Indicators of Behavior

SPARTA

Unauthorized and Anomalous Command Execution in Spacecraft Operations

Hardware Command Executed Outside Authorized Schedule

Unauthorized Hardware Command-Induced Configuration Change

Legitimate Command with Malicious Parameters Targeting Subsystems

Unexpected Legitimate Command Sent

Unexpected counter increment (valid or invalid count)

Unauthorized Commands Issued from Unrecognized Ground Station

Duplicate Command Packet Executions

Anomalous Command Packet Signatures

Valid Command Flooding

Logs of Processed Commands Flooding

Unauthorized Command Execution via Flight Software

Anomalous Command or Sequence in Safe-Mode

Unexpected Command Execution During Safe-Mode

Safe-Mode Exit Command Executed at Unexpected Time

Command from Untrusted Ground Station or Location in Safe-Mode

Irregular Orbit Maneuver Commands Detected on Attitude Control

Abnormal Burn Duration Detected in Propulsion Subsystem

Suspicious Burn Sequence Executed Outside Planned Timeline

Unexpected Thrust Direction Detected in Propulsion Subsystem

Repeated Downlink Commands with Identical Timestamps

Repeated Downlink Commands Sent Outside Authorized Time

Multiple Consecutive Burn Commands Exceeding Duration Limits

Unusual Commands from Subsystem Acting as Bus Controller (1553)

Unauthorized CLTU-START, STOP, or UNBIND Initiation from Unauthorized User or Rogue IP

Telecommand Format Tampering in CLTU-TRANSFER_DATA

Unauthorized Crosslink Command at Unexpected Time

Unauthorized Cryptographic Key Usage and Encryption Bypass

Repeated Use of Cryptographic Keys from Unusual Locations

Use of Old or Rotated Cryptographic Keys for Authentication

Unexpected Access to Cryptographic Keys

Unexpected Changes to Encryption Configuration Settings

Unexpected SPI Value Triggering Segmentation Fault

Abnormal Security Association (SA) Pointer Retrieval

Modification of Encryption Algorithms

Payload Channel Operating Without Encryption

Failed Credential Encryption in SLE Protocol

Crosslink Channel Operating Without Encryption

Use of Account or Cryptographic Keys at Unexpected Times

Communication Security and Network Exploitation

Unexpected Ground Station IP Address in Communication

ARP Spoofing Attack (Rogue IP)

Backup Channel Activity Outside Scheduled Time Windows

Unexpected Data Transfer Over Backup Channel While Primary Active

Traffic Volume Spike on Backup Channel

Unexpected Communication Protocols in Uplink

Use of Unexpected Protocol on Backup Channel

Denial of Service Due to Saturated Bandwidth Detected

Unexpected Downlink Traffic Dropped or Disrupted

Transmission to Unauthorized Ground Station Detected

Data Exfiltration Detected During Scheduled Communication Windows

Generic Flooding Attack

Erroneous Input Flooding

Unusual Data Transmission Between SpaceWire Routing Switches

Unexpected Communication Between Subsystems

Suspicious Network Traffic Without Expected Encryption

Creation of FIFO for Data Exfiltration or Command Injection

Process Execution Tied to Specific Geographic Coordinates

Unexpected High-Priority Messages on the CAN Bus

Unauthorized Downlink Communication at Unexpected Time

Unauthorized Data Transmission from Ground System to External IP

Traffic Volume Spike on Out-of-Band Link

Sudden Increase in Bandwidth Usage from Ground System

ARP Spoofing via MAC Address Mismatch

CAN Bus Error Frames Detected Across Multiple Nodes

Frequent CAN Arbitration Loss by Critical Subsystems

Unexpected Communication Between SpaceWire Nodes

Detection of CANBus Replay Attack with Duplicate Message ID and Timing Anomalies

Replay of Legitimate CANBus Message with Known Message ID

Unauthorized Device Acting as Bus Controller (1553)

Specially Crafted CAN Messages Sent to Critical Subsystems

Repeated CAN Message Spoofing Detected Between Subsystems

Unusual Communication Between Payload and Critical Subsystems

Unusual Data Transmission from Remote Terminal to Subsystem. (1553)

