Claroty: Execution through API (T0871)

TRITON

Step | ATT&CK Pattern | Criteria
2.B.1 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated program upload action of the control PLC (10.0.100.110) to collect the current running configuration (requested from the safety EWS [10.0.100.20]).
9.E.2 | Tactic: Execution (TA0104) | Evidence that all controller and program tag names were requested over CIP from the control PLC (10.0.100.110) to the control EWS (10.0.100.20).
13.A.1 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
16.D.2 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
20.B.2 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated write tag action to the "CC" tag using the 0x4D CIP service (a low value of "0" or False was written).
20.C.2 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated write tag action to the "CC" tag using the 0x4D CIP service (a low value of "0" or False was written).
20.C.3 | Tactic: Execution (TA0104) | Evidence of abuse of a CIP handshake between the control EWS and control PLC resulting in an adversary privilege escalation (the handshake sequence consisted of a service 0x4B class 0x64 initiation request and a service 0x4C class 0x64 challenge response).
21.E.2 | Tactic: Execution (TA0104) | Evidence of adversary-initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
21.F.2 | Tactic: Execution (TA0104) | Evidence of adversary-initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
24.B.2 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
24.C.2 | Tactic: Execution (TA0104) | Evidence of an adversary-initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
24.C.3 | Tactic: Execution (TA0104) | Evidence of abuse of a CIP handshake between the control EWS and control PLC resulting in an adversary privilege escalation (the handshake sequence consisted of a service 0x4B class 0x64 initiation request and a service 0x4C class 0x64 challenge response).
25.E.2 | Tactic: Execution (TA0104) | Evidence of adversary-initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
25.E.3 | Tactic: Execution (TA0104) | Evidence of adversary-initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
25.G.3 | Tactic: Execution (TA0104) | Evidence of write actions occurring on the tags "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" to change setpoints and control actions with CIP service 0x4D and service 0x51, respectively. HMI_Enb was pulsed to remove cascade control and the air damper setpoint tag was written to "100" [percent open].