Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
| ID | Name | Description | |
| ATAGS-T1078 | Abuse Elevation Control Mechanism | Threat actors may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. | |
| .001 | Bypass User Account Control | Threat Actors may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. | |
| .002 | Elevated Execution with Prompt | Threat Actors may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. | |
| .003 | Setuid and Setgid | Threat Actors may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges. | |
| .004 | Sudo and Sudo Caching | Threat Actors may perform sudo caching and/or use the sudoers file to elevate privileges. Threat Actors may do this to execute commands as other users or spawn processes with higher privileges. | |
| .005 | TCC Manipulation | Threat Actors can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA). | |
| .006 | Temporary Elevated Cloud Access | Threat Actors may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. | |
| ATAGS-T1079 | Access Token Manipulation | Threat actors may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. | |
| .001 | Create Process with Token | Threat Actors may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas. | |
| .002 | Make and Impersonate Token | Threat Actors may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if Threat Actors has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread. | |
| .003 | Parent PID Spoofing | Threat Actors may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exeor consent.exe) rather than the current user context. | |
| .004 | SID-History Injection | Threat Actors may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). | |
| .005 | Token Impersonation/Theft | Threat Actors may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, Threat Actors can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. | |
| ATAGS-T1210 | Account Access Removal | Threat actors may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts. Threat actors may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place. | |
| ATAGS-T1127 | Account Discovery | Threat actors may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help Threat actors determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts). | |
| .001 | Local Account | Threat Actors may attempt to get a listing of local system accounts. This information can help Threat Actors determine which local accounts exist on a system to aid in follow-on behavior. | |
| .002 | Domain Account | Threat Actors may attempt to get a listing of domain accounts. This information can help Threat Actors determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. | |
| .003 | Email Account | Threat Actors may attempt to get a listing of email addresses and accounts. Threat Actors may try to dump Exchange address lists such as global address lists (GALs). | |
| .004 | Cloud Account | Threat Actors may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. | |
| ATAGS-T1080 | Account Manipulation | Threat actors may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. | |
| .001 | Additional Cloud Credentials | Threat Actors may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. | |
| .002 | Additional Cloud Roles | Threat Actors may add additional roles or permissions to Threat Actors-controlled cloud account to maintain persistent access to a tenant. For example, Threat Actors may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins). | |
| .003 | Additional Container Cluster Roles | Threat Actors may add additional roles or permissions to Threat Actors-controlled user or service account to maintain persistent access to a container orchestration system. For example, Threat Actors with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, Threat Actors with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions. | |
| .004 | Additional Email Delegate Permissions | Threat Actors may grant additional permission levels to maintain persistent access to Threat Actors-controlled email account. | |
| .005 | Additional Local or Domain Groups | Threat Actors may add additional local or domain groups to Threat Actors-controlled account to maintain persistent access to a system or domain. | |
| .006 | Device Registration | Threat Actors may register a device to Threat Actors-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. | |
| .007 | SSH Authorized Keys |
Threat Actors may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under |
|
| ATAGS-T1014 | Acquire Access | Threat actors may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other. | |
| ATAGS-T1015 | Acquire or Build Infrastructure | Threat actors may acquire a Ground Segment, a Ground Station service (e.g. Amazon service ), satellite(s), or other infrastructure that can be useful to his attacking plans. Such an infrastructure can be a set of antennas, lasers, Software Defined Radios (SDR) or other equipment able to transmit the desired signals. Such equipment can be fixed on ground, mounted on vehicles like trucks, ships, aircraft, or also installed on board of satellites. | |
| .001 | Acquire Ground-station/ Ground segment | Threat actors may build a new ground station or gaining control of an existing one. | |
| .002 | Acquire jamming equipment | Antennas, lasers, or other equipment able to jam a radio or visible-light frequency can be useful to prevent communication or an image acquisition. These instruments can be fixed on ground, mounted on vehicles like trucks, ships, aircraft, or also installed on board of satellites. | |
| .003 | Acquire Satellite | Launching a new satellite or gaining control of an existing satellite. | |
| .004 | Rent ground segment as a service | Building it, or renting a cloud based Ground Segment (e.g., AWS) | |
| ATAGS-T1000 | Active Scanning of Provider Infrastructure | Threat actors may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure (GS and Cloud infrastructure) via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. | |
| ATAGS-T1111 | Adversary in the Middle | Threat actors may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique. | |
| .001 | Lower Orbit Satellites, or Drones | Threat Actors can take advantage of a drone or any satellite located between the target and the ground station to sniff the communication link. | |
| .002 | ARP Cache Poisoning | Threat Actors may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. | |
| .003 | DHCP Spoofing | Threat Actors may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, Threat Actors may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. | |
| .004 | Evil Twin | Threat Actors may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or Input Capture. | |
| .005 | LLMNR/NBT-NS Poisoning and SMB Relay | By responding to LLMNR/NBT-NS network traffic, Threat Actors may spoof an authoritative source for name resolution to force communication with Threat Actors controlled system. This activity may be used to collect or relay authentication materials. | |
| .006 | Unauthenticated gateway or unauthenticated interplanetary node | If unauthenticated gateways or unauthenticated interplanetary nodes are used, Threat Actors can substitute them with an own resource, to collect or modify transmitted data. | |
| .007 | Satellite constellation | A satellite with stolen credential can take place into a dynamic constellation and collect data. | |
| ATAGS-T1167 | Archive Collected Data | Threat actors may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. | |
| .001 | Archive via Utility | Threat Actors may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. | |
| .002 | Archive via Library | Threat Actors may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile , libzip , and zlib . Most libraries include functionality to encrypt and/or compress data. | |
| .003 | Archive via Custom Method | Threat Actors may compress or encrypt data that is collected prior to exfiltration using a custom method. Threat Actors may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used. | |
| ATAGS-T1021 | Assembly, Test, and Launch Operation Compromise | Threat actors may target the Ground Station hardware and/or software while the GS is at Assembly, Test, and Launch Operation (ATLO). ATLO is often the first time pieces of the Ground Station are fully integrated and exchanging data across interfaces. Malware could propagate from infected devices across the integrated GS. For example, test equipment (i.e., transient cyber asset) is often brought in for testing elements of the ground station. Additionally, varying levels of physical security is in place which may be a reduction in physical security typically seen during development. The ATLO environment should be considered a viable attack vector and the appropriate/equivalent security controls from the primary development environment should be implemented during ATLO as well. | |
| ATAGS-T1168 | Audio Capture | Threat actors can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. | |
| ATAGS-T1169 | Automated Collection | Once established within a system or network, threat actors may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. | |
| ATAGS-T1197 | Automated Exfiltration | Threat actors may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. | |
| .001 | Traffic Duplication | Threat Actors may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. | |
| ATAGS-T1042 | Autorun Image | Threat actors may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, Threat actors may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. | |
| ATAGS-T1066 | Backdoor | Threat actors may find and target various backdoors, or inject their own, within the victim ground station provider in the hopes of maintaining their attack. | |
| .001 | Hardware Backdoor | Threat actors may find and target various hardware backdoors within the victim spacecraft in the hopes of maintaining their attack. Once in orbit, mitigating the risk of various hardware backdoors becomes increasingly difficult for ground controllers. By targeting these specific vulnerabilities, threat actors are more likely to remain persistent on the victim spacecraft and perpetuate further attacks. | |
| .002 | Software Backdoor | Threat actors may inject code to create their own backdoor to establish persistent access to the spacecraft. This may be done through modification of code throughout the software supply chain or through modification of the software-defined radio configuration (if applicable). | |