Traffic Volume Spike on Payload Channel

Payload Channel Activity Outside Scheduled Time Windows

Out-of-Band Activity Outside Scheduled Time Windows

Use of Unexpected Protocol on Out-of-Band Link

Unauthorized Frequency Usage on Out-of-Band Link

Unplanned Deactivation of Downlink Transmitter

High Latency Detected in Downlink Communication

Multiple Failed Downlink Attempts from Spacecraft

Anomalous Increase in Crosslink Traffic Volume

Communication to Unauthorized Neighboring Spacecraft

Unauthorized Signal Transmission to Secondary Receiver

Authentication and RF Signal Integrity Threats

Authentication Process Tampering

Anomalous Authentication Attempts

Invalid RF Command Lock

Unexpected Latency in Command Packet Processing

Failed Authentication Attempts Due to RF/EMI Interference

Abnormal Signal Strength

Noise Injection Detected in Communication Channels

Unauthorized Frequency Usage on Backup Channel

Safe-Mode Activation Due to Signal Jamming

CLTU BIND Authentication Failure

Authorized SLE Session Establishment by Attacker (Rogue IP)

Rejection of CLTU BIND Due to Tampered/Invalid Credentials

GNSS and Time Manipulation Threats

Unexpected GNSS Signal Delay

Signal-to-Noise Ratio Drop in GNSS Receiver

GNSS Signal Outage Detected

GNSS Receiver Power Fluctuations

Time Discrepancy Detected in GPS/External Signal Input

Unexpected Time Delta Detected

Time Adjustment Commands Detected

Anomalous Hardware Clock Behavior

Anomalous GNSS Timing Behavior (Time Rewind Detected)

Anomalous Sensor Data (Time Rewind Detected)

Unexpected Position Delta Detected via Anomalous GNSS Position Data

ICD Field Non-Compliance Detected

Spacecraft Memory Integrity and Resource Exploitation Attacks

Anomalous Flash Write Operations Detected in Short Timeframe

Anomalous Flash/EEPROM Memory Checksums Detected

Unusual Access Frequency to Critical Memory Regions

Skipped Boot Integrity Check

Memory Corruption Detected in Flight Software

Unexpected Modification of Memory Location Associated with Telemetry Data

Unexpected Memory Value Write or Modification

Resource Exhaustion Due to Handling Invalid Inputs

Failed Boot Memory Validation

Anomalous Boot Sequence Execution

Detection of Malicious Code in Boot Memory (Integrity Failure)

Unexpected Modification to Encryption Memory/Table

Unexpected Modification to Stored Commands Area

Abnormal Memory Consumption by Malicious Process

Unexpected Modification of Memory Location Associated with Payload Data

Unexpected Boot Memory Modifications

Unauthorized System Call to Open Flash Memory Blocks (/dev/mtd)

