'url': 'https://www.plcgurus.net/plc-basics/'}
external_references	{'source_name': 'PLCgurus 2021', 'description': 'PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ', 'url': 'https://www.plcgurus.net/plc-basics/'}
external_references	{'source_name': 'Machine Information Systems 2007', 'description': 'Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ', 'url': 'http://www.machine-information-systems.com/How_PLCs_Work.html'}
external_references	{'source_name': 'Machine Information Systems 2007', 'description': 'Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ', 'url': 'http://www.machine-information-systems.com/How_PLCs_Work.html'}
external_references	{'source_name': 'Omron', 'description': 'Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ', 'url': 'https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.'}

[T0885] Commonly Used Port

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may communicate over a commonly used port to byp	t	1	Adversaries may communicate over a commonly used port to byp
	>	ass firewalls or network detection systems and to blend in w		>	ass firewalls or network detection systems and to blend in w
	>	ith normal network activity, to avoid more detailed inspecti		>	ith normal network activity, to avoid more detailed inspecti
	>	on. They may use the protocol associated with the port, or a		>	on. They may use the protocol associated with the port, or a
	>	completely different protocol. They may use commonly open p		>	completely different protocol. They may use commonly open p
	>	orts, such as the examples provided below. * TCP:80 (HTTP) *		>	orts, such as the examples provided below. * TCP:80 (HTT
	>	TCP:443 (HTTPS) * TCP/UDP:53 (DNS) * TCP:1024-4999 (OPC on		>	P) * TCP:443 (HTTPS) * TCP/UDP:53 (DNS) * TCP:1024-499
	>	XP/Win2k3) * TCP:49152-65535 (OPC on Vista and later) * TCP:		>	9 (OPC on XP/Win2k3) * TCP:49152-65535 (OPC on Vista and l
	>	23 (TELNET) * UDP:161 (SNMP) * TCP:502 (MODBUS) * TCP:102 (S		>	ater) * TCP:23 (TELNET) * UDP:161 (SNMP) * TCP:502 (MO
	>	7comm/ISO-TSAP) * TCP:20000 (DNP3) * TCP:44818 (Ethernet/IP)		>	DBUS) * TCP:102 (S7comm/ISO-TSAP) * TCP:20000 (DNP3) *
				>	TCP:44818 (Ethernet/IP)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.898000+00:00	2022-05-24 14:31:04.264000+00:00
description	Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. * TCP:80 (HTTP) * TCP:443 (HTTPS) * TCP/UDP:53 (DNS) * TCP:1024-4999 (OPC on XP/Win2k3) * TCP:49152-65535 (OPC on Vista and later) * TCP:23 (TELNET) * UDP:161 (SNMP) * TCP:502 (MODBUS) * TCP:102 (S7comm/ISO-TSAP) * TCP:20000 (DNP3) * TCP:44818 (Ethernet/IP)	Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. * TCP:80 (HTTP) * TCP:443 (HTTPS) * TCP/UDP:53 (DNS) * TCP:1024-4999 (OPC on XP/Win2k3) * TCP:49152-65535 (OPC on Vista and later) * TCP:23 (TELNET) * UDP:161 (SNMP) * TCP:502 (MODBUS) * TCP:102 (S7comm/ISO-TSAP) * TCP:20000 (DNP3) * TCP:44818 (Ethernet/IP)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

[T0879] Damage to Property

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may cause damage and destruction of property to	t	1	Adversaries may cause damage and destruction of property to
	>	infrastructure, equipment, and the surrounding environment w		>	infrastructure, equipment, and the surrounding environment w
	>	hen attacking control systems. This technique may result in		>	hen attacking control systems. This technique may result in
	>	device and operational equipment breakdown, or represent tan		>	device and operational equipment breakdown, or represent tan
	>	gential damage from other techniques used in an attack. Depe		>	gential damage from other techniques used in an attack. Depe
	>	nding on the severity of physical damage and disruption caus		>	nding on the severity of physical damage and disruption caus
	>	ed to control processes and systems, this technique may resu		>	ed to control processes and systems, this technique may resu
	>	lt in [Loss of Safety](https://attack.mitre.org/techniques/T		>	lt in [Loss of Safety](https://attack.mitre.org/techniques/T
	>	0880). Operations that result in [Loss of Control](https://a		>	0880). Operations that result in [Loss of Control](https://a
	>	ttack.mitre.org/techniques/T0827) may also cause damage to p		>	ttack.mitre.org/techniques/T0827) may also cause damage to p
	>	roperty, which may be directly or indirectly motivated by an		>	roperty, which may be directly or indirectly motivated by an
	>	adversary seeking to cause impact in the form of [Loss of P		>	adversary seeking to cause impact in the form of [Loss of P
	>	roductivity and Revenue](https://attack.mitre.org/techniques		>	roductivity and Revenue](https://attack.mitre.org/techniques
	>	/T0828). The German Federal Office for Information Securit		>	/T0828). The German Federal Office for Information Securit
	>	y (BSI) reported a targeted attack on a steel mill under an		>	y (BSI) reported a targeted attack on a steel mill under an
	>	incidents affecting business section of its 2014 IT Security		>	incidents affecting business section of its 2014 IT Security
	>	Report. (Citation: Bundesamt fr Sicherheit in der Informati		>	Report. (Citation: BSI State of IT Security 2014) These ta
	>	onstechnik (BSI) (German Federal Office for Information Secu		>	rgeted attacks affected industrial operations and resulted i
	>	rity) 2014) These targeted attacks affected industrial oper		>	n breakdowns of control system components and even entire in
	>	ations and resulted in breakdowns of control system componen		>	stallations. As a result of these breakdowns, massive impact
	>	ts and even entire installations. As a result of these break		>	and damage resulted from the uncontrolled shutdown of a bla
	>	downs, massive impact and damage resulted from the uncontrol		>	st furnace. In the Maroochy Attack, Vitek Boden gained remo
	>	led shutdown of a blast furnace. In the Maroochy Attack, Vi		>	te computer access to the control system and altered data so
	>	tek Boden gained remote computer access to the control syste		>	that whatever function should have occurred at affected pum
	>	m and altered data so that whatever function should have occ		>	ping stations did not occur or occurred in a different way.
	>	urred at affected pumping stations did not occur or occurred		>	This ultimately led to 800,000 liters of raw sewage being sp
	>	in a different way. This ultimately led to 800,000 liters o		>	illed out into the community. The raw sewage affected local
	>	f raw sewage being spilled out into the community. The raw s		>	parks, rivers, and even a local hotel. This resulted in harm
	>	ewage affected local parks, rivers, and even a local hotel.		>	to marine life and produced a sickening stench from the com
	>	This resulted in harm to marine life and produced a sickenin		>	munity's now blackened rivers. (Citation: Marshall Abrams Ju
	>	g stench from the community's now blackened rivers. (Citatio		>	ly 2008) A Polish student used a remote controller device t
	>	n: Marshall Abrams July 2008) A Polish student used a remot		>	o interface with the Lodz city tram system in Poland. (Citat
	>	e controller device to interface with the Lodz city tram sys		>	ion: John Bill May 2017) (Citation: Shelley Smith February 2
	>	tem in Poland. (Citation: John Bill May 2017) (Citation: She		>	008) (Citation: Bruce Schneier January 2008) Using this remo
	>	lley Smith February 2008) (Citation: Bruce Schneier January		>	te, the student was able to capture and replay legitimate tr
	>	2008) Using this remote, the student was able to capture and		>	am signals. This resulted in damage to impacted trams, peopl
	>	replay legitimate tram signals. This resulted in damage to		>	e, and the surrounding property. Reportedly, four trams were
	>	impacted trams, people, and the surrounding property. Report		>	derailed and were forced to make emergency stops. (Citation
	>	edly, four trams were derailed and were forced to make emerg		>	: Shelley Smith February 2008) Commands issued by the studen
	>	ency stops. (Citation: Shelley Smith February 2008) Commands		>	t may have also resulted in tram collisions, causing harm to
	>	issued by the student may have also resulted in tram collis		>	those on board and the environment outside. (Citation: Bruc
	>	ions, causing harm to those on board and the environment out		>	e Schneier January 2008)
	>	side. (Citation: Bruce Schneier January 2008)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_domains		['ics-attack']
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
description	Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers. (Citation: Marshall Abrams July 2008) A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)	Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers. (Citation: Marshall Abrams July 2008) A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)
external_references[1]['source_name']	Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014	BSI State of IT Security 2014