| ATAGS-T1128 | Browser Information Discovery | Threat actors may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. | |
| ATAGS-T1170 | Browser Session Hijacking | Threat actors may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques. | |
| ATAGS-T1112 | Brute Force | Threat actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. | |
| .001 | TC Brute Forcing | Threat Actors can use brute force to gain access to a TC channel, to force encryption or to guess the valid commands. | |
| .002 | Credential Stuffing | Threat Actors may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to Threat Actors attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. | |
| .003 | Password Cracking | Threat Actors may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get Threat Actors so far when Pass the Hash is not an option. Further, Threat Actors may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices. | |
| .004 | Password Guessing | Threat Actors with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, Threat Actors may opt to systematically guess the password using a repetitive or iterative mechanism. Threat Actors may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. | |
| .005 | Password Spraying | Threat Actors may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. | |
| ATAGS-T1087 | Build Image on Host | Threat actors may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it. | |
| ATAGS-T1171 | Clipboard Data | Threat actors may collect data stored in the clipboard from users copying information within or between applications. | |
| ATAGS-T1043 | Cloud Administration Command | Threat actors may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. | |
| ATAGS-T1044 | Cloud API execution | Threat actors may abuse the legitimate Cloud Control APIs provided by the GSaaS platform to execute commands (e.g., slewing antennas, scheduling passes, modifying modulation schemes). This requires valid credentials but leverages the inherent functionality of the service. The attacker calls a legitimate function exactly as the developer intended, but for a malicious purpose. | |
| ATAGS-T1067 | Cloud Application Integration | Threat actors may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Threat actors may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends. | |
| ATAGS-T1129 | Cloud Infrastructure Discovery | Threat actors may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. | |
| ATAGS-T1068 | Cloud Scheduled Task / Jobs | Threat actors may abuse cloud-native task scheduling services (e.g., AWS EventBridge Scheduler, Azure Logic Apps) or the Ground Station's own scheduling API to trigger malicious code execution at specific times. Unlike OS-level tasks, these schedules persist in the cloud control plane. Attackers may use this to synchronize malicious data processing or exfiltration scripts with the precise Acquisition of Signal (AOS) windows of the target satellite. | |
| ATAGS-T1130 | Cloud Service Dashboard | Threat actors may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, review findings of potential security risks, and run additional queries, such as finding public IP addresses and open ports. | |
| ATAGS-T1131 | Cloud Service Discovery | Threat actors may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. | |
| ATAGS-T1132 | Cloud Storage Object Discovery | Threat actors may enumerate objects in cloud storage infrastructure. Threat actors may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) Threat actors may access the contents/objects stored in cloud infrastructure. | |
| ATAGS-T1133 | Cloud/Organization Policy Discovery | Threat actors may gather information on Cloud Organization Policies (e.g., AWS SCPs) or IAM boundaries to identify paths for privilege escalation and understand the security constraints applied to the tenancy. | |
| ATAGS-T1045 | Code Flaws Exploit | Threats actors may identify and exploit flaws or weaknesses within the software running on-board the target ground station. These attacks may be extremely targeted and tailored to specific coding errors introduced as a result of poor coding practices or they may target known issues in the commercial software components. | |
| ATAGS-T1046 | Command and Scripting Interpreter | Threat actors may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. | |
| .001 | AppleScript | Threat actors may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. | |
| .002 | AutoHotKey & AutoIT | Threat actors may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs. | |
| .003 | Cloud API | Threat actors may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell, or software developer kits (SDKs) available for languages such as Python. | |
| .004 | Container CLI/API | Threat actors may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. | |
| .005 | Hypervisor CLI | Threat actors may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts. | |
| .006 | JavaScript | Threat actors may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser. | |
| .007 | Lua | Threat actors may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State). | |
| .008 | Network Device CLI | Threat actors may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. | |
| .009 | PowerShell | Threat actors may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Threat actors can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). | |
| .010 | Python | Threat actors may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. | |
| .011 | Unix Shell | Threat actors may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. | |
| .012 | Visual Basic | Threat actors may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core. | |
| .013 | Windows Command Shell | Threat actors may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. | |
| ATAGS-T1088 | Component Collusion | This technique involves two or more compromised components operating in coordination to conceal malicious activity. Threat actors compromise multiple software modules during the supply chain process and design them to behave cooperatively. Each component independently performs only a limited, seemingly benign function, such that when analyzed in isolation, no single module appears malicious. An example of implementation involves one component acting as a trigger agent, waiting for specific mission or system conditions (e.g., GPS fix, telemetry state) and writing a signal to a shared resource (e.g., file, bus). A separate action agent monitors this resource and only executes the malicious behavior (such as data exfiltration or command injection) upon receiving the trigger. This division of responsibilities significantly undermines traditional detection techniques, such as log analysis, static code review, or heuristic-based behavior monitoring. | |
| ATAGS-T1016 | Compromise Infrastructure | Threat actors may compromise third-party infrastructure that can be used for future campaigns or to perpetuate other techniques. Infrastructure solutions include physical devices such as antennas, amplifiers, and converters, as well as software used by satellite communicators. Instead of buying or renting infrastructure, a threat actor may compromise infrastructure and use it during other phases of the campaign's lifecycle. | |
| .001 | 3rd Party Ground System | Threat actors may compromise access to third-party ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems can be or may have already been configured for communications to the victim. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. | |
| .002 | 3rd-Party Spacecraft | Threat actors may compromise access to third-party ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems can be or may have already been configured for communications to the victim ground station. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. | |
| .003 | Botnet | Threat actors may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Threat actors may purchase a subscription to use an existing botnet from a booter/stresser service. | |
| .004 | Compromise Ground Segment | If a Ground System is located in a remote area with limited physical security controls, a physical violation of the site is possible. Authentication systems should be implemented that make it difficult to use the site without proper authorization. | |
| .005 | Compromise Satellite(s) | Compromised or malicious satellites might be abused by Threat actors to achieve kinetic effects on other satellites in orbit, such as sensor interference or manipulation. | |
| .006 | DNS Server | Threat actors may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, Threat actors may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, Threat actors may opt to configure and run their own DNS servers in support of operations. | |
| .007 | Domains | Threat actors may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. | |
| .008 | Malvertising | Threat actors may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements. Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. | |
| .009 | Mission-Operated Ground System | Threat actors may compromise mission owned/operated ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems have already been configured for communications to the victim ground station. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration. | |
| .010 | Network Devices | Threat actors may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. | |
| .011 | Server | Threat actors may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, Threat actors may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, Threat actors may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused. | |
| .012 | Serverless | Threat actors may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, Threat actors can make it more difficult to attribute infrastructure used during operations back to them. | |
| .013 | Virtual Private Server | Threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, Threat actors can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for Threat actors to rapidly provision, modify, and shut down their infrastructure. | |
| .014 | Web Services | Threat actors may register for web services that can be used during targeting. A variety of popular websites exist for Threat actors to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for Threat actors to hide in expected noise. By utilizing a web service, Threat actors can make it difficult to physically tie back operations to them. | |
