Evasion (TA0103)
TRITON

| Step | ATT&CK Pattern |
| --- | --- |
| 3.A.1 | Technique: Masquerading (T0849) |
| 4.A.1 | Technique: Masquerading (T0849) |
| 4.B.1 | Technique: Masquerading (T0849) |
| 5.A.1 | Technique: Masquerading (T0849) |
| 6.B.1 | Technique: Masquerading (T0849) |
| 6.C.1 | Technique: Masquerading (T0849) |
| 6.D.1 | Technique: Masquerading (T0849) |
| 6.E.1 | Technique: Masquerading (T0849) |
| 8.A.1 | Technique: Masquerading (T0849) |
| 11.A.1 | Technique: Masquerading (T0849) |
| 11.C.1 | Technique: Masquerading (T0849) |
| 14.B.1 | Technique: Masquerading (T0849) |
| 17.B.1 | Technique: Masquerading (T0849) |
| 19.B.1 | Technique: Masquerading (T0849) |
| 22.A.2 | Technique: Change Operating Mode (T0858) |
Criteria

- Evidence that the scheduled task "SMB_sync.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).
- Evidence that the "rockwell-csp3" service is not legitimate (the service is a spoofed SSHD, created and then executed via Start-Service).
- Evidence that the "csp-agent" service is not legitimate (the service is a spoofed ssh-agent, created and then executed via Start-Service).
- Evidence that the services "rockwell-csp3" and "csp-agent" are not legitimate (the services are a spoofed SSHD and ssh-agent underneath, created and then executed via Start-Service).
- Evidence that the files newly created by extracting "RSLINX_install.zip" into the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence of the safety PLC operating mode being switched to Program Mode following an adversary CIP request to instance 0x01 of class 0x8E using service 0x07.
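Detection logic for the last criterion, as an added example that is not MITRE's or Dragos's code: it parses the CIP Message Router request header (service code, request-path size, logical EPATH segments) and flags a request carrying service 0x07 to instance 0x01 of class 0x8E. It assumes the EtherNet/IP encapsulation has already been stripped, and the sample request bytes are constructed.

```python
# Added example (not MITRE's or Dragos's code): parse a raw CIP Message Router
# request and flag the one the criterion above describes: service 0x07 sent to
# instance 0x01 of class 0x8E. Assumes EtherNet/IP encapsulation is already stripped.
from typing import Dict, Optional

# Logical EPATH segment type bytes -> (field, value width in bytes).
SEGMENT_TYPES = {
    0x20: ("class", 1), 0x21: ("class", 2),
    0x24: ("instance", 1), 0x25: ("instance", 2),
    0x30: ("attribute", 1), 0x31: ("attribute", 2),
}

def parse_cip_request(raw: bytes) -> Optional[Dict[str, int]]:
    """Return {'service', 'class', 'instance', ...} or None if malformed."""
    if len(raw) < 2:
        return None
    fields = {"service": raw[0]}
    pos, end = 2, 2 + raw[1] * 2       # request path size is in 16-bit words
    if end > len(raw):
        return None
    while pos < end:
        seg = SEGMENT_TYPES.get(raw[pos])
        if seg is None:
            return None                # port/symbolic segments are out of scope here
        name, width = seg
        if width == 1:
            value, pos = raw[pos + 1], pos + 2
        else:                          # 16-bit value follows a pad byte, little-endian
            value, pos = int.from_bytes(raw[pos + 2:pos + 4], "little"), pos + 4
        if pos > end:
            return None
        fields[name] = value
    return fields

def is_program_mode_request(raw: bytes) -> bool:
    """True when the request matches the Change Operating Mode criterion."""
    req = parse_cip_request(raw)
    return (req is not None and req["service"] == 0x07
            and req.get("class") == 0x8E and req.get("instance") == 0x01)

# Constructed samples: the flagged request, a benign Get_Attribute_Single (0x0E)
# on the Identity object (class 0x01), and the same class via a 16-bit segment.
PROGRAM_MODE_REQUEST = bytes([0x07, 0x02, 0x20, 0x8E, 0x24, 0x01])
IDENTITY_READ = bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x01])
PROGRAM_MODE_16BIT = bytes([0x07, 0x03, 0x21, 0x00, 0x8E, 0x00, 0x24, 0x01])
```

The same check can be run over a captured unconnected-send payload once the encapsulation and CPF items are removed.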