[T0811] Data from Information Repositories

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may target and collect data from information rep	t	1	Adversaries may target and collect data from information rep
	>	ositories. This can include sensitive data such as specifica		>	ositories. This can include sensitive data such as specifica
	>	tions, schematics, or diagrams of control system layouts, de		>	tions, schematics, or diagrams of control system layouts, de
	>	vices, and processes. Examples of information repositories i		>	vices, and processes. Examples of information repositories i
	>	nclude reference databases or local machines in the process		>	nclude reference databases or local machines in the process
	>	environment, as well as workstations and databases in the co		>	environment, as well as workstations and databases in the co
	>	rporate network that might contain information about the ICS		>	rporate network that might contain information about the ICS
	>	. (Citation: Cybersecurity & Infrastructure Security Agency		>	. (Citation: Cybersecurity & Infrastructure Security Agency
	>	March 2018) Information collected from these systems may p		>	March 2018) Information collected from these systems may p
	>	rovide the adversary with a better understanding of the oper		>	rovide the adversary with a better understanding of the oper
	>	ational environment, vendors used, processes, or procedures		>	ational environment, vendors used, processes, or procedures
	>	of the ICS. In a campaign between 2011 and 2013 against ONG		>	of the ICS. In a campaign between 2011 and 2013 against ONG
	>	organizations, Chinese state-sponsored actors searched docu		>	organizations, Chinese state-sponsored actors searched docu
	>	ment repositories for specific information such as, system m		>	ment repositories for specific information such as, system m
	>	anuals, remote terminal unit (RTU) sites, personnel lists, d		>	anuals, remote terminal unit (RTU) sites, personnel lists, d
	>	ocuments that included the string SCAD*, user credentials, a		>	ocuments that included the string SCAD*, user credentials, a
	>	nd remote dial-up access information. (Citation: Department		>	nd remote dial-up access information. (Citation: CISA AA21-2
	>	of Justice (DOJ), DHS Cybersecurity & Infrastructure Securit		>	01A Pipeline Intrusion July 2021)
	>	y Agency (CISA) July 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_domains		['ics-attack']
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
description	Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021)	Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS. In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)
external_references[2]['source_name']	Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021	CISA AA21-201A Pipeline Intrusion July 2021

[T0868] Detect Operating Mode

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may gather information about a PLCs or controlle	t	1	Adversaries may gather information about a PLCs or controlle
	>	rs current operating mode. Operating modes dictate what chan		>	rs current operating mode. Operating modes dictate what chan
	>	ge or maintenance functions can be manipulated and are often		>	ge or maintenance functions can be manipulated and are often
	>	controlled by a key switch on the PLC (e.g., run, prog [pr		>	controlled by a key switch on the PLC (e.g., run, prog [pr
	>	ogram], and remote). Knowledge of these states may be valuab		>	ogram], and remote). Knowledge of these states may be valuab
	>	le to an adversary to determine if they are able to reprogra		>	le to an adversary to determine if they are able to reprogra
	>	m the PLC. Operating modes and the mechanisms by which they		>	m the PLC. Operating modes and the mechanisms by which they
	>	are selected often vary by vendor and product line. Some com		>	are selected often vary by vendor and product line. Some com
	>	monly implemented operating modes are described below: *Pro		>	monly implemented operating modes are described below: *
	>	gram - This mode must be enabled before changes can be made		>	Program - This mode must be enabled before changes can be ma
	>	to a devices program. This allows program uploads and downlo		>	de to a devices program. This allows program uploads and dow
	>	ads between the device and an engineering workstation. Often		>	nloads between the device and an engineering workstation. Of
	>	the PLCs logic Is halted, and all outputs may be forced off		>	ten the PLCs logic Is halted, and all outputs may be forced
	>	. (Citation: N.A. October 2017) *Run - Execution of the dev		>	off. (Citation: N.A. October 2017) * Run - Execution of th
	>	ices program occurs in this mode. Input and output (values,		>	e devices program occurs in this mode. Input and output (val
	>	points, tags, elements, etc.) are monitored and used accordi		>	ues, points, tags, elements, etc.) are monitored and used ac
	>	ng to the programs logic. [Program Upload](https://attack.mi		>	cording to the programs logic. [Program Upload](https://atta
	>	tre.org/techniques/T0845) and [Program Download](https://att		>	ck.mitre.org/techniques/T0845) and [Program Download](https:
	>	ack.mitre.org/techniques/T0843) are disabled while in this m		>	//attack.mitre.org/techniques/T0843) are disabled while in t
	>	ode. (Citation: Omron) (Citation: Machine Information System		>	his mode. (Citation: Omron) (Citation: Machine Information S
	>	s 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2		>	ystems 2007) (Citation: N.A. October 2017) (Citation: PLCgu
	>	021) *Remote - Allows for remote changes to a PLCs operati		>	rus 2021) * Remote - Allows for remote changes to a PLCs
	>	on mode. (Citation: PLCgurus 2021) *Stop - The PLC and pr		>	operation mode. (Citation: PLCgurus 2021) * Stop - The P
	>	ogram is stopped, while in this mode, outputs are forced off		>	LC and program is stopped, while in this mode, outputs are f
	>	. (Citation: Machine Information Systems 2007) *Reset - Co		>	orced off. (Citation: Machine Information Systems 2007) *
	>	nditions on the PLC are reset to their original states. Warm		>	Reset - Conditions on the PLC are reset to their original s
	>	resets may retain some memory while cold resets will reset		>	tates. Warm resets may retain some memory while cold resets
	>	all I/O and data registers. (Citation: Machine Information S		>	will reset all I/O and data registers. (Citation: Machine In
	>	ystems 2007) *Test / Monitor mode - Similar to run mode, I		>	formation Systems 2007) * Test / Monitor mode - Similar t
	>	/O is processed, although this mode allows for monitoring, f		>	o run mode, I/O is processed, although this mode allows for
	>	orce set, resets, and more generally tuning or debugging of		>	monitoring, force set, resets, and more generally tuning or
	>	the system. Often monitor mode may be used as a trial for in		>	debugging of the system. Often monitor mode may be used as a
	>	itialization. (Citation: Omron)		>	trial for initialization. (Citation: Omron)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.916000+00:00	2022-05-24 11:48:05.134000+00:00
description	Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)	Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: * Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) * Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) * Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) * Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) * Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) * Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack
external_references[1]['source_name']	N.A. October 2017	Machine Information Systems 2007
external_references[1]['description']	N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28	Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28
external_references[1]['url']	https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489	http://www.machine-information-systems.com/How_PLCs_Work.html
external_references[2]['source_name']	Omron	N.A. October 2017
external_references[2]['description']	Omron N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28	N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28
external_references[2]['url']	https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.	https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489
external_references[3]['source_name']	Machine Information Systems 2007	Omron
external_references[3]['description']	Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28	Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28
external_references[3]['url']	http://www.machine-information-systems.com/How_PLCs_Work.html	https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.
external_references[4]['source_name']	N.A. October 2017	PLCgurus 2021
external_references[4]['description']	N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28	PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28
external_references[4]['url']	https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489	https://www.plcgurus.net/plc-basics/

iterable_item_removed
STIX Field	Old value	New Value
external_references	{'source_name': 'PLCgurus 2021', 'description': 'PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ', 'url': 'https://www.plcgurus.net/plc-basics/'}
external_references	{'source_name': 'PLCgurus 2021', 'description': 'PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ', 'url': 'https://www.plcgurus.net/plc-basics/'}
external_references	{'source_name': 'Machine Information Systems 2007', 'description': 'Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ', 'url': 'http://www.machine-information-systems.com/How_PLCs_Work.html'}
external_references	{'source_name': 'Machine Information Systems 2007', 'description': 'Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ', 'url': 'http://www.machine-information-systems.com/How_PLCs_Work.html'}
external_references	{'source_name': 'Omron', 'description': 'Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ', 'url': 'https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.'}

[T0827] Loss of Control

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may seek to achieve a sustained loss of control	t	1	Adversaries may seek to achieve a sustained loss of control
	>	or a runaway condition in which operators cannot issue any c		>	or a runaway condition in which operators cannot issue any c
	>	ommands even if the malicious interference has subsided. (Ci		>	ommands even if the malicious interference has subsided. (Ci
	>	tation: Corero) (Citation: Michael J. Assante and Robert M.		>	tation: Corero) (Citation: Michael J. Assante and Robert M.
	>	Lee) (Citation: Tyson Macaulay) The German Federal Office f		>	Lee) (Citation: Tyson Macaulay) The German Federal Office f
	>	or Information Security (BSI) reported a targeted attack on		>	or Information Security (BSI) reported a targeted attack on
	>	a steel mill in its 2014 IT Security Report. (Citation: Bund		>	a steel mill in its 2014 IT Security Report. (Citation: BSI
	>	esamt fr Sicherheit in der Informationstechnik (BSI) (German		>	State of IT Security 2014) These targeted attacks affected
	>	Federal Office for Information Security) 2014) These targe		>	industrial operations and resulted in breakdowns of control
	>	ted attacks affected industrial operations and resulted in b		>	system components and even entire installations. As a result
	>	reakdowns of control system components and even entire insta		>	of these breakdowns, massive impact resulted in damage and
	>	llations. As a result of these breakdowns, massive impact re		>	unsafe conditions from the uncontrolled shutdown of a blast
	>	sulted in damage and unsafe conditions from the uncontrolled		>	furnace.
	>	shutdown of a blast furnace.