| ATAGS-T1017 | Compromise or Establish Accounts | Threat actors may compromise or establish accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Threat actors may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Adversaries may also create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations; persona development consists of the development of public information, presence, history, and appropriate affiliations. This development could be applied to social media, websites, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity. | |
| ATAGS-T1134 | Container and Resource Discovery | Threat actors may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. | |
| ATAGS-T1022 | Content Injection | Threat actors may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), Threat actors may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems. | |
| ATAGS-T1113 | Credentials from Password Stores | Threat actors may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. | |
| .001 | Cloud Secrets Management Stores | Threat Actors may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. | |
| .002 | Credentials from Web Browsers | Threat Actors may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. | |
| .003 | Keychain | Threat Actors may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. | |
| .004 | Password Managers | Threat Actors may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. | |
| .005 | Securityd Memory | Threat Actors with root access may gather credentials by reading securityd’s memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc. | |
| .006 | Windows Credential Manager | Threat Actors may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). | |
| ATAGS-T1211 | Data Destruction | Threat actors may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. | |
| .001 | Lifecycle-Triggered Deletion | Threat Actors may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. | |
| ATAGS-T1183 | Data Encoding | Threat actors may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. | |
| .001 | Standard Encoding | Threat Actors may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. | |
| .002 | Non-Standard Encoding | Threat Actors may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request. | |
| ATAGS-T1212 | Data Encrypted for Impact | Threat actors may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. | |
| ATAGS-T1172 | Data from Cloud Storage | Threat actors may access data saved in cloud storage. | |
| ATAGS-T1173 | Data from Configuration Repository | Threat actors may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. | |
| .001 | SNMP (MIB Dump) | Threat Actors may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). | |
| .002 | Network Device Configuration Dump | Threat Actors may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Threat Actors can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use. | |
| ATAGS-T1174 | Data from Information Repositories | Threat actors may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid Threat actors in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Threat actors may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account). | |
| .001 | Confluence | Threat Actors may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may in general contain more diverse categories of useful information, such as: | |
| .002 | SharePoint | Threat Actors may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for Threat Actors to learn about the structure and functionality of the internal network and systems. For example, the following is a list of information that may hold potential value to Threat Actors and may also be found on SharePoint: | |
| .003 | Code Repositories | Threat Actors may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as GitHub, GitLab, SourceForge, and Bitbucket. Users typically interact with code repositories through a web application or command-line utilities such as git. | |
| .004 | Customer Relationship Management Software | Threat Actors may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data. | |
| .005 | Messaging Applications | Threat Actors may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. | |
| .006 | Databases | Threat Actors may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). | |
| ATAGS-T1175 | Data from Link Eavesdropping | Threat actors can collect data transmitted over a channel if they are able to decode and decrypt the communication. | |
| .001 | Payload Eavesdropping | Threat Actors can collect data transmitted over the payload channel, if it is used. | |
| .002 | Range Data Eavesdropping | Threat Actors can intercept range data to locate and more accurately target the victim ground station. Mitigation comes from higher-level protocols (encryption to assure confidentiality). | |
| .003 | TC/TM Eavesdropping | Threat actors can collect and access data transmitted over TT&C if the communication does not rely on encryption. | |
| ATAGS-T1176 | Data from Local System | Threat actors may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration. | |
| ATAGS-T1177 | Data from Network Shared Drive | Threat actors may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. | |
| ATAGS-T1213 | Data Manipulation | Threat actors may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, Threat actors may attempt to affect a business process, organizational understanding, or decision making. | |
| .001 | Runtime Data Manipulation | Threat Actors may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, Threat Actors may attempt to affect a business process, organizational understanding, and decision making. | |
| .002 | Stored Data Manipulation | Threat Actors may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, Threat Actors may attempt to affect a business process, organizational understanding, and decision making. | |
| .003 | Transmitted Data Manipulation | Threat Actors may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data. By manipulating transmitted data, Threat Actors may attempt to affect a business process, organizational understanding, and decision making. | |
| ATAGS-T1184 | Data Obfuscation | Threat actors may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. | |
| .001 | Junk Data | Threat Actors may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, Threat Actors can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. | |
| .002 | Steganography | Threat Actors may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. | |
| .003 | Protocol or Service Impersonation | Threat Actors may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, Threat Actors can make their command and control traffic blend in with legitimate network traffic. | |
| ATAGS-T1178 | Data Staged | Threat actors may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. | |
| .001 | Local Data Staging | Threat Actors may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. | |
| .002 | Remote Data Staging | Threat Actors may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. | |
| ATAGS-T1198 | Data Transfer Size Limits | Threat actors may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. | |
| ATAGS-T1089 | Debugger Evasion | Threat actors may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads. | |
| ATAGS-T1214 | Defacement | Threat actors may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. | |
| .001 | External Defacement | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. | |
| .002 | Internal Defacement | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished. | |
| ATAGS-T1159 | Default Credentials | Threat actors may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. | |
| ATAGS-T1215 | Degradation of Infrastructure | Measures designed to permanently impair (either partially or totally) the use of a system. Threat actors may target various subsystems or the hosted payload in such a way as to rapidly increase its degradation. This could potentially shorten the lifespan of the victim spacecraft. | |
| ATAGS-T1090 | Delay Execution | Threat actors may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Threat actors can perform this behavior within virtualization/sandbox environments or natively on host systems. | |
| ATAGS-T1216 | Denial of Service | Measures designed to temporarily eliminate the use, access, or operation of a system for a period of time, usually without physical damage to the affected system. Threat actors may seek to deny ground providers or customers access to the victim infrastructure. This could be done by exhausting system resources, degrading subsystems, or blocking communications entirely. | |
| ATAGS-T1091 | Deobfuscate/Decode Files or Information | Threat actors may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing so include built-in functionality of malware or the use of utilities present on the system. | |
| ATAGS-T1092 | Deploy Container | Threat actors may deploy a container into an environment to facilitate execution or evade defenses. In some cases, Threat actors may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node. | |
| ATAGS-T1018 | Develop or Obtain Cyber Capabilities | Threat actors may build, buy or steal capabilities that can be used during targeting. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. | |
| ATAGS-T1019 | Develop or Obtain Non-Cyber Capabilities | Threat actors may obtain non-cyber capabilities, primarily physical weapons or systems. These capabilities vary significantly in the types of effects they create, the level of technological sophistication required, and the level of resources needed to develop and deploy them. These diverse capabilities also differ in how they are employed, how easy they are to detect and attribute, and the permanence of the effects they have on their target. | |
| ATAGS-T1135 | Device Driver Discovery | Threat actors may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation). | |
| ATAGS-T1023 | Direct Attack to Space Communication Links | Threat actors can leverage communication channels to initially access a resource, using TT&C or a payload channel, opening a communication link to compromise the victim system. Threat actors can perform different actions. | |
