TRITON
| Step | ATT&CK Pattern |
| 25.G.2 | |
| 25.G.4 | |
Evidence of a privileged write or force point action being used to overwrite polled tag values on the control PLC when the adversary initiated the CIP service 0x51 within the class 0x6A. The tags associated with the Ignitor (3XY2070) and Flame Sensor (3HS2070) were the target of these actions.
Evidence that a privileged write action occurred and actuated all forced points set in the logic (Enable all forces in Allen-Bradley) following the adversary's request to class 0x69 using service 0x4D.
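The two evidence items above reduce to a (service, class) pair seen in a CIP request. The following is an added example, not part of the evaluation or of any vendor's detection logic: it parses a CIP Message Router request header and flags those two pairs. It assumes the request has already been extracted from its EtherNet/IP encapsulation; the function names, labels and sample bytes are constructed for illustration.

```python
# Added example: flag CIP requests matching the (service, class) pairs in the evidence.
# Service codes in this range are object-specific, so the class must be checked too.
WATCHED = {
    (0x51, 0x6A): "force/privileged write on polled tag values",
    (0x4D, 0x69): "privileged write actuating all forced points",
}

def class_from_epath(path: bytes):
    """Walk logical segments of a CIP EPATH and return the class ID, else None."""
    i = 0
    while i < len(path):
        seg = path[i]
        if seg & 0xE0 != 0x20:            # not a logical segment (e.g. symbolic tag name)
            return None
        size = {0: 2, 1: 4}.get(seg & 0x03)   # 8-bit or 16-bit (padded) format
        if size is None or i + size > len(path):
            return None                   # unsupported format or truncated path
        if (seg >> 2) & 0x07 == 0:        # logical type 0 = class ID
            if size == 2:
                return path[i + 1]
            return int.from_bytes(path[i + 2:i + 4], "little")
        i += size                         # skip instance/member/attribute segments
    return None

def classify(request: bytes):
    """Return a label if the request matches a watched pair, else None."""
    if len(request) < 2 or request[0] & 0x80:     # too short, or a reply (high bit set)
        return None
    service, words = request[0], request[1]
    path = request[2:2 + 2 * words]               # path size is counted in 16-bit words
    if len(path) < 2 * words:
        return None                               # truncated capture
    return WATCHED.get((service, class_from_epath(path)))

# Constructed sample requests (header and path only, no payload).
SAMPLES = [
    bytes([0x51, 0x02, 0x20, 0x6A, 0x24, 0x01]),              # service 0x51, class 0x6A
    bytes([0x4D, 0x03, 0x21, 0x00, 0x69, 0x00, 0x24, 0x01]),  # service 0x4D, 16-bit class 0x69
    bytes([0x4C, 0x02, 0x20, 0x6B, 0x24, 0x01]),              # unrelated pair
    bytes([0x51, 0x02, 0x20]),                                # truncated path
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.hex(), "->", classify(s))
```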