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_domains		['ics-attack']
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
description	Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. (Citation: Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.	Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.
external_references[4]['source_name']	Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014	BSI State of IT Security 2014

[T0830] Man in the Middle

Current version: 1.0

	Old Description			New Description
t	1	Adversaries with privileged network access may seek to modif	t	1	Adversaries with privileged network access may seek to modif
	>	y network traffic in real time using man-in-the-middle (MITM		>	y network traffic in real time using man-in-the-middle (MITM
	>	) attacks. (Citation: Gabriel Sanchez October 2017) This typ		>	) attacks. (Citation: Gabriel Sanchez October 2017) This typ
	>	e of attack allows the adversary to intercept traffic to and		>	e of attack allows the adversary to intercept traffic to and
	>	/or from a particular device on the network. If a MITM attac		>	/or from a particular device on the network. If a MITM attac
	>	k is established, then the adversary has the ability to bloc		>	k is established, then the adversary has the ability to bloc
	>	k, log, modify, or inject traffic into the communication str		>	k, log, modify, or inject traffic into the communication str
	>	eam. There are several ways to accomplish this attack, but s		>	eam. There are several ways to accomplish this attack, but s
	>	ome of the most-common are Address Resolution Protocol (ARP)		>	ome of the most-common are Address Resolution Protocol (ARP)
	>	poisoning and the use of a proxy. (Citation: Bonnie Zhu, An		>	poisoning and the use of a proxy. (Citation: Bonnie Zhu, An
	>	thony Joseph, Shankar Sastry 2011) ttt A MITM attack may a		>	thony Joseph, Shankar Sastry 2011) A MITM attack may allo
	>	llow an adversary to perform the following attacks: [Block		>	w an adversary to perform the following attacks: [Block Re
	>	Reporting Message](https://attack.mitre.org/techniques/T080		>	porting Message](https://attack.mitre.org/techniques/T0804),
	>	4), [Spoof Reporting Message](https://attack.mitre.org/tech		>	[Spoof Reporting Message](https://attack.mitre.org/techniqu
	>	niques/T0856), [Modify Parameter](https://attack.mitre.org/t		>	es/T0856), [Modify Parameter](https://attack.mitre.org/techn
	>	echniques/T0836), [Unauthorized Command Message](https://a		>	iques/T0836), [Unauthorized Command Message](https://attack.
	>	ttack.mitre.org/techniques/T0855)		>	mitre.org/techniques/T0855)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.942000+00:00	2022-05-24 19:32:27.175000+00:00
description	Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ttt A MITM attack may allow an adversary to perform the following attacks: [Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)	Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) A MITM attack may allow an adversary to perform the following attacks: [Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack
external_references[1]['source_name']	Gabriel Sanchez October 2017	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011
external_references[1]['description']	Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12
external_references[1]['url']	https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095	http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
external_references[2]['source_name']	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011	Gabriel Sanchez October 2017
external_references[2]['description']	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12	Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05
external_references[2]['url']	http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258	https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095

[T0831] Manipulation of Control

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may manipulate physical process control within t	t	1	Adversaries may manipulate physical process control within t
	>	he industrial environment. Methods of manipulating control c		>	he industrial environment. Methods of manipulating control c
	>	an include changes to set point values, tags, or other param		>	an include changes to set point values, tags, or other param
	>	eters. Adversaries may manipulate control systems devices or		>	eters. Adversaries may manipulate control systems devices or
	>	possibly leverage their own, to communicate with and comman		>	possibly leverage their own, to communicate with and comman
	>	d physical control processes. The duration of manipulation m		>	d physical control processes. The duration of manipulation m
	>	ay be temporary or longer sustained, depending on operator d		>	ay be temporary or longer sustained, depending on operator d
	>	etection. Methods of Manipulation of Control include: * Ma		>	etection. Methods of Manipulation of Control include:
	>	n-in-the-middle * Spoof command message * Changing setpoint		>	* Man-in-the-middle * Spoof command message * Changing se
	>	s A Polish student used a remote controller device to inter		>	tpoints A Polish student used a remote controller device
	>	face with the Lodz city tram system in Poland. (Citation: Jo		>	to interface with the Lodz city tram system in Poland. (Cita
	>	hn Bill May 2017) (Citation: Shelley Smith February 2008) (C		>	tion: John Bill May 2017) (Citation: Shelley Smith February
	>	itation: Bruce Schneier January 2008) Using this remote, the		>	2008) (Citation: Bruce Schneier January 2008) Using this rem
	>	student was able to capture and replay legitimate tram sign		>	ote, the student was able to capture and replay legitimate t
	>	als. As a consequence, four trams were derailed and twelve p		>	ram signals. As a consequence, four trams were derailed and
	>	eople injured due to resulting emergency stops. (Citation: S		>	twelve people injured due to resulting emergency stops. (Cit
	>	helley Smith February 2008) The track controlling commands i		>	ation: Shelley Smith February 2008) The track controlling co
	>	ssued may have also resulted in tram collisions, a further r		>	mmands issued may have also resulted in tram collisions, a f
	>	isk to those on board and nearby the areas of impact. (Citat		>	urther risk to those on board and nearby the areas of impact
	>	ion: Bruce Schneier January 2008)		>	. (Citation: Bruce Schneier January 2008)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.945000+00:00	2022-05-24 14:57:44.326000+00:00
description	Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Methods of Manipulation of Control include: * Man-in-the-middle * Spoof command message * Changing setpoints A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)	Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Methods of Manipulation of Control include: * Man-in-the-middle * Spoof command message * Changing setpoints A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack
external_references[1]['source_name']	John Bill May 2017	Bruce Schneier January 2008
external_references[1]['description']	John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17	Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17
external_references[1]['url']	https://www.londonreconnections.com/2017/hacked-cyber-security-railways/	https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html
external_references[2]['source_name']	Shelley Smith February 2008	John Bill May 2017
external_references[2]['description']	Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17	John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17
external_references[2]['url']	https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/	https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
external_references[3]['source_name']	Bruce Schneier January 2008	Shelley Smith February 2008
external_references[3]['description']	Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17	Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17
external_references[3]['url']	https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html	https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/

iterable_item_removed
STIX Field	Old value	New Value
external_references	{'source_name': 'Shelley Smith February 2008', 'description': 'Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ', 'url': 'https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/'}
external_references	{'source_name': 'Bruce Schneier January 2008', 'description': 'Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ', 'url': 'https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html'}

[T0836] Modify Parameter

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may modify parameters used to instruct industria	t	1	Adversaries may modify parameters used to instruct industria
	>	l control system devices. These devices operate via programs		>	l control system devices. These devices operate via programs
	>	that dictate how and when to perform actions based on such		>	that dictate how and when to perform actions based on such
	>	parameters. Such parameters can determine the extent to whic		>	parameters. Such parameters can determine the extent to whic
	>	h an action is performed and may specify additional options.		>	h an action is performed and may specify additional options.
	>	For example, a program on a control system device dictating		>	For example, a program on a control system device dictating
	>	motor processes may take a parameter defining the total num		>	motor processes may take a parameter defining the total num
	>	ber of seconds to run that motor. An adversary can pote		>	ber of seconds to run that motor. An adversary can po
	>	ntially modify these parameters to produce an outcome outsid		>	tentially modify these parameters to produce an outcome outs
	>	e of what was intended by the operators. By modifying system		>	ide of what was intended by the operators. By modifying syst
	>	and process critical parameters, the adversary may cause [[		>	em and process critical parameters, the adversary may cause
	>	Impact]] to equipment and/or control processes. Modified par		>	[Impact](https://attack.mitre.org/tactics/TA0105) to equipme
	>	ameters may be turned into dangerous, out-of-bounds, or unex		>	nt and/or control processes. Modified parameters may be turn
	>	pected values from typical operations. For example, specifyi		>	ed into dangerous, out-of-bounds, or unexpected values from
	>	ng that a process run for more or less time than it should,		>	typical operations. For example, specifying that a process r
	>	or dictating an unusually high, low, or invalid value as a p		>	un for more or less time than it should, or dictating an unu
	>	arameter. In the Maroochy Attack, Vitek Boden gained remot		>	sually high, low, or invalid value as a parameter. In th
	>	e computer access to the control system and altered data so		>	e Maroochy Attack, Vitek Boden gained remote computer access
	>	that whatever function should have occurred at affected pump		>	to the control system and altered data so that whatever fun
	>	ing stations did not occur or occurred in a different way. T		>	ction should have occurred at affected pumping stations did
	>	he software program installed in the laptop was one develope		>	not occur or occurred in a different way. The software progr
	>	d by Hunter Watertech for its use in changing configurations		>	am installed in the laptop was one developed by Hunter Water
	>	in the PDS computers. This ultimately led to 800,000 liters		>	tech for its use in changing configurations in the PDS compu
	>	of raw sewage being spilled out into the community. (Citati		>	ters. This ultimately led to 800,000 liters of raw sewage be
	>	on: Marshall Abrams July 2008) In the Oldsmar water treatme		>	ing spilled out into the community. (Citation: Marshall Abra
	>	nt attack, adversaries raised the sodium hydroxide setpoint		>	ms July 2008) In the Oldsmar water treatment attack, adve
	>	value from 100 part-per-million (ppm) to 11,100 ppm, far bey		>	rsaries raised the sodium hydroxide setpoint value from 100
	>	ond normal operating levels. (Citation: Pinellas County Sher		>	part-per-million (ppm) to 11,100 ppm, far beyond normal oper
	>	iffs Office February 2021)		>	ating levels. (Citation: Pinellas County Sheriffs Office Feb
				>	ruary 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.952000+00:00	2022-05-24 12:09:05.073000+00:00
description	Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [[Impact]] to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Marshall Abrams July 2008) In the Oldsmar water treatment attack, adversaries raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels. (Citation: Pinellas County Sheriffs Office February 2021)	Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Marshall Abrams July 2008) In the Oldsmar water treatment attack, adversaries raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels. (Citation: Pinellas County Sheriffs Office February 2021)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