| .001 | Record and replay TC/TM or mission specific packets | Threat actors can record and replay TC/TM packets to deceive the spacecraft or the ground station, causing unexpected behavior or an erroneous evaluation of the spacecraft status. Threat actors can gain access to the data exchanged in a payload channel or even spoof TC. Usually the TM replay doesn't cause an impact, unless timing information is transmitted. | |
| ATAGS-T1081 | Domain or Tenant Policy Modification | Threat actors may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation. | |
| .001 | Group Policy Modification | Threat Actors may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path \ | |
| .002 | Trust Modification | Threat Actors may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. | |
| ATAGS-T1024 | Drive-by Compromise | Threat actors may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including: | |
| ATAGS-T1185 | Dynamic Resolution | Threat actors may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. | |
| .001 | Fast Flux DNS | Threat Actors may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record. | |
| .002 | Domain Generation Algorithms | Threat Actors may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. | |
| .003 | DNS Calculation | Threat Actors may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. | |
| ATAGS-T1179 | Email Collection | Threat actors may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to Threat actors. Emails may also contain details of ongoing incident response operations, which may allow Threat actors to adjust their techniques in order to maintain persistence or evade defenses. Threat actors can collect or forward email from mail servers or clients. | |
| .001 | Local Email Collection | Threat Actors may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. | |
| .002 | Remote Email Collection | Threat Actors may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Threat Actors may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Threat Actors may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords. | |
| .003 | Email Forwarding Rule | Threat Actors may set up email forwarding rules to collect sensitive information. Threat Actors may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow Threat Actors to maintain persistent access to a victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes. | |
| ATAGS-T1186 | Encrypted Channel | Threat actors may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. | |
| .001 | Symmetric Cryptography | Threat Actors may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. | |
| .002 | Asymmetric Cryptography | Threat Actors may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. | |
| ATAGS-T1047 | Encryption Disable/Bypass | Threat actors may perform specific techniques in order to bypass or disable the encryption mechanism onboard the victim spacecraft. By bypassing or disabling this particular mechanism, further tactics can be performed, such as Exfiltration, that may have not been possible with the internal encryption process in place. | |
| ATAGS-T1217 | Endpoint Denial of Service | Threat actors may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Threat actors have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. | |
| .001 | Application Exhaustion Flood | Threat Actors may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. | |
| .002 | Application or System Exploitation | Threat Actors may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition. | |
| .003 | OS Exhaustion Flood | Threat Actors may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. | |
| .004 | Service Exhaustion Flood | Threat Actors may target the different network services provided by systems to conduct a denial of service (DoS). Threat Actors often target the availability of DNS and web services, however others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. | |
| ATAGS-T1082 | Escape to Host | If containers or hypervisors are used, an attacker could overcome the container fences and gain access to the host system. Separations between applications may be defeated, and malicious operations could affect other functionalities. This attack can leverage common utilities, schedulers, shared memory, or vulnerabilities. | |
| .001 | Exploitation of vulnerabilities | Threat Actors can exploit unpatched or outdated containers or hypervisors to escape them. | |
| ATAGS-T1069 | Event Triggered Execution | Threat actors may establish persistence by hijacking cloud-native event triggers. Attackers may manipulate Cloud Event Rules (e.g., EventBridge, Azure Event Grid) to trigger malicious serverless functions or containers in response to standard mission events, such as Satellite Contact Finished or Data Delivered. This ensures malicious code executes automatically during normal mission operations. | |
| .001 | Accessibility Features | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. | |
| .002 | AppCert DLLs | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. | |
| .003 | AppInit DLLs | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. | |
| .004 | Application Shimming | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. | |
| .005 | Change Default File Association | Threat Actors may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. | |
| .006 | Component Object Model Hijacking | Threat Actors may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. | |
| .007 | Emond | Threat Actors may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. | |
| .008 | Image File Execution Options Injection | Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). | |
| .009 | Installer Packages | Threat Actors may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. | |
| .010 | LC_LOAD_DYLIB Addition | Threat Actors may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. | |
| .011 | Netsh Helper DLL | Threat Actors may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. | |
| .012 | PowerShell Profile | Threat Actors may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. | |
| .013 | Python Startup Hooks | Threat Actors may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (.pth) files and the sitecustomize.py or usercustomize.py modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked. | |
| .014 | Screensaver | Threat Actors may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. | |
| .015 | Trap | Threat Actors may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. | |
| .016 | Udev Rules | Threat Actors may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the /dev directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with match keys to specify the conditions a hardware event must meet and action keys to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in /etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/, /usr/local/lib/udev/rules.d/, and /lib/udev/rules.d/. Rule priority is determined by both directory and by the digit prefix in the rule filename. | |
| .017 | Unix Shell Configuration Modification | Threat Actors may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. | |
| .018 | Windows Management Instrumentation Event Subscription | Threat Actors may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. | |
| ATAGS-T1093 | Execution Guardrails | Threat actors may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses. | |
| .001 | Environmental Keying | Threat Actors may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment. | |
| .002 | Mutual Exclusion | Threat Actors may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time. | |
| ATAGS-T1199 | Exfiltration Over Alternative Protocol | Threat actors may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. | |
| .001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Threat Actors may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. | |
| .002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Threat Actors may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. | |
| .003 | Exfiltration Over Unencrypted Non-C2 Protocol | Threat Actors may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. | |
| ATAGS-T1200 | Exfiltration Over C2 Channel | Threat actors may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. | |
| ATAGS-T1201 | Exfiltration Over Other Network Medium | Threat actors may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. | |
| .001 | Exfiltration Over Bluetooth | Threat Actors may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. | |
| ATAGS-T1202 | Exfiltration Over Payload Channel | Threat actors can deploy malicious software on the payload(s) which can send data through the payload channel. Payloads often have their own communication channels outside of the main TT&C pathway which presents an opportunity for exfiltration of payload data or other spacecraft data depending on the interface and data exchange. | |
| ATAGS-T1203 | Exfiltration Over Web Service | Threat actors may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. | |
| .001 | Exfiltration to Code Repository | Threat Actors may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection. | |
| .002 | Exfiltration to Cloud Storage | Threat Actors may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. | |
| .003 | Exfiltration to Text Storage Sites | Threat Actors may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information. | |
| .004 | Exfiltration Over Webhook | Threat Actors may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server. Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. | |
| ATAGS-T1048 | Exploit Hardware/Firmware Corruption | Threat actors can target the underlying hardware and/or firmware using various TTPs that will be dependent on the specific hardware/firmware. Typically, software tools (e.g., antivirus, antimalware, intrusion detection) can protect a system from threat actors attempting to take advantage of those vulnerabilities to inject malicious code. However, there exist security gaps that cannot be closed by the above-mentioned software tools since they are not stationed on software applications, drivers or the operating system but rather on the hardware itself. Hardware components, like memory modules and caches, can be exploited under specific circumstances thus enabling backdoor access to potential threat actors. In addition to hardware, the firmware itself which often is thought to be software in its own right also provides an attack surface for threat actors. Firmware is programming that's written to a hardware device's non-volatile memory where the content is saved when a hardware device is turned off or loses its external power source. Firmware is written directly onto a piece of hardware during manufacturing and it is used to run on the device and can be thought of as the software that enables hardware to run. | |
