{ "metadata": { "file": "ics-sub-techniques-crosswalk.json", "domain": "ics-attack", "description": "This file maps ICS ATT&CK techniques from their previous ATT&CK IDs and STIX IDs to the ATT&CK IDs and STIX IDs used after the ICS sub-techniques migration. It also lists brand-new techniques and sub-techniques introduced by the migration that do not have previous ATT&CK IDs.", "date": "2026-04-28" }, "existing-techniques": { "T0803": { "attack-v18-attack-id": "T0803", "attack-v19-attack-id": "T1691.001", "attack-v18-stix-id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "attack-v19-stix-id": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "attack-v18-name": "Block Command Message", "attack-v19-name": "Block Operational Technology Message: Command Message", "attack-v19-parent-attack-id": "T1691", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0804": { "attack-v18-attack-id": "T0804", "attack-v19-attack-id": "T1691.002", "attack-v18-stix-id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "attack-v19-stix-id": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "attack-v18-name": "Block Reporting Message", "attack-v19-name": "Block Operational Technology Message: Reporting Message", "attack-v19-parent-attack-id": "T1691", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0855": { "attack-v18-attack-id": "T0855", "attack-v19-attack-id": "T1692.001", "attack-v18-stix-id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "attack-v19-stix-id": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "attack-v18-name": "Unauthorized Command Message", "attack-v19-name": "Unauthorized Message: Command Message", "attack-v19-parent-attack-id": "T1692", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0856": { "attack-v18-attack-id": "T0856", "attack-v19-attack-id": "T1692.002", "attack-v18-stix-id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "attack-v19-stix-id": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "attack-v18-name": "Spoof Reporting Message", "attack-v19-name": "Unauthorized Message: Reporting Message", "attack-v19-parent-attack-id": "T1692", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0857": { "attack-v18-attack-id": "T0857", "attack-v19-attack-id": "T1693.001", "attack-v18-stix-id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "attack-v19-stix-id": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "attack-v18-name": "System Firmware", "attack-v19-name": "Modify Firmware: System Firmware", "attack-v19-parent-attack-id": "T1693", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0839": { "attack-v18-attack-id": "T0839", "attack-v19-attack-id": "T1693.002", "attack-v18-stix-id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "attack-v19-stix-id": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "attack-v18-name": "Module Firmware", "attack-v19-name": "Modify Firmware: Module Firmware", "attack-v19-parent-attack-id": "T1693", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0812": { "attack-v18-attack-id": "T0812", "attack-v19-attack-id": "T1694.001", "attack-v18-stix-id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "attack-v19-stix-id": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "attack-v18-name": "Default Credentials", "attack-v19-name": "Insecure Credentials: Default Credentials", "attack-v19-parent-attack-id": "T1694", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0891": { "attack-v18-attack-id": "T0891", "attack-v19-attack-id": "T1694.002", "attack-v18-stix-id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "attack-v19-stix-id": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", "attack-v18-name": "Hardcoded Credentials", "attack-v19-name": "Insecure Credentials: Hardcoded Credentials", "attack-v19-parent-attack-id": "T1694", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0873": { "attack-v18-attack-id": "T0873", "attack-v19-attack-id": "T0873", "attack-v18-stix-id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "attack-v19-stix-id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "attack-v18-name": "Project File Infection", "attack-v19-name": "Project File Infection", "attack-v19-parent-attack-id": "", "technique-change-type": "Remains a technique", "explanation": "Getting a sub-technique for Siemens Project File Format" }, "T0846": { "attack-v18-attack-id": "T0846", "attack-v19-attack-id": "T0846", "attack-v18-stix-id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "attack-v19-stix-id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "attack-v18-name": "Remote System Discovery", "attack-v19-name": "Remote System Discovery", "attack-v19-parent-attack-id": "", "technique-change-type": "Remains a technique", "explanation": "Getting sub-techniques for port scan, broadcast discovery, multicast