[T0839] Module Firmware

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may install malicious or vulnerable firmware ont	t	1	Adversaries may install malicious or vulnerable firmware ont
	>	o modular hardware devices. Control system devices often con		>	o modular hardware devices. Control system devices often con
	>	tain modular hardware devices. These devices may have their		>	tain modular hardware devices. These devices may have their
	>	own set of firmware that is separate from the firmware of th		>	own set of firmware that is separate from the firmware of th
	>	e main control system equipment. This technique is similar		>	e main control system equipment. This technique is simil
	>	to [System Firmware](https://attack.mitre.org/techniques/T0		>	ar to [System Firmware](https://attack.mitre.org/techniques/
	>	857), but is conducted on other system components that may n		>	T0857), but is conducted on other system components that may
	>	ot have the same capabilities or level of integrity checking		>	not have the same capabilities or level of integrity checki
	>	. Although it results in a device re-image, malicious device		>	ng. Although it results in a device re-image, malicious devi
	>	firmware may provide persistent access to remaining devices		>	ce firmware may provide persistent access to remaining devic
	>	. (Citation: Daniel Peck, Dale Peterson January 2009) An e		>	es. (Citation: Daniel Peck, Dale Peterson January 2009)
	>	asy point of access for an adversary is the Ethernet card, w		>	An easy point of access for an adversary is the Ethernet car
	>	hich may have its own CPU, RAM, and operating system. The ad		>	d, which may have its own CPU, RAM, and operating system. Th
	>	versary may attack and likely exploit the computer on an Eth		>	e adversary may attack and likely exploit the computer on an
	>	ernet card. Exploitation of the Ethernet card computer may e		>	Ethernet card. Exploitation of the Ethernet card computer m
	>	nable the adversary to accomplish additional attacks, such a		>	ay enable the adversary to accomplish additional attacks, su
	>	s the following: (Citation: Daniel Peck, Dale Peterson Janu		>	ch as the following: (Citation: Daniel Peck, Dale Peterson
	>	ary 2009) *Delayed Attack - The adversary may stage an atta		>	January 2009) * Delayed Attack - The adversary may stage
	>	ck in advance and choose when to launch it, such as at a par		>	an attack in advance and choose when to launch it, such as a
	>	ticularly damaging time. *Brick the Ethernet Card - Malicio		>	t a particularly damaging time. * Brick the Ethernet Card
	>	us firmware may be programmed to result in an Ethernet card		>	- Malicious firmware may be programmed to result in an Ether
	>	failure, requiring a factory return. *Random Attack or Fail		>	net card failure, requiring a factory return. * Random Att
	>	ure - The adversary may load malicious firmware onto multipl		>	ack or Failure - The adversary may load malicious firmware o
	>	e field devices. Execution of an attack and the time it occu		>	nto multiple field devices. Execution of an attack and the t
	>	rs is generated by a pseudo-random number generator. *A Fi		>	ime it occurs is generated by a pseudo-random number generat
	>	eld Device Worm - The adversary may choose to identify all f		>	or. * A Field Device Worm - The adversary may choose to i
	>	ield devices of the same model, with the end goal of perform		>	dentify all field devices of the same model, with the end go
	>	ing a device-wide compromise. *Attack Other Cards on the Fi		>	al of performing a device-wide compromise. * Attack Other
	>	eld Device - Although it is not the most important module in		>	Cards on the Field Device - Although it is not the most impo
	>	a field device, the Ethernet card is most accessible to the		>	rtant module in a field device, the Ethernet card is most ac
	>	adversary and malware. Compromise of the Ethernet card may		>	cessible to the adversary and malware. Compromise of the Eth
	>	provide a more direct route to compromising other modules, s		>	ernet card may provide a more direct route to compromising o
	>	uch as the CPU module.		>	ther modules, such as the CPU module.

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.954000+00:00	2022-05-24 11:51:30.717000+00:00
description	Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. This technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. *Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.	Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. This technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) * Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. * Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. * Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. * A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. * Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

iterable_item_removed
STIX Field	Old value	New Value
external_references	{'source_name': 'Daniel Peck, Dale Peterson January 2009', 'description': 'Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ', 'url': 'https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices'}

[T0840] Network Connection Enumeration

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may perform network connection enumeration to di	t	1	Adversaries may perform network connection enumeration to di
	>	scover information about device communication patterns. If a		>	scover information about device communication patterns. If a
	>	n adversary can inspect the state of a network connection wi		>	n adversary can inspect the state of a network connection wi
	>	th tools, such as [https://en.wikipedia.org/wiki/Netstat net		>	th tools, such as Netstat(Citation: Netstat), in conjunction
	>	stat], in conjunction with [System Firmware](https://attack.		>	with [System Firmware](https://attack.mitre.org/techniques/
	>	mitre.org/techniques/T0857), then they can determine the rol		>	T0857), then they can determine the role of certain devices
	>	e of certain devices on the network (Citation: MITRE). The		>	on the network (Citation: MITRE). The adversary can also us
	>	adversary can also use [Network Sniffing](https://attack.mit		>	e [Network Sniffing](https://attack.mitre.org/techniques/T08
	>	re.org/techniques/T0842) to watch network traffic for detail		>	42) to watch network traffic for details about the source, d
	>	s about the source, destination, protocol, and content.		>	estination, protocol, and content.

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.957000+00:00	2022-05-23 21:24:49.040000+00:00
description	Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as [https://en.wikipedia.org/wiki/Netstat netstat], in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.	Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

iterable_item_added
STIX Field	Old value	New Value
external_references		{'source_name': 'Netstat', 'description': 'Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.', 'url': 'https://en.wikipedia.org/wiki/Netstat'}

[T0886] Remote Services

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may leverage remote services to move between ass	t	1	Adversaries may leverage remote services to move between ass
	>	ets and network segments. These services are often used to a		>	ets and network segments. These services are often used to a
	>	llow operators to interact with systems remotely within the		>	llow operators to interact with systems remotely within the
	>	network, some examples are RDP, SMB, SSH, and other similar		>	network, some examples are RDP, SMB, SSH, and other similar
	>	mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krot		>	mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krot
	>	ofil, Dan Scali, Nathan Brubaker, Christopher Glyer December		>	ofil, Dan Scali, Nathan Brubaker, Christopher Glyer December
	>	2017) (Citation: Dragos December 2017) (Citation: Joe Slowi		>	2017) (Citation: Dragos December 2017) (Citation: Joe Slowi
	>	k April 2019) Remote services could be used to support remo		>	k April 2019) Remote services could be used to support remo
	>	te access, data transmission, authentication, name resolutio		>	te access, data transmission, authentication, name resolutio
	>	n, and other remote functions. Further, remote services may		>	n, and other remote functions. Further, remote services may
	>	be necessary to allow operators and administrators to config		>	be necessary to allow operators and administrators to config
	>	ure systems within the network from their engineering or man		>	ure systems within the network from their engineering or man
	>	agement workstations. An adversary may use this technique to		>	agement workstations. An adversary may use this technique to
	>	access devices which may be dual-homed (Citation: Blake Joh		>	access devices which may be dual-homed (Citation: Blake Joh
	>	nson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker		>	nson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker
	>	, Christopher Glyer December 2017) to multiple network segme		>	, Christopher Glyer December 2017) to multiple network segme
	>	nts, and can be used for [Program Download](https://attack.m		>	nts, and can be used for [Program Download](https://attack.m
	>	itre.org/techniques/T0843) or to execute attacks on control		>	itre.org/techniques/T0843) or to execute attacks on control
	>	devices directly through [Valid Accounts](https://attack.mit		>	devices directly through [Valid Accounts](https://attack.mit
	>	re.org/techniques/T0859). Specific remote services (RDP & V		>	re.org/techniques/T0859). Specific remote services (RDP & V
	>	NC) may be a precursor to enable [Graphical User Interface](		>	NC) may be a precursor to enable [Graphical User Interface](
	>	https://attack.mitre.org/techniques/T0823) execution on devi		>	https://attack.mitre.org/techniques/T0823) execution on devi
	>	ces such as HMIs or engineering workstation software. In th		>	ces such as HMIs or engineering workstation software. In th
	>	e Oldsmar water treatment attack, adversaries gained access		>	e Oldsmar water treatment attack, adversaries gained access
	>	to the system through remote access software, allowing for t		>	to the system through remote access software, allowing for t
	>	he use of the standard operator HMI interface. (Citation: Pi		>	he use of the standard operator HMI interface. (Citation: Pi
	>	nellas County Sheriffs Office February 2021) Based on incid		>	nellas County Sheriffs Office February 2021) Based on incid
	>	ent data, CISA and FBI assessed that Chinese state-sponsored		>	ent data, CISA and FBI assessed that Chinese state-sponsored
	>	actors also compromised various authorized remote access ch		>	actors also compromised various authorized remote access ch
	>	annels, including systems designed to transfer data and/or a		>	annels, including systems designed to transfer data and/or a
	>	llow access between corporate and ICS networks. (Citation:		>	llow access between corporate and ICS networks. (Citation:
	>	Department of Justice (DOJ), DHS Cybersecurity & Infrastruct		>	CISA AA21-201A Pipeline Intrusion July 2021)
	>	ure Security Agency (CISA) July 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_domains		['ics-attack']
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
description	Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) Remote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859). Specific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software. In the Oldsmar water treatment attack, adversaries gained access to the system through remote access software, allowing for the use of the standard operator HMI interface. (Citation: Pinellas County Sheriffs Office February 2021) Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021)	Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) Remote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859). Specific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software. In the Oldsmar water treatment attack, adversaries gained access to the system through remote access software, allowing for the use of the standard operator HMI interface. (Citation: Pinellas County Sheriffs Office February 2021) Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)
external_references[6]['source_name']	Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021	CISA AA21-201A Pipeline Intrusion July 2021

