Analytics | ICS ATT&CK 18.0 → 19.0

Version 18.0 19.0

Analytics : ICS ATT&CK Changelog

Added Analytics
Modified Analytics

Added Analytics

Description
Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Unauthorized messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for benign reasons. Monitor messages for changes in how they are constructed. Monitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers). Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique.

Description

Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Unauthorized messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for benign reasons. Monitor messages for changes in how they are constructed.

Monitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers).

Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique.

Description
Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications. Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections. Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. Monitor for a loss of network communications, which may indicate this technique is being used. Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages are blocked.

Description

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages are blocked.

Description
Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.^[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.^[2]^[3]^[4] References: Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.

Description

Monitor for firmware changes which may be observable via operational alarms from devices.

Monitor device application logs for firmware changes, although not all devices will produce such logs.

Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.^[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.^[2]^[3]^[4]

References:

Description
Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication. Monitor logon sessions for insecure credential use, when feasible.

Description

Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication.

Monitor logon sessions for insecure credential use, when feasible.

Description
Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.

Description
Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data. Monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.

Description

Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.

Monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.

Description
Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

Description

Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

Description
Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

Description

Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.

Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

Description
Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked. Monitor for a loss of network communications, which may indicate this technique is being used. Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution but instead may provide additional evidence that the technique has been used and may complement other detections. Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Description

Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution but instead may provide additional evidence that the technique has been used and may complement other detections.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Description
Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked. Monitor for a loss of network communications, which may indicate this technique is being used. Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution but instead may provide additional evidence that the technique has been used and may complement other detections. Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Description

Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Description
Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Wi-Fi messages are blocked. Monitor for a loss of network communications, which may indicate this technique is being used. Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections. Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Description

Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Wi-Fi messages are blocked.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Description
Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

Description

Monitor device alarms for program downloads, although not all devices produce such alarms.

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

Consult asset management systems to understand expected program versions.

Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

Description
Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

Description

Monitor device alarms for program downloads, although not all devices produce such alarms.

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

Consult asset management systems to understand expected program versions.

Description
Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

Description

Monitor device alarms for program downloads, although not all devices produce such alarms.

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

Consult asset management systems to understand expected program versions.

Modified Analytics

Modified Description View changes side-by-side
Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Blog)(Citation: Github CHIPSEC) (Citation: CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit) Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

Modified Description View changes side-by-side

Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Blog)(Citation: Github CHIPSEC) (Citation: CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit) Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

Old Description	New Description View changes inline
Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.^[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.^[2] ^[3] ^[4] Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. References: Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.	Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.^[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.^[2]^[3]^[4] Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. References: Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.

Details

Dictionary Item Added

FIELD	OLD VALUE	NEW VALUE
revoked		False

Values Changed

FIELD	OLD VALUE	NEW VALUE
modified	2025-10-21T15:10:28.402Z	2026-04-24T20:33:55.812Z
description	Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit) Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.	Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit) Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.
x_mitre_version	1.0	1.1

Modified Description View changes side-by-side
Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001). Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.

Modified Description View changes side-by-side

Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001). Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.

Old Description	New Description View changes inline
Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to Adversary-in-the-Middle activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see LLMNR/NBT-NS Poisoning and SMB Relay. Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity.	Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to Adversary-in-the-Middle activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see Name Resolution Poisoning and SMB Relay. Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity.

Old Description

New Description View changes inline

Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to Adversary-in-the-Middle activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see LLMNR/NBT-NS Poisoning and SMB Relay. Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity.

Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to Adversary-in-the-Middle activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see Name Resolution Poisoning and SMB Relay. Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.

Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity.

Details

Values Changed

FIELD	OLD VALUE	NEW VALUE
description	Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001). Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.	Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity. Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001). Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed. Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.

Modified Description View changes side-by-side
Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Blog)(Citation: Github CHIPSEC) (Citation: CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)

Modified Description View changes side-by-side

Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Blog)(Citation: Github CHIPSEC) (Citation: CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)

Old Description	New Description View changes inline
Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.^[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.^[2] ^[3] ^[4] References: Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.	Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.^[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.^[2]^[3]^[4] References: Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.

Details

Dictionary Item Added

FIELD	OLD VALUE	NEW VALUE
revoked		False

Values Changed

FIELD	OLD VALUE	NEW VALUE
modified	2025-10-21T15:10:28.402Z	2026-04-24T20:33:58.916Z
description	Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)	Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)
x_mitre_version	1.0	1.1

Version 18.0 19.0

Analytics : ICS ATT&CK Changelog

Added Analytics

AN2045 Analytic 2045 v1.0

AN2045

Analytic 2045

v1.0

AN2046 Analytic 2046 v1.0

AN2046

Analytic 2046

v1.0

AN2047 Analytic 2047 v1.0

AN2047

Analytic 2047

v1.0

AN2048 Analytic 2048 v1.0

AN2048

Analytic 2048

v1.0

AN2049 Analytic 2049 v1.0

AN2049

Analytic 2049

v1.0

AN2050 Analytic 2050 v1.0

AN2050

Analytic 2050

v1.0

AN2051 Analytic 2051 v1.0

AN2051

Analytic 2051

v1.0

AN2052 Analytic 2052 v1.0

AN2052

Analytic 2052

v1.0

AN2053 Analytic 2053 v1.0

AN2053

Analytic 2053

v1.0

AN2054 Analytic 2054 v1.0

AN2054

Analytic 2054

v1.0

AN2055 Analytic 2055 v1.0

AN2055

Analytic 2055

v1.0

AN2056 Analytic 2056 v1.0

AN2056

Analytic 2056

v1.0

AN2057 Analytic 2057 v1.0

AN2057

Analytic 2057

v1.0

AN2058 Analytic 2058 v1.0

AN2058

Analytic 2058

v1.0

Modified Analytics

AN1864 Analytic 1864 v1.1

AN1864

Analytic 1864

v1.1

Dictionary Item Added

Values Changed

AN1879 Analytic 1879 v1.0

AN1879

Analytic 1879

v1.0

Values Changed

AN1922 Analytic 1922 v1.1

AN1922

Analytic 1922

v1.1

Dictionary Item Added

Values Changed