Evasion (TA0103)
TRITON

Step | ATT&CK Pattern
--- | ---
3.A.1 | Technique: Masquerading (T0849)
4.A.1 | Technique: Masquerading (T0849)
4.B.1 | Technique: Masquerading (T0849)
5.A.1 | Technique: Masquerading (T0849)
6.B.1 | Technique: Masquerading (T0849)
6.C.1 | Technique: Masquerading (T0849)
6.D.1 | Technique: Masquerading (T0849)
6.E.1 | Technique: Masquerading (T0849)
8.A.1 | Technique: Masquerading (T0849)
11.A.1 | Technique: Masquerading (T0849)
11.C.1 | Technique: Masquerading (T0849)
14.B.1 | Technique: Masquerading (T0849)
17.B.1 | Technique: Masquerading (T0849)
19.B.1 | Technique: Masquerading (T0849)
22.A.2 | Technique: Change Operating Mode (T0858)
Criteria

- Evidence that the newly created files from the extraction of "csp3.zip" in the Temp Rockwell directory are not legitimate ("csp.exe", "Install-csp.ps1", "csp-agent.exe", "sftp.exe", etc.).
- Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence that the newly created files from the extraction of "Install_RSLogix.zip" in the Temp Rockwell RSLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", etc.).
- Evidence that the newly created files from the extraction of "Install_GuardLogix.zip" in the Temp Rockwell GuardLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", "abRSA.exe", etc.).
- Evidence of the safety PLC operating mode being switched to Program Mode following the adversary's CIP request to instance 0x01 of class 0x8E using service 0x07.