[T0851] Rootkit

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may deploy rootkits to hide the presence of prog	t	1	Adversaries may deploy rootkits to hide the presence of prog
	>	rams, files, network connections, services, drivers, and oth		>	rams, files, network connections, services, drivers, and oth
	>	er system components. Rootkits are programs that hide the ex		>	er system components. Rootkits are programs that hide the ex
	>	istence of malware by intercepting and modifying operating-s		>	istence of malware by intercepting and modifying operating-s
	>	ystem API calls that supply system information. Rootkits or		>	ystem API calls that supply system information. Rootkits or
	>	rootkit-enabling functionality may reside at the user or ker		>	rootkit-enabling functionality may reside at the user or ker
	>	nel level in the operating system, or lower. (Citation: Ente		>	nel level in the operating system, or lower. (Citation: Ente
	>	rprise ATT&CK January 2018) Firmware rootkits that affect		>	rprise ATT&CK January 2018) Firmware rootkits that affec
	>	the operating system yield nearly full control of the system		>	t the operating system yield nearly full control of the syst
	>	. While firmware rootkits are normally developed for the mai		>	em. While firmware rootkits are normally developed for the m
	>	n processing board, they can also be developed for I/O T1109		>	ain processing board, they can also be developed for I/O T11
	>	that can be attached to the asset. Compromise of this firmw		>	09 that can be attached to the asset. Compromise of this fir
	>	are allows the modification of all of the process variables		>	mware allows the modification of all of the process variable
	>	and functions the module engages in. This may result in comm		>	s and functions the module engages in. This may result in co
	>	ands being disregarded and false information being fed to th		>	mmands being disregarded and false information being fed to
	>	e main device. By tampering with device processes, an advers		>	the main device. By tampering with device processes, an adve
	>	ary may inhibit its expected response functions and possibly		>	rsary may inhibit its expected response functions and possib
	>	enable [[Impact]].		>	ly enable [Impact](https://attack.mitre.org/tactics/TA0105).

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.976000+00:00	2022-05-24 12:13:28.790000+00:00
description	Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O T1109 that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [[Impact]].	Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O T1109 that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

[T0865] Spearphishing Attachment

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may use a spearphishing attachment, a variant of	t	1	Adversaries may use a spearphishing attachment, a variant of
	>	spearphishing, as a form of a social engineering attack aga		>	spearphishing, as a form of a social engineering attack aga
	>	inst specific targets. Spearphishing attachments are differe		>	inst specific targets. Spearphishing attachments are differe
	>	nt from other forms of spearphishing in that they employ mal		>	nt from other forms of spearphishing in that they employ mal
	>	ware attached to an email. All forms of spearphishing are el		>	ware attached to an email. All forms of spearphishing are el
	>	ectronically delivered and target a specific individual, com		>	ectronically delivered and target a specific individual, com
	>	pany, or industry. In this scenario, adversaries attach a fi		>	pany, or industry. In this scenario, adversaries attach a fi
	>	le to the spearphishing email and usually rely upon [User Ex		>	le to the spearphishing email and usually rely upon [User Ex
	>	ecution](https://attack.mitre.org/techniques/T0863) to gain		>	ecution](https://attack.mitre.org/techniques/T0863) to gain
	>	execution and access. (Citation: Enterprise ATT&CK October 2		>	execution and access. (Citation: Enterprise ATT&CK October 2
	>	019) A Chinese spearphishing campaign running from December		>	019) A Chinese spearphishing campaign running from December
	>	9, 2011 through February 29, 2012, targeted ONG organizatio		>	9, 2011 through February 29, 2012, targeted ONG organizatio
	>	ns and their employees. The emails were constructed with a h		>	ns and their employees. The emails were constructed with a h
	>	igh level of sophistication to convince employees to open th		>	igh level of sophistication to convince employees to open th
	>	e malicious file attachments. (Citation: Department of Justi		>	e malicious file attachments. (Citation: CISA AA21-201A Pipe
	>	ce (DOJ), DHS Cybersecurity & Infrastructure Security Agency		>	line Intrusion July 2021)
	>	(CISA) July 2021)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_domains		['ics-attack']
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
description	Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021)	Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)
external_references[2]['source_name']	Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021	CISA AA21-201A Pipeline Intrusion July 2021

[T0855] Unauthorized Command Message

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may send unauthorized command messages to instru	t	1	Adversaries may send unauthorized command messages to instru
	>	ct control system assets to perform actions outside of their		>	ct control system assets to perform actions outside of their
	>	intended functionality, or without the logical precondition		>	intended functionality, or without the logical precondition
	>	s to trigger their expected function. Command messages are u		>	s to trigger their expected function. Command messages are u
	>	sed in ICS networks to give direct instructions to control s		>	sed in ICS networks to give direct instructions to control s
	>	ystems devices. If an adversary can send an unauthorized com		>	ystems devices. If an adversary can send an unauthorized com
	>	mand message to a control system, then it can instruct the c		>	mand message to a control system, then it can instruct the c
	>	ontrol systems device to perform an action outside the norma		>	ontrol systems device to perform an action outside the norma
	>	l bounds of the device's actions. An adversary could potenti		>	l bounds of the device's actions. An adversary could potenti
	>	ally instruct a control systems device to perform an action		>	ally instruct a control systems device to perform an action
	>	that will cause an [[Impact]]. (Citation: Bonnie Zhu, Anthon		>	that will cause an [Impact](https://attack.mitre.org/tactics
	>	y Joseph, Shankar Sastry 2011) In the Maroochy Attack, the		>	/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sas
	>	adversary used a dedicated analog two-way radio system to s		>	try 2011) In the Maroochy Attack, the adversary used a d
	>	end false data and instructions to pumping stations and the		>	edicated analog two-way radio system to send false data and
	>	central computer. (Citation: Marshall Abrams July 2008) In		>	instructions to pumping stations and the central computer. (
	>	the Dallas Siren incident, adversaries were able to send com		>	Citation: Marshall Abrams July 2008) In the Dallas Siren
	>	mand messages to activate tornado alarm systems across the c		>	incident, adversaries were able to send command messages to
	>	ity without an impending tornado or other disaster. (Citatio		>	activate tornado alarm systems across the city without an im
	>	n: Zack Whittaker April 2017) (Citation: Benjamin Freed Marc		>	pending tornado or other disaster. (Citation: Zack Whittaker
	>	h 2019)		>	April 2017) (Citation: Benjamin Freed March 2019)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.987000+00:00	2022-05-24 12:18:48.810000+00:00
description	Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [[Impact]]. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. (Citation: Marshall Abrams July 2008) In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)	Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. (Citation: Marshall Abrams July 2008) In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack
external_references[1]['source_name']	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011	Benjamin Freed March 2019
external_references[1]['description']	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12	Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06
external_references[1]['url']	http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258	https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/
external_references[2]['source_name']	Marshall Abrams July 2008	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011
external_references[2]['description']	Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27	Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12
external_references[2]['url']	https://www.mitre.org/sites/default/files/pdf/08_1145.pdf	http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
external_references[3]['source_name']	Zack Whittaker April 2017	Marshall Abrams July 2008
external_references[3]['description']	Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06	Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27
external_references[3]['url']	https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/	https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
external_references[4]['source_name']	Benjamin Freed March 2019	Zack Whittaker April 2017
external_references[4]['description']	Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06	Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06
external_references[4]['url']	https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/	https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/

[T0863] User Execution

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may rely on a targeted organizations user intera	t	1	Adversaries may rely on a targeted organizations user intera
	>	ction for the execution of malicious code. User interaction		>	ction for the execution of malicious code. User interaction
	>	may consist of installing applications, opening email attach		>	may consist of installing applications, opening email attach
	>	ments, or granting higher permissions to documents. Advers		>	ments, or granting higher permissions to documents. Advers
	>	aries may embed malicious code or visual basic code into fil		>	aries may embed malicious code or visual basic code into fil
	>	es such as Microsoft Word and Excel documents or software in		>	es such as Microsoft Word and Excel documents or software in
	>	stallers. (Citation: Booz Allen Hamilton) Execution of this		>	stallers. (Citation: Booz Allen Hamilton) Execution of this
	>	code requires that the user enable scripting or write access		>	code requires that the user enable scripting or write access
	>	within the document. Embedded code may not always be notice		>	within the document. Embedded code may not always be notice
	>	able to the user especially in cases of trojanized software.		>	able to the user especially in cases of trojanized software.
	>	(Citation: Daavid Hentunen, Antti Tikkanen June 2014) A Ch		>	(Citation: Daavid Hentunen, Antti Tikkanen June 2014) A Ch
	>	inese spearphishing campaign running from December 9, 2011 t		>	inese spearphishing campaign running from December 9, 2011 t
	>	hrough February 29, 2012 delivered malware through spearphis		>	hrough February 29, 2012 delivered malware through spearphis
	>	hing attachments which required user action to achieve execu		>	hing attachments which required user action to achieve execu
	>	tion. (Citation: Department of Justice (DOJ), DHS Cybersecur		>	tion. (Citation: CISA AA21-201A Pipeline Intrusion July 2021
	>	ity & Infrastructure Security Agency (CISA) July 2021)		>	)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_domains		['ics-attack']
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
description	Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021)	Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)
external_references[3]['source_name']	Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) July 2021	CISA AA21-201A Pipeline Intrusion July 2021

