Execution through API
| Field | Value |
|---|---|
| Technique | Execution through API |
| ID | T0871 |
| Tactic | Execution |
| Data Sources | API monitoring, Network protocol analysis, Packet capture |
| Asset | Field Controller/RTU/PLC/IED |
Description
Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often exposed through APIs that software can call to trigger particular functions on a device or in other software, such as Change Program State of a program on a PLC.
Procedure Examples
- PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units.1
- Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units.2
- Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes.3
Mitigations
- Authorization Enforcement - All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize users' access to only the API calls they require.4
- Human User Authentication - All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.
- Access Management - Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication.5 These technologies typically use an in-line network device or gateway system to block access by unauthenticated users, while also integrating with an authentication service to verify user credentials first.
- Execution Prevention - Minimize the exposure of API calls that allow the execution of code.
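The gateway-side decision described under Authorization Enforcement and Access Management, as an added example that is not code from ATT&CK or from any vendor product: a least-privilege policy mapping roles to permitted PLC management API calls, with denied execution-class calls flagged for API monitoring. The call names, roles and sample requests are constructed for illustration.

```python
# Added example (not from the ATT&CK page): a minimal model of the in-line
# gateway authorization described under "Access Management". Call names,
# roles and sample requests are constructed for illustration.
from dataclasses import dataclass

# PLC management API operations grouped by risk. The first set covers the
# program download / allocation / change operations this technique abuses;
# the read-only set is included for contrast.
EXECUTION_CALLS = {"program_download", "program_allocation",
                   "program_change", "change_program_state"}
READ_CALLS = {"read_status", "read_tags"}

# Least-privilege policy: each role sees only the calls it needs.
ROLE_POLICY = {
    "operator": READ_CALLS,
    "plc_engineer": READ_CALLS | EXECUTION_CALLS,
}

@dataclass
class ApiRequest:
    user: str            # identity as verified by the authentication service
    authenticated: bool  # False when the gateway could not verify credentials
    role: str
    call: str
    target: str          # field device the call is addressed to

def authorize(req: ApiRequest) -> tuple[bool, str]:
    """Decide whether the gateway forwards the request to the controller."""
    if not req.authenticated:
        return False, "unauthenticated"
    if req.call not in ROLE_POLICY.get(req.role, set()):
        return False, f"role {req.role!r} not permitted to call {req.call!r}"
    return True, "ok"

def audit(requests: list[ApiRequest]) -> list[str]:
    """One log line per request; a denied execution-class call is raised to
    ALERT so API monitoring on the gateway can pick it up."""
    lines = []
    for r in requests:
        ok, reason = authorize(r)
        sev = "ALERT" if (not ok and r.call in EXECUTION_CALLS) else "INFO"
        lines.append(f"{sev} user={r.user} role={r.role} call={r.call} "
                     f"target={r.target} decision={'allow' if ok else 'deny'} "
                     f"reason={reason}")
    return lines

# Constructed sample traffic: read by an operator, program download by an
# operator (denied), program download by an engineer, unauthenticated attempt.
SAMPLE = [
    ApiRequest("alice", True, "operator", "read_status", "plc-01"),
    ApiRequest("alice", True, "operator", "program_download", "plc-01"),
    ApiRequest("bob", True, "plc_engineer", "program_download", "plc-01"),
    ApiRequest("unknown", False, "plc_engineer", "change_program_state", "plc-02"),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```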
References
- Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). PLC-Blaster: A Worm Living Solely in the PLC. Retrieved September 19, 2017.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.