ATT&CK® for Industrial Control Systems


ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior. Please see the overview page for more information about ATT&CK for ICS.

You may start with the following links to become more familiar with ATT&CK for ICS:

The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

Initial Access: Data Historian Compromise, Drive-by Compromise, Engineering Workstation Compromise, Exploit Public-Facing Application, Exploitation of Remote Services, External Remote Services, Internet Accessible Device, Remote Services, Replication Through Removable Media, Rogue Master, Spearphishing Attachment, Supply Chain Compromise, Wireless Compromise

Execution: Change Operating Mode, Command-Line Interface, Execution through API, Graphical User Interface, Hooking, Modify Controller Tasking, Native API, Scripting, User Execution

Persistence: Modify Program, Module Firmware, Project File Infection, System Firmware, Valid Accounts

Privilege Escalation: Exploitation for Privilege Escalation, Hooking

Evasion: Change Operating Mode, Exploitation for Evasion, Indicator Removal on Host, Masquerading, Rootkit, Spoof Reporting Message

Discovery: Network Connection Enumeration, Network Sniffing, Remote System Discovery, Remote System Information Discovery, Wireless Sniffing

Lateral Movement: Default Credentials, Exploitation of Remote Services, Lateral Tool Transfer, Program Download, Remote Services, Valid Accounts

Collection: Automated Collection, Data from Information Repositories, Detect Operating Mode, I/O Image, Man in the Middle, Monitor Process State, Point & Tag Identification, Program Upload, Screen Capture, Wireless Sniffing

Command and Control: Commonly Used Port, Connection Proxy, Standard Application Layer Protocol

Inhibit Response Function: Activate Firmware Update Mode, Alarm Suppression, Block Command Message, Block Reporting Message, Block Serial COM, Data Destruction, Denial of Service, Device Restart/Shutdown, Manipulate I/O Image, Modify Alarm Settings, Rootkit, Service Stop, System Firmware

Impair Process Control: Brute Force I/O, Modify Parameter, Module Firmware, Spoof Reporting Message, Unauthorized Command Message

Impact: Damage to Property, Denial of Control, Denial of View, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, Loss of Protection, Loss of Safety, Loss of View, Manipulation of Control, Manipulation of View, Theft of Operational Information