[T0859] Valid Accounts

Current version: 1.0

	Old Description			New Description
t	1	Adversaries may steal the credentials of a specific user or	t	1	Adversaries may steal the credentials of a specific user or
	>	service account using credential access techniques. In some		>	service account using credential access techniques. In some
	>	cases, default credentials for control system devices may be		>	cases, default credentials for control system devices may be
	>	publicly available. Compromised credentials may be used to		>	publicly available. Compromised credentials may be used to
	>	bypass access controls placed on various resources on hosts		>	bypass access controls placed on various resources on hosts
	>	and within the network, and may even be used for persistent		>	and within the network, and may even be used for persistent
	>	access to remote systems. Compromised and default credential		>	access to remote systems. Compromised and default credential
	>	s may also grant an adversary increased privilege to specifi		>	s may also grant an adversary increased privilege to specifi
	>	c systems and devices or access to restricted areas of the n		>	c systems and devices or access to restricted areas of the n
	>	etwork. Adversaries may choose not to use malware or tools,		>	etwork. Adversaries may choose not to use malware or tools,
	>	in conjunction with the legitimate access those credentials		>	in conjunction with the legitimate access those credentials
	>	provide, to make it harder to detect their presence or to co		>	provide, to make it harder to detect their presence or to co
	>	ntrol devices and send legitimate commands in an unintended		>	ntrol devices and send legitimate commands in an unintended
	>	way. ttt Adversaries may also create accounts, sometimes us		>	way. Adversaries may also create accounts, sometimes using
	>	ing predefined account names and passwords, to provide a mea		>	predefined account names and passwords, to provide a means
	>	ns of backup access for persistence. (Citation: Booz Allen H		>	of backup access for persistence. (Citation: Booz Allen Hami
	>	amilton) ttt The overlap of credentials and permissions acro		>	lton) The overlap of credentials and permissions across a
	>	ss a network of systems is of concern because the adversary		>	network of systems is of concern because the adversary may b
	>	may be able to pivot across accounts and systems to reach a		>	e able to pivot across accounts and systems to reach a high
	>	high level of access (i.e., domain or enterprise administrat		>	level of access (i.e., domain or enterprise administrator)
	>	or) and possibly between the enterprise and operational tec		>	and possibly between the enterprise and operational technolo
	>	hnology environments. Adversaries may be able to leverage va		>	gy environments. Adversaries may be able to leverage valid c
	>	lid credentials from one system to gain access to another sy		>	redentials from one system to gain access to another system.
	>	stem.

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_detection
x_mitre_domains		['ics-attack']
x_mitre_is_subtechnique		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.992000+00:00	2022-05-24 11:56:16.241000+00:00
description	Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. ttt Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) ttt The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.	Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

Software

enterprise-attack

Patches

[S0552] AdFind

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2020-12-29 18:04:33.254000+00:00	2022-05-20 17:07:10.931000+00:00
external_references[1]['url']	https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/	https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
external_references[2]['source_name']	FireEye FIN6 Apr 2019	FireEye Ryuk and Trickbot January 2019
external_references[2]['description']	McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.	Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
external_references[2]['url']	https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html	https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
external_references[3]['source_name']	FireEye Ryuk and Trickbot January 2019	FireEye FIN6 Apr 2019
external_references[3]['description']	Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.	McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
external_references[3]['url']	https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html	https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

[S0093] Backdoor.Oldrea

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 01:25:31.056000+00:00	2022-05-11 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0606] Bad Rabbit

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-17 18:43:07.613000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0089] BlackEnergy

Current version: 1.3

Details

values_changed
STIX Field	Old value	New Value
modified	2021-04-26 15:59:03.034000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0608] Conficker

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-14 19:41:44.167000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0038] Duqu

Current version: 1.2

Details

values_changed
STIX Field	Old value	New Value
modified	2020-03-30 02:07:19.052000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0605] EKANS

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 01:05:24.884000+00:00	2022-05-11 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0143] Flame

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2020-03-30 16:41:41.805000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0604] Industroyer

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Dragos Threat Intelligence', 'Joe Slowik - Dragos']

values_changed
STIX Field	Old value	New Value
modified	2022-04-14 19:56:46.309000+00:00	2022-05-23 21:22:34.355000+00:00
external_references[3]['url']	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
external_references[4]['url']	https://dragos.com/blog/crashoverride/CrashOverride-01.pdf	https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
external_references[5]['url']	https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf	https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0581] IronNetInjector

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-04-13 00:20:21.372000+00:00	2022-05-20 17:02:59.587000+00:00
external_references[1]['url']	https://unit42.paloaltonetworks.com/ironnetinjector/	https://unit42.paloaltonetworks.com/ironnetinjector/

[S0607] KillDisk

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 01:59:06.481000+00:00	2022-05-11 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0372] LockerGoga

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Joe Slowik - Dragos']

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 01:00:38.896000+00:00	2022-05-23 21:22:58.477000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0368] NotPetya

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-04-23 19:31:47.185000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0603] Stuxnet

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 01:44:44.149000+00:00	2022-05-20 16:22:32.608000+00:00
external_references[4]['url']	https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf	https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0366] WannaCry

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2020-05-13 22:59:51.283000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

ics-attack

New Software

[S1001] Bad Rabbit

Current version: 1.0

Description: [Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)

[S1002] BlackEnergy 3

Current version: 1.0

Description: [BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)

[S1003] Conficker

Current version: 1.0

Description: [Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. (Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)

[S0017] EKANS

Current version: 1.0

Description: [EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the “Snake” malware associated with the Turla group. The ICS processes documented within the malware’s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as “Snake”, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.

[S1004] Industroyer

Current version: 1.0

Description: [Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)

[S1005] Killdisk

Current version: 1.0

Description: In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)

[S1008] Stuxnet

Current version: 1.0

Description: [Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)

Patches

[S0093] Backdoor.Oldrea

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-20 01:25:31.056000+00:00	2022-05-11 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0606] Bad Rabbit

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-17 18:43:07.613000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0089] BlackEnergy

Current version: 1.3

Details

values_changed
STIX Field	Old value	New Value
modified	2021-04-26 15:59:03.034000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0608] Conficker

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-14 19:41:44.167000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0038] Duqu

Current version: 1.2

Details

values_changed
STIX Field	Old value	New Value
modified	2020-03-30 02:07:19.052000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0605] EKANS

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 01:05:24.884000+00:00	2022-05-11 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0143] Flame

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2020-03-30 16:41:41.805000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0604] Industroyer

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Dragos Threat Intelligence', 'Joe Slowik - Dragos']

values_changed
STIX Field	Old value	New Value
modified	2022-04-14 19:56:46.309000+00:00	2022-05-23 21:22:34.355000+00:00
external_references[3]['url']	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
external_references[4]['url']	https://dragos.com/blog/crashoverride/CrashOverride-01.pdf	https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
external_references[5]['url']	https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf	https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0607] KillDisk

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 01:59:06.481000+00:00	2022-05-11 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0372] LockerGoga

Current version: 2.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Joe Slowik - Dragos']

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 01:00:38.896000+00:00	2022-05-23 21:22:58.477000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0368] NotPetya

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-04-23 19:31:47.185000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0496] REvil

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 01:01:16.684000+00:00	2022-05-24 21:09:01.019000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0446] Ryuk

Current version: 1.3

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2022-03-26 13:13:19.978000+00:00	2022-05-24 21:10:44.381000+00:00
external_references[2]['source_name']	CrowdStrike Ryuk January 2019	Bleeping Computer - Ryuk WoL
external_references[2]['description']	Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.	Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
external_references[2]['url']	https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/	https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
external_references[4]['source_name']	FireEye FIN6 Apr 2019	CrowdStrike Ryuk January 2019
external_references[4]['description']	McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.	Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
external_references[4]['url']	https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html	https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
external_references[5]['source_name']	Bleeping Computer - Ryuk WoL	FireEye FIN6 Apr 2019
external_references[5]['description']	Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.	McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
external_references[5]['url']	https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/	https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0603] Stuxnet

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 01:44:44.149000+00:00	2022-05-20 16:22:32.608000+00:00
external_references[4]['url']	https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf	https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[S0366] WannaCry

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2020-05-13 22:59:51.283000+00:00	2022-04-25 14:00:00.188000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

Groups

enterprise-attack

Patches

[G0064] APT33

Current version: 1.4

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_contributors		['Dragos Threat Intelligence']
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-05-26 12:40:42.907000+00:00	2022-05-23 21:22:08.170000+00:00
external_references[4]['source_name']	FireEye APT33 Sept 2017	FireEye APT33 Webinar Sept 2017
external_references[4]['description']	O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.	Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
external_references[4]['url']	https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html	https://www.brighttalk.com/webcast/10703/275683
external_references[5]['source_name']	FireEye APT33 Webinar Sept 2017	Microsoft Holmium June 2020
external_references[5]['description']	Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.	Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
external_references[5]['url']	https://www.brighttalk.com/webcast/10703/275683	https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/
external_references[6]['source_name']	Microsoft Holmium June 2020	FireEye APT33 Sept 2017
external_references[6]['description']	Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.	O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
external_references[6]['url']	https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/	https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

[G0138] Andariel

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 15:16:47.329000+00:00	2022-05-24 16:27:11.471000+00:00
external_references[1]['source_name']	Andariel	Silent Chollima
external_references[1]['description']	(Citation: FSI Andariel Campaign Rifle July 2017)	(Citation: CrowdStrike Silent Chollima Adversary September 2021)
external_references[2]['source_name']	Silent Chollima	Andariel
external_references[2]['description']	(Citation: CrowdStrike Silent Chollima Adversary September 2021)	(Citation: FSI Andariel Campaign Rifle July 2017)
external_references[3]['source_name']	FSI Andariel Campaign Rifle July 2017	AhnLab Andariel Subgroup of Lazarus June 2018
external_references[3]['description']	FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.	AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
external_references[3]['url']	https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do	http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf
external_references[4]['source_name']	IssueMakersLab Andariel GoldenAxe May 2017	TrendMicro New Andariel Tactics July 2018
external_references[4]['description']	IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021.	Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.
external_references[4]['url']	http://www.issuemakerslab.com/research3/	https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
external_references[5]['source_name']	AhnLab Andariel Subgroup of Lazarus June 2018	CrowdStrike Silent Chollima Adversary September 2021
external_references[5]['description']	AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.	CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.
external_references[5]['url']	http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf	https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/
external_references[6]['source_name']	TrendMicro New Andariel Tactics July 2018	FSI Andariel Campaign Rifle July 2017
external_references[6]['description']	Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.	FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.
external_references[6]['url']	https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html	https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do
external_references[7]['source_name']	CrowdStrike Silent Chollima Adversary September 2021	IssueMakersLab Andariel GoldenAxe May 2017
external_references[7]['description']	CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.	IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021.
external_references[7]['url']	https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/	http://www.issuemakerslab.com/research3/