| .001 | Design Flaws | Threat actors may target features or flaws in the hardware design to their advantage to cause the desired impact. Threat actors may utilize the inherent design of the hardware (e.g. hardware timers, hardware interrupts, memory cells), which is intended to provide reliability, to their advantage to degrade other aspects like availability. Additionally, field programmable gate array (FPGA)/application-specific integrated circuit (ASIC) logic can be exploited just like software code can be exploited. There could be logic/design flaws embedded in the hardware (i.e., FPGA/ASIC) which may be exploitable by a threat actor. | |
| .002 | Malicious Use of Hardware Commands | Threat actors may utilize various hardware commands and perform malicious activities with them. Hardware commands typically differ from traditional command channels as they bypass many of the traditional protections and pathways and are more direct; therefore they can be dangerous if not protected. Hardware commands are sometimes a necessity to perform various actions such as configuring sensors, adjusting positions, and rotating internal motors. Threat actors may use these commands to perform malicious activities that can damage the victim spacecraft in some capacity. | |
| ATAGS-T1025 | Exploit Public-Facing Application | Threat actors may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. | |
| ATAGS-T1114 | Exploitation for Credential Access | Threat actors may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. | |
| ATAGS-T1094 | Exploitation for Defense Evasion | Threat actors may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. | |
| ATAGS-T1083 | Exploitation for Privilege Escalation | Threat actors may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so threat actors will likely need to perform privilege escalation, including the use of software exploitation, to circumvent those restrictions. | |
| ATAGS-T1070 | External Remote Services | Threat actors may leverage external-facing remote services to persist within the ground station management network. Adversaries may abuse legitimate access mechanisms such as Cloud Management Consoles, Bastion Hosts, or Reverse SSH Tunnels to maintain command and control channels. In a supply chain context, this may involve compromising the remote support channels used by the GSaaS provider for maintenance. | |
| ATAGS-T1187 | Fallback Channels | Threat actors may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. | |
| ATAGS-T1136 | File and Directory Discovery | Threat actors may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Threat actors may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
| ATAGS-T1095 | File and Directory Permission Modification | Threat actors may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). | |
| .001 | Linux and Mac File and Directory Permissions Modification | Threat Actors may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). | |
| .002 | Windows File and Directory Permissions Modification | Threat Actors may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). | |
| ATAGS-T1218 | Financial Theft | Threat actors may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware, business email compromise (BEC) and fraud, "pig butchering," bank hacking, and exploiting cryptocurrency networks. | |
| ATAGS-T1049 | Flooding | Threat actors use flooding attacks to disrupt communications by injecting unexpected noise or messages into a transmission channel. There are several types of attacks that are consistent with this method of exploitation, and they can produce various outcomes; the most prominent impacts, however, are denial of service and data corruption. Several elements of the ground station may be targeted by jamming and flooding attacks, and depending on the time of the attack, they can have devastating results for the availability of the system. | |
| .001 | Erroneous Input | Threat actors inject noise/data/signals into the target channel so that legitimate messages cannot be correctly processed due to impacts to integrity or availability. Additionally, while this technique does not utilize system-relevant signals/commands/information, the target spacecraft may still consume valuable computing resources to process and discard the signal. | |
| .002 | Valid Commands | Threat actors may utilize valid commanding as a mechanism for flooding as the processing of these valid commands could expend valuable resources like processing power and battery usage. Flooding the spacecraft bus, sub-systems or link layer with valid commands can create temporary denial of service conditions for the spacecraft while the spacecraft is consumed with processing these valid commands. | |
| ATAGS-T1115 | Forced Authentication | Threat actors may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. | |
| ATAGS-T1116 | Forge Web Credentials | Threat actors may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. | |
| .001 | SAML Tokens | Threat Actors may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy. Forged SAML tokens enable Threat Actors to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism. | |
| .002 | Web Cookies | Threat Actors may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. | |
| ATAGS-T1001 | G2S Eavesdropping | Threat actors may seek to capture network communications throughout the ground station; these communications may be captured using packet capture software while the threat actor is on the target network. | |
| ATAGS-T1002 | G2U Eavesdropping | Threat actors may seek to capture network communications throughout the ground station and radio frequency (RF) communication used for uplink and downlink communications. Threat actors may capture RF communications using specialized hardware, such as a software defined radio (SDR), a handheld radio, or a computer with a radio demodulator tuned to the communication frequency. | |
| ATAGS-T1003 | Gather Customer Network Information | Threat actors may gather information about the customer's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. | |
| ATAGS-T1004 | Gather Customer Org Information | Threat actors may gather information about the Customer's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. | |
| ATAGS-T1005 | Gather Ground Station Communications Information | Threat actors may obtain information on the specific RF-over-IP protocols (e.g., VITA 49), center frequencies, and modulation schemes configured in the GSaaS Mission Profile. This data is required to successfully inject malicious packets or demodulate intercepted data. | |
| ATAGS-T1006 | Gather Ground Station Logical and Cloud Design Information | Threat actors may gather information about the GSaaS provider's network topology, API gateway versions, and cloud region availability. Unlike traditional ground stations, this information is often publicly available in provider documentation and can be mapped to specific customer implementations. | |
| ATAGS-T1007 | Gather Ground Station Physical Architecture Information | Threat actors may gather information about the victim Ground station's physical architecture that can be used for future campaigns or to help perpetuate other techniques. Information about the architecture can include location, physical security in place, antennas utilized, materials, means of power support, employees staffed, and maintenance. | |
| ATAGS-T1008 | Gather Mission Profile Configuration | Threat actors seek to obtain the specific "Mission Profile" or configuration scripts (JSON/YAML) used to configure the Ground Station for a pass. This reveals the exact demodulation, decoding, and data delivery paths used by the victim. | |
| ATAGS-T1009 | Gather Mission Schedule / LEOP Timeline | Threat actors gather launch windows and LEOP (Launch and Early Orbit Phase) schedules. This temporal data allows the adversary to time Denial of Service attacks against the GSaaS scheduling API specifically when the satellite is most vulnerable and has not yet stabilized its orbit. | |
| ATAGS-T1010 | Gather Mission that uses GSaaS Information | Threat actors may initially seek to gain an understanding of a target Ground Station by gathering information on missions that are known to use a specific provider. This information is commonly captured in a Concept of Operations (or similar) document and related artifacts. Information of interest includes, but is not limited to: the needs, goals, and objectives of the system; system overview and key elements/instruments; modes of operations (including operational constraints); proposed capabilities and the underlying science/technology used to provide capabilities (i.e., scientific papers, research studies, etc.); and physical and support environments. | |
| ATAGS-T1011 | Gather Provider Org Information | Threat actors may gather information about the Provider's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. | |
| ATAGS-T1012 | Gather Supply Chain Information | Threat actors may gather information about GS supply chain or product delivery mechanisms that can be used for future campaigns or to help perpetuate other techniques. | |
| .001 | Business Relationships | Threat actors may gather information about the victim's business relationships that can be used during targeting. Information about a mission’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors/sub-contractors, etc.) that have connected (and potentially elevated) network access or sensitive information. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. | |
| .002 | Hardware Recon | Threat actors may gather information that can be used to facilitate a future attack where they manipulate hardware components in the victim infrastructure prior to the customer receiving them in order to achieve data or system compromise. By modifying the hardware or firmware in the supply chain, the threat actor can insert backdoors that give them a high level of control over the system. This would include ASIC and FPGA devices as well. | |
