ATT&CK® for Industrial Control Systems

From attackics

ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior. Please see the overview page for more information about ATT&CK for ICS.

You may start with the following links to become more familiar with ATT&CK for ICS:


The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

Initial Access: Data Historian Compromise, Drive-by Compromise, Engineering Workstation Compromise, Exploit Public-Facing Application, External Remote Services, Internet Accessible Device, Replication Through Removable Media, Spearphishing Attachment, Supply Chain Compromise, Wireless Compromise
Execution: Change Program State, Command-Line Interface, Execution through API, Graphical User Interface, Man in the Middle, Program Organization Units, Project File Infection, Scripting, User Execution
Persistence: Hooking, Module Firmware, Program Download, Project File Infection, System Firmware, Valid Accounts
Evasion: Exploitation for Evasion, Indicator Removal on Host, Masquerading, Rogue Master Device, Rootkit, Spoof Reporting Message, Utilize/Change Operating Mode
Discovery: Control Device Identification, I/O Module Discovery, Network Connection Enumeration, Network Service Scanning, Network Sniffing, Remote System Discovery, Serial Connection Enumeration
Lateral Movement: Default Credentials, Exploitation of Remote Services, External Remote Services, Program Organization Units, Remote File Copy, Valid Accounts
Collection: Automated Collection, Data from Information Repositories, Detect Operating Mode, Detect Program State, I/O Image, Location Identification, Monitor Process State, Point & Tag Identification, Program Upload, Role Identification, Screen Capture
Command and Control: Commonly Used Port, Connection Proxy, Standard Application Layer Protocol
Inhibit Response Function: Activate Firmware Update Mode, Alarm Suppression, Block Command Message, Block Reporting Message, Block Serial COM, Data Destruction, Denial of Service, Device Restart/Shutdown, Manipulate I/O Image, Modify Alarm Settings, Modify Control Logic, Program Download, Rootkit, System Firmware, Utilize/Change Operating Mode
Impair Process Control: Brute Force I/O, Change Program State, Masquerading, Modify Control Logic, Modify Parameter, Module Firmware, Program Download, Rogue Master Device, Service Stop, Spoof Reporting Message, Unauthorized Command Message
Impact: Damage to Property, Denial of Control, Denial of View, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, Loss of Safety, Loss of View, Manipulation of Control, Manipulation of View, Theft of Operational Information
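The note above that some techniques span more than one tactic matters when the matrix is used for detection coverage mapping: a detection for Program Download, for example, counts toward three tactics, and a gap review has to be done per technique rather than per cell. The following is an added example, not code from the ATT&CK for ICS project: it transcribes the matrix on this page as data, inverts it to a technique-to-tactics index, lists the multi-tactic techniques, and reports per-tactic gaps against a set of techniques a hypothetical detection stack already covers (that set is constructed for illustration).

```python
# Added example: the ATT&CK for ICS matrix on this page as data, with the
# queries a detection engineer typically runs over it. Not MITRE's code.
from collections import defaultdict

# Tactic -> techniques, transcribed from the matrix above.
MATRIX = {
    "Initial Access": [
        "Data Historian Compromise", "Drive-by Compromise", "Engineering Workstation Compromise",
        "Exploit Public-Facing Application", "External Remote Services", "Internet Accessible Device",
        "Replication Through Removable Media", "Spearphishing Attachment", "Supply Chain Compromise",
        "Wireless Compromise"],
    "Execution": [
        "Change Program State", "Command-Line Interface", "Execution through API",
        "Graphical User Interface", "Man in the Middle", "Program Organization Units",
        "Project File Infection", "Scripting", "User Execution"],
    "Persistence": [
        "Hooking", "Module Firmware", "Program Download", "Project File Infection",
        "System Firmware", "Valid Accounts"],
    "Evasion": [
        "Exploitation for Evasion", "Indicator Removal on Host", "Masquerading",
        "Rogue Master Device", "Rootkit", "Spoof Reporting Message", "Utilize/Change Operating Mode"],
    "Discovery": [
        "Control Device Identification", "I/O Module Discovery", "Network Connection Enumeration",
        "Network Service Scanning", "Network Sniffing", "Remote System Discovery",
        "Serial Connection Enumeration"],
    "Lateral Movement": [
        "Default Credentials", "Exploitation of Remote Services", "External Remote Services",
        "Program Organization Units", "Remote File Copy", "Valid Accounts"],
    "Collection": [
        "Automated Collection", "Data from Information Repositories", "Detect Operating Mode",
        "Detect Program State", "I/O Image", "Location Identification", "Monitor Process State",
        "Point & Tag Identification", "Program Upload", "Role Identification", "Screen Capture"],
    "Command and Control": [
        "Commonly Used Port", "Connection Proxy", "Standard Application Layer Protocol"],
    "Inhibit Response Function": [
        "Activate Firmware Update Mode", "Alarm Suppression", "Block Command Message",
        "Block Reporting Message", "Block Serial COM", "Data Destruction", "Denial of Service",
        "Device Restart/Shutdown", "Manipulate I/O Image", "Modify Alarm Settings",
        "Modify Control Logic", "Program Download", "Rootkit", "System Firmware",
        "Utilize/Change Operating Mode"],
    "Impair Process Control": [
        "Brute Force I/O", "Change Program State", "Masquerading", "Modify Control Logic",
        "Modify Parameter", "Module Firmware", "Program Download", "Rogue Master Device",
        "Service Stop", "Spoof Reporting Message", "Unauthorized Command Message"],
    "Impact": [
        "Damage to Property", "Denial of Control", "Denial of View", "Loss of Availability",
        "Loss of Control", "Loss of Productivity and Revenue", "Loss of Safety", "Loss of View",
        "Manipulation of Control", "Manipulation of View", "Theft of Operational Information"],
}


def inverse_index(matrix=MATRIX):
    """Technique -> sorted list of the tactics it appears under."""
    idx = defaultdict(set)
    for tactic, techniques in matrix.items():
        for technique in techniques:
            idx[technique].add(tactic)
    return {t: sorted(tactics) for t, tactics in idx.items()}


def multi_tactic_techniques(matrix=MATRIX):
    """Techniques listed under more than one tactic (the 'span' the page describes)."""
    return {t: tactics for t, tactics in inverse_index(matrix).items() if len(tactics) > 1}


def uncovered(covered, matrix=MATRIX):
    """Per-tactic list of techniques not in `covered` (a set of technique names).

    Names in `covered` that are not in the matrix are returned separately, so a
    misspelled technique name cannot silently inflate the coverage figure.
    """
    known = set(inverse_index(matrix))
    unknown = sorted(set(covered) - known)
    gaps = {tactic: [t for t in techniques if t not in covered]
            for tactic, techniques in matrix.items()}
    return gaps, unknown


if __name__ == "__main__":
    for technique, tactics in sorted(multi_tactic_techniques().items()):
        print(f"{technique}: {', '.join(tactics)}")
    # Constructed example: techniques a hypothetical detection stack already covers.
    covered = {"Spearphishing Attachment", "Valid Accounts", "Program Download",
               "Network Service Scanning"}
    gaps, unknown = uncovered(covered)
    for tactic, missing in gaps.items():
        print(f"{tactic}: {len(missing)} technique(s) without coverage")
    print("unrecognised names:", unknown)
```

Because `uncovered` works on the technique-to-tactics index rather than on cells, a single covered technique such as Program Download closes its gap under Persistence, Inhibit Response Function and Impair Process Control at once, which is the behaviour a coverage review should have.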