Masquerading (T0849)

Participant: Claroty. Evaluation: ICS, TRITON.
| Step | ATT&CK Pattern |
| --- | --- |
| 3.A.1 | Tactic: Evasion (TA0103) |
| 4.A.1 | Tactic: Evasion (TA0103) |
| 4.B.1 | Tactic: Evasion (TA0103) |
| 5.A.1 | Tactic: Evasion (TA0103) |
| 6.B.1 | Tactic: Evasion (TA0103) |
| 6.C.1 | Tactic: Evasion (TA0103) |
| 6.D.1 | Tactic: Evasion (TA0103) |
| 6.E.1 | Tactic: Evasion (TA0103) |
| 8.A.1 | Tactic: Evasion (TA0103) |
| 11.A.1 | Tactic: Evasion (TA0103) |
| 11.C.1 | Tactic: Evasion (TA0103) |
| 14.B.1 | Tactic: Evasion (TA0103) |
| 17.B.1 | Tactic: Evasion (TA0103) |
| 19.B.1 | Tactic: Evasion (TA0103) |
Criteria

- Evidence that the newly created files copied from the RDP shared folder into the control EWS Temp SMB directory are not legitimate ("SMBClient.exe", "SMB_Sync.xml", and "SMB_Update.xml").
- Evidence that the scheduled task "SMB_sync.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).
- Evidence that the "SMBClient.exe" process is not legitimate (the binary is a spoofed plink.exe used to create an SSH tunnel and redirect ports).
- Evidence that the newly created files from the extraction of "csp3.zip" in the Temp Rockwell directory are not legitimate ("csp.exe", "Install-csp.ps1", "csp-agent.exe", "sftp.exe", etc.).
- Evidence that the "rockwell-csp3" service is not legitimate (the service is a spoofed SSHD, created then executed via Start-Service).
- Evidence that the "csp-agent" service is not legitimate (the service is a spoofed ssh-agent, created then executed via Start-Service).
- Evidence that the scheduled task "SMB_update.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).
- Evidence that the "SMBClient.exe" process is not legitimate (the binary is a spoofed plink.exe used to create an SSH tunnel and redirect ports).
- Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence that the services "rockwell-csp3" and "csp-agent" are not legitimate (the underlying services are a spoofed SSHD and a spoofed ssh-agent respectively, created then executed via Start-Service).
- Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
- Evidence that the newly created files from the extraction of "Install_RSLogix.zip" in the Temp Rockwell RSLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", etc.).