| .003 | Known Vulnerabilities | Threat actors may gather information about vulnerabilities that can be used for future campaigns or to perpetuate other techniques. A vulnerability is a weakness in the victim spacecraft's hardware, subsystems, bus, or software that can potentially be exploited by a threat actor to cause unintended or unanticipated behavior to occur. During reconnaissance, as threat actors identify the types/versions of software (i.e., COTS, open-source) being used, they will look for well-known vulnerabilities that could affect the spacecraft. Threat actors may find vulnerability information by searching leaked documents, vulnerability databases/scanners, compromising ground systems, and searching through online databases. | |
| .004 | Software Recon | Threat actors may gather information relating to the mission's software supply chain in order to facilitate future attacks to achieve data or system compromise. This attack can take place in a number of ways, including manipulation of source code, manipulation of the update and/or distribution mechanism, or replacing compiled versions with a malicious one. | |
| ATAGS-T1137 | Ground Network Sniffing | Threat actors may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. Threat actors may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. | |
| ATAGS-T1026 | Ground Segment Compromise | Threat actors may compromise Ground Segment sectors, such as work stations, Ground Stations and operation centers. | |
| .001 | Logical compromise | There are various ways to compromise the Ground Segment, many of which closely resemble MITRE ATT&CK® Enterprise methods. | |
| .002 | Physical compromise | Threat actors can exploit missing physical security (e.g., facilities not protected by physical barriers). | |
| ATAGS-T1160 | Hardcoded Credentials | Threat actors may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. | |
| ATAGS-T1027 | Hardware Additions | Threat actors may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. | |
| ATAGS-T1096 | Hide Artifacts | Threat actors may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Threat actors may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. | |
| .001 | Bind Mounts | Threat Actors may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. | |
| .002 | Email Hiding Rules | Threat Actors may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems. | |
| .003 | Extended Attributes | Threat Actors may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like Finder, ls, or cat and require utilities such as xattr (macOS) or getfattr (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as user. (user permissions), trusted. (root permissions), security., and system., each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with com.apple.* (e.g., com.apple.quarantine, com.apple.metadata:_kMDItemUserTags) and used by system features like Gatekeeper and Spotlight. | |
| .004 | File/Path Exclusions | Threat Actors may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate. | |
| .005 | Hidden File System | Threat Actors may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS. | |
| .006 | Hidden Files and Directories | Threat Actors may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS). | |
| .007 | Hidden Users | Threat Actors may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. | |
| .008 | Hidden Window | Threat Actors may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. | |
| .009 | Ignore Process Interrupts | Threat Actors may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off. These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. | |
| .010 | NTFS File Attributes | Threat Actors may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). | |
| .011 | Process Argument Spoofing | Threat Actors may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB. | |
| .012 | Resource Forking | Threat Actors may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder. | |
| .013 | Run Virtual Instance | Threat Actors may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, Threat Actors can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values. | |
| .014 | VBA Stomping | Threat Actors may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. | |
| ATAGS-T1188 | Hide Infrastructure | Threat actors may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic from defensive tools, masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers, and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely. | |
| ATAGS-T1050 | Hooking | Threat actors may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. The attacker intercepts function calls between software components to modify the behavior, inspect data, or redirect execution flow. | |
| ATAGS-T1097 | Impair Defenses | Threat actors may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. | |
| .001 | Triggering the clear mode | Threat Actors can trigger the clear mode by accessing TC or consuming its resources, to disable or limit the security level of the spacecraft. If a 'clear mode' is implemented, the conditions under which, and by which, it is activated should be carefully analyzed, as those might introduce major security vulnerabilities. | |
| .002 | Disable or Modify Cloud Firewall | Threat Actors may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall. | |
| .003 | Disable or Modify Cloud Logs | Threat Actors may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If Threat Actors have sufficient permissions, they can disable or modify logging to avoid detection of their activities. | |
| .004 | Disable or Modify Linux Audit System | Threat Actors may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. | |
| .005 | Disable or Modify Network Device Firewall | Threat Actors may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. | |
| .006 | Disable or Modify System Firewall | Threat Actors may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. | |
| .007 | Disable or Modify Tools | Threat Actors may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Threat Actors may also disable updates to prevent the latest security patches from reaching tools on victim systems. | |
| .008 | Disable Windows Event Logging | Threat Actors may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. | |
| .009 | Downgrade Attack | Threat Actors may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. | |
| .010 | Impair Command History Logging | Threat Actors may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. | |
| .011 | Indicator Blocking | Threat Actors may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation. | |
| .012 | Safe Mode Boot | Threat Actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot. | |
| .013 | Spoof Security Alerting | Threat Actors may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident. | |
| ATAGS-T1098 | Impersonation | Threat actors may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, Threat actors may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. | |
| ATAGS-T1071 | Implant Internal Image | Threat actors may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on Threat actors implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. | |
| ATAGS-T1099 | Indicator Removal | Threat actors may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. | |
| .001 | Clear Command History | In addition to clearing system logs, Threat Actors may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. | |
| .002 | Clear Linux or Mac System Logs | Threat Actors may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as: | |
| .003 | Clear Mailbox Data | Threat Actors may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. | |
| .004 | Clear Network Connection History and Configurations | Threat Actors may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by Threat Actors. | |
| .005 | Clear Persistence | Threat Actors may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence. Threat Actors may also delete accounts previously created to maintain persistence (i.e. Create Account). | |
| .006 | Clear Windows Event Logs | Threat Actors may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. | |
| .007 | File Deletion | Threat Actors may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by Threat Actors (ex: Ingress Tool Transfer) may leave traces to indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. | |
| .008 | Network Share Connection Removal | Threat Actors may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command. | |
| .009 | Relocate Malware | Once a payload is delivered, Threat Actors may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with File Deletion to clean up older artifacts. | |
| .010 | Timestomp | Threat Actors may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files. | |
| ATAGS-T1072 | Infrastructure File Infection | Threat actors may attempt to infect Infrastructure as Code (IaC) templates or Mission Profiles with malicious logic. These files (e.g., Terraform, CloudFormation, or JSON mission definitions) define the configuration of the ground station resources and data flows. By injecting malicious definitions into the engineering environment or CI/CD pipeline, adversaries ensure that newly provisioned resources or scheduled contacts automatically execute compromised logic upon instantiation. | |
| ATAGS-T1189 | Ingress Tool Transfer | Threat actors may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, Threat actors may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer). | |
| ATAGS-T1219 | Inhibit System Recovery | Threat actors may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options. | |
| ATAGS-T1117 | Input Capture | Threat actors may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). | |
| .001 | Credential API Hooking | Threat Actors may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. | |
| .002 | GUI Input Capture | Threat Actors may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control). | |
| .003 | Keylogging | Threat Actors may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require Threat Actors to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, Threat Actors may also perform actions such as clearing browser cookies to force users to reauthenticate to systems. | |
| .004 | Web Portal Capture | Threat Actors may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. | |