discovery" }, "T0805": { "attack-v18-attack-id": "T0805", "attack-v19-attack-id": "T1695.001", "attack-v18-stix-id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "attack-v19-stix-id": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "attack-v18-name": "Block Serial COM", "attack-v19-name": "Block Communications: Serial COM", "attack-v19-parent-attack-id": "T1695", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0843": { "attack-v18-attack-id": "T0843", "attack-v19-attack-id": "T0843", "attack-v18-stix-id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "attack-v19-stix-id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "attack-v18-name": "Program Download", "attack-v19-name": "Program Download", "attack-v19-parent-attack-id": "", "technique-change-type": "Remains a technique", "explanation": "Getting sub-techniques for Download All and Program Append" } }, "new-techniques": { "T1691": { "attack-v19-attack-id": "T1691", "attack-v19-stix-id": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", "attack-v19-name": "Block Operational Technology Message", "attack-v19-parent-attack-id": "", "technique-change-type": "Became a new technique", "explanation": "" }, "T1692": { "attack-v19-attack-id": "T1692", "attack-v19-stix-id": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", "attack-v19-name": "Unauthorized Message", "attack-v19-parent-attack-id": "", "technique-change-type": "Became a new technique", "explanation": "" }, "T1693": { "attack-v19-attack-id": "T1693", "attack-v19-stix-id": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", "attack-v19-name": "Modify Firmware", "attack-v19-parent-attack-id": "", "technique-change-type": "Became a new technique", "explanation": "" }, "T1694": { "attack-v19-attack-id": "T1694", "attack-v19-stix-id": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", "attack-v19-name": "Insecure Credentials", "attack-v19-parent-attack-id": "", "technique-change-type": "Became a new technique", "explanation": "" }, "T0873.001": { "attack-v19-attack-id": "T0873.001", "attack-v19-stix-id": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", "attack-v19-name": "Project File Infection: Siemens Project File Format", "attack-v19-parent-attack-id": "T0873", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0846.001": { "attack-v19-attack-id": "T0846.001", "attack-v19-stix-id": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", "attack-v19-name": "Remote System Discovery: Port Scan", "attack-v19-parent-attack-id": "T0846", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0846.002": { "attack-v19-attack-id": "T0846.002", "attack-v19-stix-id": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", "attack-v19-name": "Remote System Discovery: Broadcast Discovery", "attack-v19-parent-attack-id": "T0846", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0846.003": { "attack-v19-attack-id": "T0846.003", "attack-v19-stix-id": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", "attack-v19-name": "Remote System Discovery: Multicast Discovery", "attack-v19-parent-attack-id": "T0846", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T1695": { "attack-v19-attack-id": "T1695", "attack-v19-stix-id": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", "attack-v19-name": "Block Communications", "attack-v19-parent-attack-id": "", "technique-change-type": "Became a new technique", "explanation": "Getting sub-techniques for Block Serial COM, Block Ethernet, and Block Wi-Fi" }, "T1695.002": { "attack-v19-attack-id": "T1695.002", "attack-v19-stix-id": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", "attack-v19-name": "Block Communications: Ethernet", "attack-v19-parent-attack-id": "T1695", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T1695.003": { "attack-v19-attack-id": "T1695.003", "attack-v19-stix-id": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", "attack-v19-name": "Block Communications: Wi-Fi", "attack-v19-parent-attack-id": "T1695", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0843.001": { "attack-v19-attack-id": "T0843.001", "attack-v19-stix-id": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", "attack-v19-name": "Program Download: Download All", "attack-v19-parent-attack-id": "T0843", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0843.002": { "attack-v19-attack-id": "T0843.002", "attack-v19-stix-id": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", "attack-v19-name": "Program Download: Online Edit", "attack-v19-parent-attack-id": "T0843", "technique-change-type": "Became new sub-technique", "explanation": "" }, "T0843.003": { "attack-v19-attack-id": "T0843.003", "attack-v19-stix-id": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", "attack-v19-name": "Program Download: Program Append", "attack-v19-parent-attack-id": "T0843", "technique-change-type": "Became new sub-technique", "explanation": "" } } }