[G0035] Dragonfly

Current version: 3.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Dragos Threat Intelligence']

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 15:04:26.829000+00:00	2022-05-24 19:21:16.242000+00:00

[G0004] Ke3chang

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 17:08:18.374000+00:00	2022-05-13 12:17:09.479000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Manikantan Srinivasan, NEC Corporation India
x_mitre_contributors		Hiroki Nagahama, NEC Corporation

[G0094] Kimsuky

Current version: 3.1

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-25 12:25:09.059000+00:00	2022-05-24 16:28:34.698000+00:00

[G0032] Lazarus Group

Current version: 3.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
external_references		https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/

dictionary_item_removed
STIX Field	Old value	New Value
external_references	https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/

values_changed
STIX Field	Old value	New Value
modified	2022-03-23 19:01:20.193000+00:00	2022-05-23 21:20:57.634000+00:00
external_references[1]['source_name']	Lazarus Group	Labyrinth Chollima
external_references[1]['description']	(Citation: Novetta Blockbuster)	(Citation: CrowdStrike Labyrinth Chollima Feb 2022)
external_references[2]['source_name']	Labyrinth Chollima	ZINC
external_references[2]['description']	(Citation: CrowdStrike Labyrinth Chollima Feb 2022)	(Citation: Microsoft ZINC disruption Dec 2017)
external_references[3]['source_name']	HIDDEN COBRA	Lazarus Group
external_references[3]['description']	The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)	(Citation: Novetta Blockbuster)
external_references[4]['source_name']	Guardians of Peace	NICKEL ACADEMY
external_references[4]['description']	(Citation: US-CERT HIDDEN COBRA June 2017)	(Citation: Secureworks NICKEL ACADEMY Dec 2017)
external_references[5]['source_name']	ZINC	Guardians of Peace
external_references[5]['description']	(Citation: Microsoft ZINC disruption Dec 2017)	(Citation: US-CERT HIDDEN COBRA June 2017)
external_references[6]['source_name']	NICKEL ACADEMY	CrowdStrike Labyrinth Chollima Feb 2022
external_references[6]['description']	(Citation: Secureworks NICKEL ACADEMY Dec 2017)	CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.
external_references[7]['source_name']	US-CERT HIDDEN COBRA June 2017	Novetta Blockbuster
external_references[7]['description']	US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.	Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
external_references[7]['url']	https://www.us-cert.gov/ncas/alerts/TA17-164A	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
external_references[8]['source_name']	Treasury North Korean Cyber Groups September 2019	Secureworks NICKEL ACADEMY Dec 2017
external_references[8]['description']	US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.	Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
external_references[8]['url']	https://home.treasury.gov/news/press-releases/sm774	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing
external_references[9]['source_name']	Novetta Blockbuster	Microsoft ZINC disruption Dec 2017
external_references[9]['description']	Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.	Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
external_references[9]['url']	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/
external_references[10]['source_name']	CrowdStrike Labyrinth Chollima Feb 2022	HIDDEN COBRA
external_references[10]['description']	CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.	The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)
external_references[11]['source_name']	US-CERT HOPLIGHT Apr 2019	Treasury North Korean Cyber Groups September 2019
external_references[11]['description']	US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.	US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
external_references[11]['url']	https://www.us-cert.gov/ncas/analysis-reports/AR19-100A	https://home.treasury.gov/news/press-releases/sm774
external_references[12]['source_name']	Microsoft ZINC disruption Dec 2017	US-CERT HIDDEN COBRA June 2017
external_references[12]['description']	Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.	US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
external_references[12]['url']	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/	https://www.us-cert.gov/ncas/alerts/TA17-164A
external_references[13]['source_name']	Secureworks NICKEL ACADEMY Dec 2017	US-CERT HOPLIGHT Apr 2019
external_references[13]['description']	Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.	US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
external_references[13]['url']	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing	https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Dragos Threat Intelligence

[G0049] OilRig

Current version: 3.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 15:54:58.494000+00:00	2022-05-23 21:20:37.658000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Dragos Threat Intelligence

[G0034] Sandworm Team

Current version: 2.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Dragos Threat Intelligence']

values_changed
STIX Field	Old value	New Value
modified	2022-04-14 15:09:52.498000+00:00	2022-05-23 21:21:17.572000+00:00

[G0088] TEMP.Veles

Current version: 1.3

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_contributors		['Dragos Threat Intelligence']
x_mitre_deprecated		False
external_references		https://dragos.com/resource/xenotime/

dictionary_item_removed
STIX Field	Old value	New Value
external_references	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

values_changed
STIX Field	Old value	New Value
modified	2021-10-17 14:49:09.631000+00:00	2022-05-24 16:22:20.856000+00:00
external_references[2]['source_name']	XENOTIME	Dragos Xenotime 2018
external_references[2]['description']	The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )	Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.
external_references[3]['source_name']	FireEye TRITON 2019	FireEye TEMP.Veles 2018
external_references[3]['description']	Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.	FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
external_references[3]['url']	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
external_references[4]['source_name']	FireEye TEMP.Veles 2018	FireEye TEMP.Veles 2018
external_references[4]['url']	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
external_references[5]['source_name']	FireEye TEMP.Veles JSON April 2019	FireEye TRITON 2019
external_references[5]['description']	Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.	Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
external_references[5]['url']	https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
external_references[6]['source_name']	Dragos Xenotime 2018	FireEye TEMP.Veles JSON April 2019
external_references[6]['description']	Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.	Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
external_references[6]['url']	https://dragos.com/resource/xenotime/	https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html
external_references[8]['source_name']	FireEye TEMP.Veles 2018	XENOTIME
external_references[8]['description']	FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.	The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )

ics-attack

New Groups

[G0057] APT34

Current version: 1.0

[G0082] APT38

Current version: 2.0

Description: [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

[G0037] FIN6

Current version: 3.2

Description: [FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

[G0046] FIN7

Current version: 2.1

Description: [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)

[G0115] GOLD SOUTHFIELD

Current version: 1.1

Description: [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)

[G0102] Wizard Spider

Current version: 2.0

Description: [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Patches

[G1000] ALLANITE

Current version: 1.0

	Old Description			New Description
t	1	[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspe	t	1	[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspe
	>	cted Russian cyber espionage group, that has primarily targe		>	cted Russian cyber espionage group, that has primarily targe
	>	ted the electric utility sector within the United States and		>	ted the electric utility sector within the United States and
	>	United Kingdom. The group's tactics and techniques are repo		>	United Kingdom. The group's tactics and techniques are repo
	>	rtedly similar to [Dragonfly](https://attack.mitre.org/group		>	rtedly similar to [Dragonfly](https://attack.mitre.org/group
	>	s/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G		>	s/G0035), although [ALLANITE](https://attack.mitre.org/group
	>	0035), although [ALLANITE](https://attack.mitre.org/groups/G		>	s/G1000)s technical capabilities have not exhibited disrupti
	>	1000)s technical capabilities have not exhibited disruptive		>	ve or destructive abilities. It has been suggested that the
	>	or destructive abilities. It has been suggested that the gro		>	group maintains a presence in ICS for the purpose of gaining
	>	up maintains a presence in ICS for the purpose of gaining un		>	understanding of processes and to maintain persistence. (Ci
	>	derstanding of processes and to maintain persistence. (Citat		>	tation: Dragos)
	>	ion: Dragos)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:23.998000+00:00	2022-05-24 19:26:10.721000+00:00
description	[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0002) / [Dragonfly 2.0](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)	[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

[G0064] APT33

Current version: 1.4

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_contributors		['Dragos Threat Intelligence']
x_mitre_deprecated		False

values_changed
STIX Field	Old value	New Value
modified	2021-05-26 12:40:42.907000+00:00	2022-05-23 21:22:08.170000+00:00
external_references[4]['source_name']	FireEye APT33 Sept 2017	FireEye APT33 Webinar Sept 2017
external_references[4]['description']	O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.	Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
external_references[4]['url']	https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html	https://www.brighttalk.com/webcast/10703/275683
external_references[5]['source_name']	FireEye APT33 Webinar Sept 2017	Microsoft Holmium June 2020
external_references[5]['description']	Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.	Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
external_references[5]['url']	https://www.brighttalk.com/webcast/10703/275683	https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/
external_references[6]['source_name']	Microsoft Holmium June 2020	FireEye APT33 Sept 2017
external_references[6]['description']	Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.	O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
external_references[6]['url']	https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/	https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
x_mitre_domains[0]	enterprise-attack	ics-attack

[G0035] Dragonfly

Current version: 3.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Dragos Threat Intelligence']

values_changed
STIX Field	Old value	New Value
modified	2022-04-19 15:04:26.829000+00:00	2022-05-24 19:21:16.242000+00:00
x_mitre_domains[0]	enterprise-attack	ics-attack