| ATAGS-T1051 | Input Injection | Threat actors may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs). | |
| ATAGS-T1161 | Internal Spearphishing | After they already have access to accounts or systems within the environment, Threat actors may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Threat actors may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating Impersonation. | |
| ATAGS-T1028 | Internet Accessible Device | Threat actors may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through External Remote Services. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow Threat actors to move directly into the control system network. Access to these devices is accomplished without the use of exploits; cases involving exploits are represented within the Exploit Public-Facing Application technique. | |
| ATAGS-T1052 | Jamming | Jamming is an electronic attack that uses radio frequency signals to interfere with communications. A jammer must operate in the same frequency band and within the field of view of the antenna it is targeting. Unlike physical attacks, jamming is completely reversible—once the jammer is disengaged, communications can be restored. Attribution of jamming can be difficult because the source can be small and highly mobile, and users operating on the wrong frequency or pointed at the wrong satellite can jam friendly communications. Similar to intentional jamming, accidental jamming can cause temporary signal degradation. Accidental jamming refers to unintentional interference with communication signals, and it can potentially impact a ground station in various ways, depending on the severity, frequency, and duration of the interference. | |
| .001 | Downlink Jamming | Downlink jammers target the users of a satellite by creating noise in the same frequency as the downlink signal from the satellite. A downlink jammer only needs to be as powerful as the signal being received on the ground and must be within the field of view of the receiving terminal’s antenna. This limits the number of users that can be affected by a single jammer. Since many ground terminals use directional antennas pointed at the sky, a downlink jammer typically needs to be located above the terminal it is attempting to jam. This limitation can be overcome by employing a downlink jammer on an air or space-based platform, which positions the jammer between the terminal and the satellite. This also allows the jammer to cover a wider area and potentially affect more users. Ground terminals with omnidirectional antennas, such as many GPS receivers, have a wider field of view and thus are more susceptible to downlink jamming from different angles on the ground. | |
| .002 | Uplink Jamming | An uplink jammer is used to interfere with signals going up to a satellite by creating enough noise that the satellite cannot distinguish between the real signal and the noise. Uplink jamming of the control link, for example, can prevent satellite operators from sending commands to a satellite. However, because the uplink jammer must be within the field of view of the antenna on the satellite receiving the command link, the jammer must be physically located within the vicinity of the command station on the ground. | |
| ATAGS-T1138 | Key Management Policy Discovery | Threat actors may try to gather information about the key management policy that has been implemented. Security policies are rules and regulations that describe the operational procedures required for proper key management. This includes the specification of rules for processes such as generation, distribution, and allowed use of cryptographic keys. | |
| ATAGS-T1053 | Kinetic Physical Attack | Threat actors may deploy kinetic physical attacks to damage or destroy space- or land-based space assets. The nature of these attacks makes them easier to attribute and allows for better confirmation of success on the part of the attacker. | |
| ATAGS-T1073 | KMS Key Disablement / Replacement | Threat actors may compromise the Key Management Service (KMS) controlling the encryption of the Ground Station's data output. By disabling, deleting, or maliciously rotating the Customer Master Keys (CMKs) used to encrypt the digitized RF streams (VITA 49) stored in cloud buckets, the adversary renders the downlinked mission data permanently inaccessible to the operator, even if the satellite itself remains healthy. | |
| ATAGS-T1162 | Lateral Tool Transfer | Threat actors may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. | |
| ATAGS-T1139 | Link segment Sniffing | Threat actors may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Threat actors may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. In the context of GSaaS, it includes the interception of digitized RF streams (VITA 49) and monitoring of the IF (Intermediate Frequency) spectrum data if accessible via network interfaces. | |
| ATAGS-T1140 | Local Storage Discovery | Threat actors may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access. | |
| ATAGS-T1141 | Log Enumeration | Threat actors may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for Threat actors, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery). | |
| ATAGS-T1220 | Loss of Control | Threat actors may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even after the malicious interference has subsided; this has direct consequences for the control of the spacecraft. | |
| ATAGS-T1221 | Loss of Intellectual property/proprietary data | Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely. | |
| ATAGS-T1222 | Loss of Productivity and Revenue | Threat actors may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. | |
| ATAGS-T1223 | Loss of Protection | Threat actors may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. | |
| ATAGS-T1224 | Loss of View | Threat actors may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. | |
| ATAGS-T1054 | Malicious Code | Threat actors may rely on other tactics and techniques in order to execute malicious code on the victim ground station. This can be done via compromising the supply chain or development environment in some capacity or taking advantage of known commands. However, once malicious code has been uploaded to the victim ground station, the threat actor can then trigger the code to run via a specific command or wait for a legitimate user to trigger it accidentally. The code itself can do a number of different things to the hosted payload, subsystems, or underlying OS. | |
| .001 | Bootkit | Threat actors may use bootkits to persist on systems and evade detection. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. | |
| .002 | Ransomware | Threat actors may encrypt spacecraft data to interrupt availability and usability. Threat actors can attempt to render stored data inaccessible by encrypting files or data and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key or to render data permanently inaccessible in cases where the key is not saved or transmitted. | |
| .003 | Rootkit | Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the flight software or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. | |
| .004 | Wiper Malware | Threat actors may deploy wiper malware, which is a type of malicious software designed to destroy data or render it unusable. Wiper malware can spread through various means, including software vulnerabilities (CWE/CVE) or the exploitation of weak or stolen credentials. | |
| ATAGS-T1100 | Masquerading | Threat actors may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. | |
| .001 | Break Process Trees | Threat Actors may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the "parent-child" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs. | |
| .002 | Browser Fingerprint | Threat Actors may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. | |
| .003 | Double File Extension | Threat Actors may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies. | |
| .004 | Invalid Code Signature | Threat Actors may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Threat Actors can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. | |
| .005 | Masquerade Account Name | Threat Actors may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. | |
| .006 | Masquerade File Type | Threat Actors may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. The header of a JPEG file, for instance, is 0xFF 0xD8 and the file extension is either .JPE, .JPEG or .JPG. | |
| .007 | Masquerade Task or Service | Threat Actors may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Threat Actors may give tasks or services names that are similar or identical to those of legitimate ones. | |
| .008 | Match Legitimate Resource Name or Location | Threat Actors may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. | |
| .009 | Overwrite Process Arguments | Threat Actors may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the main() function as the argv array. The first element, argv[0], typically contains the process name or path - by default, the command used to actually start the process (e.g., cat /etc/passwd). By default, the Linux /proc filesystem uses this value to represent the process name. The /proc/ | |
| .010 | Rename Legitimate Utilities | Threat Actors may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities Threat Actors are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths. | |
| .011 | Right-to-Left Override | Threat Actors may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png. | |
| .012 | Space after Filename | Threat Actors can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. | |
| ATAGS-T1055 | Modify Authentication Process | Threat actors may modify the internal authentication process of the victim ground station to facilitate initial access, recurring execution, or prevent authorized entities from accessing the ground station. This can be done through the modification of the software binaries or memory manipulation techniques. | |
| .001 | Domain Controller Authentication | Threat Actors may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. | |
| .002 | Multi-Factor Authentication | Threat Actors may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. | |
| .003 | Network Device Authentication | Threat Actors may use Patch System Image to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. | |
| .004 | Network Provider DLL | Threat Actors may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. | |
