Evasion (TA0103)

TRITON

| Step | ATT&CK Pattern |
|---|---|
| 3.A.1 | Technique Masquerading (T0849) |
| 4.A.1 | Technique Masquerading (T0849) |
| 4.B.1 | Technique Masquerading (T0849) |
| 5.A.1 | Technique Masquerading (T0849) |
| 6.B.1 | Technique Masquerading (T0849) |
| 6.C.1 | Technique Masquerading (T0849) |
| 6.D.1 | Technique Masquerading (T0849) |
| 6.E.1 | Technique Masquerading (T0849) |
| 8.A.1 | Technique Masquerading (T0849) |
| 11.A.1 | Technique Masquerading (T0849) |
| 11.C.1 | Technique Masquerading (T0849) |
| 14.B.1 | Technique Masquerading (T0849) |
| 17.B.1 | Technique Masquerading (T0849) |
| 19.B.1 | Technique Masquerading (T0849) |
| 22.A.2 | Technique Change Operating Mode (T0858) |

Criteria
Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
Criteria
Evidence that the newly created files from the extraction of "Install_GuardLogix.zip" in the Temp Rockwell GuardLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", "abRSA.exe", etc.).