[G1001] HEXANE

Current version: 1.0

	Old Description			New Description
t	1	[HEXANE](https://attack.mitre.org/groups/G1001) is a threat	t	1	[HEXANE](https://attack.mitre.org/groups/G1001) is a threat
	>	group that has targeted ICS organization within the oil & ga		>	group that has targeted ICS organization within the oil & ga
	>	s, and telecommunications sectors. Many of the targeted orga		>	s, and telecommunications sectors. Many of the targeted orga
	>	nizations have been located in the Middle East including Kuw		>	nizations have been located in the Middle East including Kuw
	>	ait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targe		>	ait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targe
	>	ting of telecommunications has been speculated to be part of		>	ting of telecommunications has been speculated to be part of
	>	an effort to establish man-in-the-middle capabilities throu		>	an effort to establish man-in-the-middle capabilities throu
	>	ghout the region. [HEXANE](https://attack.mitre.org/groups/G		>	ghout the region. [HEXANE](https://attack.mitre.org/groups/G
	>	1001)'s TTPs appear similar to [APT33](https://attack.mitre.		>	1001)'s TTPs appear similar to [APT33](https://attack.mitre.
	>	org/groups/G0003) and [OilRig](https://attack.mitre.org/grou		>	org/groups/G0064) and [OilRig](https://attack.mitre.org/grou
	>	ps/G0010) but due to differences in victims and tools it is		>	ps/G0049) but due to differences in victims and tools it is
	>	tracked as a separate entity. (Citation: Dragos)		>	tracked as a separate entity. (Citation: Dragos)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-06 17:47:24.002000+00:00	2022-05-24 19:27:30.581000+00:00
description	[HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0003) and [OilRig](https://attack.mitre.org/groups/G0010) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)	[HEXANE](https://attack.mitre.org/groups/G1001) is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. [HEXANE](https://attack.mitre.org/groups/G1001)'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity. (Citation: Dragos)
external_references[0]['source_name']	mitre-ics-attack	mitre-attack

[G0032] Lazarus Group

Current version: 3.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_deprecated		False
external_references		https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/

dictionary_item_removed
STIX Field	Old value	New Value
external_references	https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/

values_changed
STIX Field	Old value	New Value
modified	2022-03-23 19:01:20.193000+00:00	2022-05-23 21:20:57.634000+00:00
external_references[1]['source_name']	Lazarus Group	Labyrinth Chollima
external_references[1]['description']	(Citation: Novetta Blockbuster)	(Citation: CrowdStrike Labyrinth Chollima Feb 2022)
external_references[2]['source_name']	Labyrinth Chollima	ZINC
external_references[2]['description']	(Citation: CrowdStrike Labyrinth Chollima Feb 2022)	(Citation: Microsoft ZINC disruption Dec 2017)
external_references[3]['source_name']	HIDDEN COBRA	Lazarus Group
external_references[3]['description']	The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)	(Citation: Novetta Blockbuster)
external_references[4]['source_name']	Guardians of Peace	NICKEL ACADEMY
external_references[4]['description']	(Citation: US-CERT HIDDEN COBRA June 2017)	(Citation: Secureworks NICKEL ACADEMY Dec 2017)
external_references[5]['source_name']	ZINC	Guardians of Peace
external_references[5]['description']	(Citation: Microsoft ZINC disruption Dec 2017)	(Citation: US-CERT HIDDEN COBRA June 2017)
external_references[6]['source_name']	NICKEL ACADEMY	CrowdStrike Labyrinth Chollima Feb 2022
external_references[6]['description']	(Citation: Secureworks NICKEL ACADEMY Dec 2017)	CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.
external_references[7]['source_name']	US-CERT HIDDEN COBRA June 2017	Novetta Blockbuster
external_references[7]['description']	US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.	Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
external_references[7]['url']	https://www.us-cert.gov/ncas/alerts/TA17-164A	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
external_references[8]['source_name']	Treasury North Korean Cyber Groups September 2019	Secureworks NICKEL ACADEMY Dec 2017
external_references[8]['description']	US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.	Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
external_references[8]['url']	https://home.treasury.gov/news/press-releases/sm774	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing
external_references[9]['source_name']	Novetta Blockbuster	Microsoft ZINC disruption Dec 2017
external_references[9]['description']	Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.	Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
external_references[9]['url']	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/
external_references[10]['source_name']	CrowdStrike Labyrinth Chollima Feb 2022	HIDDEN COBRA
external_references[10]['description']	CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.	The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)
external_references[11]['source_name']	US-CERT HOPLIGHT Apr 2019	Treasury North Korean Cyber Groups September 2019
external_references[11]['description']	US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.	US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
external_references[11]['url']	https://www.us-cert.gov/ncas/analysis-reports/AR19-100A	https://home.treasury.gov/news/press-releases/sm774
external_references[12]['source_name']	Microsoft ZINC disruption Dec 2017	US-CERT HIDDEN COBRA June 2017
external_references[12]['description']	Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.	US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
external_references[12]['url']	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/	https://www.us-cert.gov/ncas/alerts/TA17-164A
external_references[13]['source_name']	Secureworks NICKEL ACADEMY Dec 2017	US-CERT HOPLIGHT Apr 2019
external_references[13]['description']	Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.	US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
external_references[13]['url']	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing	https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
x_mitre_domains[0]	enterprise-attack	ics-attack

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Dragos Threat Intelligence

[G0049] OilRig

Current version: 3.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-04-21 15:54:58.494000+00:00	2022-05-23 21:20:37.658000+00:00
x_mitre_domains[0]	enterprise-attack	ics-attack

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Dragos Threat Intelligence

[G0034] Sandworm Team

Current version: 2.2

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Dragos Threat Intelligence']

values_changed
STIX Field	Old value	New Value
modified	2022-04-14 15:09:52.498000+00:00	2022-05-23 21:21:17.572000+00:00
x_mitre_domains[0]	enterprise-attack	ics-attack

[G0088] TEMP.Veles

Current version: 1.3

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_attack_spec_version		2.1.0
x_mitre_contributors		['Dragos Threat Intelligence']
x_mitre_deprecated		False
external_references		https://dragos.com/resource/xenotime/

dictionary_item_removed
STIX Field	Old value	New Value
external_references	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

values_changed
STIX Field	Old value	New Value
modified	2021-10-17 14:49:09.631000+00:00	2022-05-24 16:22:20.856000+00:00
external_references[2]['source_name']	XENOTIME	Dragos Xenotime 2018
external_references[2]['description']	The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )	Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.
external_references[3]['source_name']	FireEye TRITON 2019	FireEye TEMP.Veles 2018
external_references[3]['description']	Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.	FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
external_references[3]['url']	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
external_references[4]['source_name']	FireEye TEMP.Veles 2018	FireEye TEMP.Veles 2018
external_references[4]['url']	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html	https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
external_references[5]['source_name']	FireEye TEMP.Veles JSON April 2019	FireEye TRITON 2019
external_references[5]['description']	Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.	Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
external_references[5]['url']	https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
external_references[6]['source_name']	Dragos Xenotime 2018	FireEye TEMP.Veles JSON April 2019
external_references[6]['description']	Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.	Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
external_references[6]['url']	https://dragos.com/resource/xenotime/	https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html
external_references[8]['source_name']	FireEye TEMP.Veles 2018	XENOTIME
external_references[8]['description']	FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.	The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )
x_mitre_domains[0]	enterprise-attack	ics-attack

Data Sources

enterprise-attack

Patches

[DS0015] Application Log

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-03-30T14:26:51.804Z	2022-05-11T14:00:00.188Z

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[DS0024] Windows Registry

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273Z	2022-05-11T14:00:00.188Z

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

ics-attack

Patches

[DS0015] Application Log

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2022-03-30T14:26:51.804Z	2022-05-11T14:00:00.188Z

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

[DS0040] Operational Databases

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_domains		['ics-attack']
x_mitre_attack_spec_version		2.1.0
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

dictionary_item_removed
STIX Field	Old value	New Value
x_mitre_contributors	[]

values_changed
STIX Field	Old value	New Value
modified	2022-05-11T16:22:58.802589Z	2022-05-11T16:22:58.802Z
created	2022-05-11T16:22:58.802589Z	2022-05-11T16:22:58.802Z

[DS0024] Windows Registry

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273Z	2022-05-11T14:00:00.188Z

iterable_item_added
STIX Field	Old value	New Value
x_mitre_domains		ics-attack

Deletions

[DS0039] Assets

Current version: 1.0

Description: Data sources with information about the set of devices found within the network, along with their current software and configurations

Data Components

ics-attack

Patches

Operational Databases: Device Alarm

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_domains		['ics-attack']
x_mitre_attack_spec_version		2.1.0
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-11T16:22:58.802647Z	2022-05-11T16:22:58.802Z
created	2022-05-11T16:22:58.802647Z	2022-05-11T16:22:58.802Z

Operational Databases: Process History/Live Data

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_domains		['ics-attack']
x_mitre_attack_spec_version		2.1.0
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-11T16:22:58.802606Z	2022-05-11T16:22:58.802Z
created	2022-05-11T16:22:58.802606Z	2022-05-11T16:22:58.802Z

Operational Databases: Process/Event Alarm

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_domains		['ics-attack']
x_mitre_attack_spec_version		2.1.0
x_mitre_modified_by_ref		identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

values_changed
STIX Field	Old value	New Value
modified	2022-05-11T16:22:58.802627Z	2022-05-11T16:22:58.802Z
created	2022-05-11T16:22:58.802627Z	2022-05-11T16:22:58.802Z