| .005 | Password Filter DLL | Threat Actors may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. | |
| .006 | Pluggable Authentication Modules | Threat Actors may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow. | |
| .007 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. | |
| .008 | Conditional Access Policies | Threat Actors may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. | |
| .009 | Hybrid Identity | Threat Actors may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. | |
| ATAGS-T1101 | Modify Cloud Compute Infrastructure | An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. | |
| .001 | Create Cloud Instance | Threat Actors may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow Threat Actors to bypass firewall rules and permissions that exist on instances currently residing within an account. Threat Actors may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging. | |
| .002 | Create Snapshot | Threat Actors may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. Threat Actors may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where Threat Actors may revert to a snapshot to evade detection and remove evidence of their presence. | |
| .003 | Delete Cloud Instance | Threat Actors may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. | |
| .004 | Modify Cloud Compute Configurations | Threat Actors may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow Threat Actors to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim. | |
| .005 | Revert Cloud Instance | Threat Actors may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. | |
| ATAGS-T1102 | Modify Cloud Resource Hierarchy | Threat actors may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. | |
| ATAGS-T1204 | Modify Communications Configuration | Threat actors can manipulate communications equipment, modifying the existing software, hardware, or the transponder configuration to exfiltrate data via unintentional channels the mission has no control over. | |
| .001 | Software Defined Radio | Threat actors may target software defined radios due to their software nature to set up exfiltration channels. Since SDRs are programmable, when combined with supply chain or development environment attacks, SDRs provide a pathway for a threat actor to set up covert exfiltration channels. | |
| .002 | Transponder | Threat actors may change the transponder configuration to exfiltrate data via radio access to an attacker-controlled asset. | |
| ATAGS-T1056 | Modify Controller Tasking | Threat actors may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. | |
| ATAGS-T1103 | Modify Whitelist | Threat actors may target whitelists on spacecraft as a means to execute and/or hide malicious processes/programs. Whitelisting is a common technique used on traditional IT systems but has also been used on spacecraft. Whitelisting is used to prevent execution of unknown or potentially malicious software. However, this control can be bypassed if not implemented correctly, and threat actors may also simply attempt to modify the whitelist outright to ensure their malicious software will operate on a spacecraft that utilizes whitelisting. | |
| ATAGS-T1118 | Multi-Factor Authentication Interception | Threat actors may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. | |
| ATAGS-T1119 | Multi-Factor Authentication Request Generation | Threat actors may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. | |
| ATAGS-T1190 | Multi-Stage Channels | Threat actors may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. | |
| ATAGS-T1142 | Network Service Discovery | Threat actors may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system. | |
| ATAGS-T1143 | Network Share Discovery | Threat actors may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. | |
| ATAGS-T1120 | Network Sniffing | Threat actors may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. | |
| ATAGS-T1191 | Non-Application Layer Protocol | Threat actors may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). | |
| ATAGS-T1057 | Non-Kinetic Physical Attack | A non-kinetic physical attack is when a ground station is physically damaged without any direct contact. Non-kinetic physical attacks can be characterized into a few types: electromagnetic pulses, high-powered lasers, and high-powered microwaves. These attacks carry a medium likelihood of attribution and often provide the attacker with little evidence of success. | |
| .001 | Electromagnetic Pulse (EMP) | An EMP, such as those caused by high-altitude detonation of certain bombs, is an indiscriminate form of attack in space. For example, a nuclear detonation in space releases an electromagnetic pulse (EMP) that would have near immediate consequences for the satellites within range. The detonation also creates a high radiation environment that accelerates the degradation of satellite components in the affected orbits. | |
| .002 | High-Powered Laser | A high-powered laser can be used to permanently or temporarily damage critical satellite components (i.e. solar arrays or optical centers). If directed toward a satellite’s optical center, the attack is known as blinding or dazzling. Blinding, as the name suggests, causes permanent damage to the optics of a satellite. Dazzling causes temporary loss of sight for the satellite. While there is clear attribution of the location of the laser at the time of the attack, the lasers used in these attacks may be mobile, which can make attribution to a specific actor more difficult because the attacker does not have to be in their own nation, or even continent, to conduct such an attack. Only the satellite operator will know if the attack is successful, meaning the attacker has limited confirmation of success, as an attacked nation may not choose to announce that their satellite has been attacked or left vulnerable for strategic reasons. A high-powered laser attack can also leave the targeted satellite disabled and uncontrollable, which could lead to collateral damage if the satellite begins to drift. A higher-powered laser may permanently damage a satellite by overheating its parts. The parts most susceptible to this are satellite structures, thermal control panels, and solar panels. | |
| .003 | High-Powered Microwave | High-powered microwave (HPM) weapons can be used to disrupt or destroy a satellite’s electronics. A "front-door" HPM attack uses a satellite’s own antennas as an entry path, while a "back-door" attack attempts to enter through small seams or gaps around electrical connections and shielding. A front-door attack is more straightforward to carry out, provided the HPM is positioned within the field of view of the antenna that it is using as a pathway, but it can be thwarted if the satellite uses circuits designed to detect and block surges of energy entering through the antenna. In contrast, a back-door attack is more challenging, because it must exploit design or manufacturing flaws, but it can be conducted from many angles relative to the satellite. Both types of attacks can be either reversible or irreversible; however, the attacker may not be able to control the severity of the damage from the attack. Both front-door and back-door HPM attacks can be difficult to attribute to an attacker, and, as with a laser weapon, the attacker may not know if the attack has been successful. An HPM attack may leave the target satellite disabled and uncontrollable, which can cause it to drift into other satellites, creating further collateral damage. | |
| ATAGS-T1104 | Obfuscated Files or Information | Threat actors may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. | |
| .001 | Binary Padding | Threat Actors may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. | |
| .002 | Command Obfuscation | Threat Actors may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter. | |
| .003 | Compile After Delivery | Threat Actors may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe, csc.exe, or GCC/MinGW. | |
| .004 | Compression | Threat Actors may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, Threat Actors may also compress shellcode directly, for example in order to store it in a Windows Registry key (i.e., Fileless Storage). | |
| .005 | Dynamic API Resolution | Threat Actors may obfuscate and then dynamically resolve API functions called by their malware in order to conceal malicious functionality and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform tasks such as those involving processes, files, and other system artifacts. | |
| .006 | Embedded Payloads | Threat Actors may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable Threat Actors to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets. | |
| .007 | Encrypted/Encoded File | Threat Actors may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use. | |
| .008 | Fileless Storage | Threat Actors may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or the WMI repository. Shared memory directories on Linux systems (/dev/shm, /run/shm, /var/run, and /var/lock) and volatile directories on Network Devices (/tmp and /volatile) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk. | |
| .009 | HTML Smuggling | Threat Actors may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads. | |
| .010 | Indicator Removal from Tools | Threat Actors may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version, which is no longer detected by the target's defensive systems, against that target or against subsequent targets that may use similar systems. | |
| .011 | Junk Code Insertion | Threat Actors may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing. | |
| .012 | LNK Icon Smuggling | Threat Actors may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. | |
| .013 | Polymorphic Code | Threat Actors may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution. With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools. | |
| .014 | Software Packing | Threat Actors may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code. | |
| .015 | Steganography | Threat Actors may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. | |
| .016 | Stripped Payloads | Threat Actors may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads. | |
| .017 | SVG Smuggling | Threat Actors may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include | |