Bit Flip in Critical Memory Region Detected via Error Detection

Watchdog Timer (WDT) and Register Exploitation

Reduced Watchdog Timer Reset Frequency

Abnormal Frequency of Watchdog Timer Resets

Watchdog Timer Status Disabled

Watchdog Timer Timeout Modified to Unexpected Value

Unauthorized Access Attempt to Critical Registers

Unexpected Register Reset Activity

Anomalous Register Value Modification

Software Integrity and Unauthorized Updates

Unexpected Hardware Interrupt Trigger

Unexpected System Integrity Failures in Software

Security Feature Bypass Detected in Hardware Design

Abnormal Software Update Activity Detected

Unscheduled Software Updates Detected

Compromised Software Certificates or Digital Signatures

Invalid Digital Signature in On-Orbit Update Package

Malicious Code via New Process

Unexpected Software Crash Detected in Flight Software

Process Executing Priority Modification

Suspicious Binary or Script Execution

Loading of Malicious Kernel Modules

Repeated File Access to /null and Other Dummy Files

Abnormal System Calls Indicative of a Software Backdoor/Malicious Code

Repeated File Access to /zero or /null Devices

Execution of System Commands

Detection of Anomalous API Calls in Flight Software

Suspicious Activity in Software Compilation or Build Process

Unauthorized Modification of Source Code in Software Repository

Suspicious Access to Vulnerable Software Process

Detection of Anomalous Process Behavior Due to Code Exploitation

Abnormal Subsystem Behavior Following Malicious Code Execution

Detection of Unauthorized Hardware Debugging

Suspicious Firmware Version Rollback

Unauthorized Function Hooking in Telemetry Process

Unauthorized Modification of Downlink Configuration

Spacecraft Sensor Manipulation and System Resource Exploitation

Sensor Data Exceeds Operational Ranges

High CPU Utilization Due to Anomalous/Malicious Activity

Unauthorized State Changes in Critical Sensors

ADCS Onboard Values Manipulation

Unexpected Spacecraft Telemetry or Movement Detected on Attitude

Unauthorized Fault Management Configuration Change Detected Outside Expected Time

Unauthorized Star Map Changes in Star Trackers

Sudden Orbit Correction Detected Outside of Planned Windows

Security Feature Disabled in Safe-Mode

Ransomware Holding CPU Cycles Hostage

High CPU Usage Detected for Unauthorized Process

Microwave Emissions Targeting Sensitive Nodes

High Energy Particle Strike on Sensitive Node

Multiple Failed System Reinitializations Due to Exploit

Unexpected Changes to Software-Defined Radio (SDR) Configuration

Unexpected Fault Management Process Termination

Telemetry Packet Drops Due to CPU or Memory Overload

Abnormal Process Forking Leading to Resource Exhaustion

System Freeze or Crash Detected After High Resource Consumption (CPU, Memory, Storage)

Data Integrity and Storage Exploitation Threats

File or Data Integrity Check Failure

Unauthorized Modification of On-Orbit Update Binary

Multiple Failed Attempts to Access Encrypted Data

Storage Exhaustion (Disk Full)

Unusual File Encryption Activity Detected

Suspicious Activity Leading to Storage Exhaustion

Attitude Sensor Data and Actuator Behavior

Anomalous Frequency of Sensor Data Updates

Unexpected Change in Gyroscope Sensor Data

Abnormal Data Flow in Attitude Control Telemetry

Sensor Data Spike Detected

Discrepancy Between Redundant Sensor Systems

Flight Software Configuration Anomalies

Unexpected Audit Log Rotation

High Volume of Audit Log Entries Detected

Audit Log Capacity Limit Reached

Unauthorized Modification of Critical Onboard Values

Hardware Command Executed Outside Authorized Schedule

Detects hardware commands being executed outside predefined authorized time windows, potentially indicating unauthorized or malicious activity. Hardware commands should be few and far between and should occur only when expected/planned.

STIX Pattern

[x-opencti-command-log:command = 'hw_cmd_execute' AND x-opencti-command-log:execution_time != 'authorized_time']

SPARTA TTPs

ID		Name	Description
EX-0005		Exploit Hardware/Firmware Corruption	The adversary achieves execution or effect by corrupting or steering behavior beneath the software stack, in device firmware, programmable logic, or the hardware itself. Examples include tampering with firmware images or configuration blobs burned into non-volatile memory; targeting MCU/SoC boot ROM fallbacks; editing FPGA bitstreams or partial-reconfiguration frames; or leveraging physical phenomena and timing to flip bits or skip checks. Because these actions occur below or alongside the operating system and application FSW, traditional endpoint safeguards see normal interfaces while trust anchors are already altered.
EX-0005.02		Malicious Use of Hardware Commands	Threat actors may issue low-level device or maintenance commands that act directly on hardware, bypassing much of the high-level command mediation. These may be memory-mapped register writes forwarded over the bus, vendor-specific instrument/control opcodes, built-in-test and calibration modes, boot-mode or fuse-programming sequences, file/sector operations to on-board non-volatile stores, or actuator primitives for wheels, thrusters, motors, heaters, and RF chains. Because these interfaces exist to configure sensors, zero momentum, switch power domains, tune gains, or adjust clocks, they can also be sequenced to produce harmful effects: over-driving mechanisms, altering persistent calibration, disabling watchdogs, or switching timing sources. Some hardware command sets are only exposed in maintenance or contingency modes, while others are always reachable through gateway processors that translate high-level telecommands into device-level operations. By crafting orders that respect expected framing and rate/size limits, the adversary can induce mechanical, electrical, or logical state changes with immediate, high-privilege impact, all while appearing to exercise legitimate device capabilities.