| UACE-6 |
Unauthorized Commands Issued from Unrecognized Ground Station |
Detection of control commands issued to the spacecraft from an unrecognized or unauthorized ground station, potentially indicating that a rogue ground station is attempting to take control of the spacecraft. |
[x-opencti-command-log:command_origin != 'authorized_ground_station' AND x-opencti-command-log:command_type = 'control'] |
| UACE-8 |
Anomalous Command Packet Signatures |
Command packets with invalid or anomalous signatures detected, potentially indicating spoofing or replay of older commands. Command signatures for spacecraft provide a way to verify the authenticity and integrity of commands sent to the spacecraft, ensuring they have not been tampered with during transmission. The signature could be a form of sequence numbers, hashing, or just digital signatures in general. |
[x-opencti-command-log:signature != 'expected_signature'] |
| UCEB-2 |
Use of Old or Rotated Cryptographic Keys for Authentication |
Detection of authentication attempts using cryptographic keys that have already been rotated or marked as no longer valid. This may indicate that threat actors are using old or compromised keys to try to access to spacecraft or C2 systems. |
[x-opencti-cryptographic-key:status = 'rotated or expired'] |
| CSNE-3 |
Backup Channel Activity Outside Scheduled Time Windows |
Monitors for backup communication link activity at times that do not align with predefined operational schedules, signaling potential exploitation or unauthorized usage. |
[network-traffic:src_ref.value = 'backup_channel' AND network-traffic:timestamp != 'scheduled_window'] |
| CSNE-4 |
Unexpected Data Transfer Over Backup Channel While Primary Active |
Monitors traffic volume or bandwidth usage on the backup communication link to detect spikes that exceed normal operational thresholds, which may indicate malicious activity. Monitors backup communication channels for unexpected usage when the primary channel is functional, suggesting potential exploitation. |
[network-traffic:src_ref.value = 'backup_channel' AND network-traffic:traffic_volume > 'baseline_threshold' AND network-traffic:primary_channel_status = 'active'] |
| CSNE-5 |
Traffic Volume Spike on Backup Channel |
Monitors traffic volume or bandwidth usage on the backup communication link to detect spikes that exceed normal operational thresholds, which may indicate malicious activity. |
[network-traffic:src_ref.value = 'backup_channel' AND network-traffic:traffic_volume > 'baseline_threshold'] |
| CSNE-7 |
Use of Unexpected Protocol on Backup Channel |
Monitors for protocol deviations on the backup channel, which could indicate exploitation attempts. |
[network-traffic:protocols != 'expected_protocol' AND network-traffic:src_ref.channel = 'backup_channel'] |
| CSNE-16 |
Suspicious Network Traffic Without Expected Encryption |
Detection of unencrypted telemetry data being transmitted to the ground station when encryption is expected, potentially indicating that encryption has been bypassed to enable unauthorized data exfiltration. |
[network-traffic:encryption_status != 'encrypted' AND network-traffic:protocols[*] = 'satellite_communication' AND network-traffic:dst_ref.role = 'ground_station'] |
| CSNE-45 |
Unauthorized Signal Transmission to Secondary Receiver |
Monitors for transmissions directed at the secondary receiver from sources not recognized as authorized ground stations, potentially indicating an attack attempt. |
[network-traffic:dst_ref.channel = 'secondary_receiver' AND network-traffic:src_ref.value != 'authorized_ground_station'] |
| ARFS-1 |
Authentication Process Tampering |
Detection of modifications to the authentication process, which may signal unauthorized changes by a threat actor seeking access to a spacecraft. Potential modifications include tampering with encryption keys or authentication tokens. Additionally, irregularities in sequence counters, such as receiving packets out of sequence, may indicate an adversary's attempt to align with the spacecraft's authentication or sequencing protocols. |
[x-opencti-system-log:authentication_process_modification = 'TRUE'] |
| ARFS-2 |
Anomalous Authentication Attempts |
Repeated failed authentication attempts detected, potentially indicating an attempt to bypass the authentication process. |
[x-opencti-authentication-log:attempts > 'threshold' AND x-opencti-authentication-log:result = 'failure'] |
| ARFS-5 |
Failed Authentication Attempts Due to RF/EMI Interference |
Detection of failed authentication attempts on spacecraft systems potentially caused by RF or EMI interference. This indicator focuses on identifying anomalies in the RF communication environment, such as signal strength variations that do not correspond with legitimate communication patterns. Such anomalies may indicate an attempt to spoof communication signals or interfere with the authentication process to gain unauthorized access. Monitoring these failed attempts, especially when correlated with suspicious RF activity, helps in identifying and mitigating potential security threats. |
[x-opencti-radio-communication:signal_strength = 'unexpected_variation' AND x-opencti-authentication-log:status = 'failed' AND x-opencti-authentication-log:source_location NOT IN ('list_of_known_ground_stations')] |
| ARFS-7 |
Noise Injection Detected in Communication Channels |
Detection of abnormal noise signal strength in communication channels, potentially indicating a jamming or noise injection attack designed to interfere with legitimate communication and disrupt spacecraft operations. |
[network-traffic:x_signal_noise_ratio < 'expected_noise_threshold' AND network-traffic:protocols[*] = 'satellite_communication'] |
| ARFS-12 |
Rejection of CLTU BIND Due to Tampered/Invalid Credentials |
Detects that the SLE Provider rejected the CLTU BIND request due to tampered or failed credentials, leading to a termination of the connection. This IOC specifically detects the rejection of the CLTU BIND request due to credential tampering/invalid credentials. It explicitly identifies that the BIND request was rejected because the credentials were invalid or tampered with, which leads to the termination of the connection. This is a more focused detection that ties directly to the modification of credentials, which results in the rejection of the CLTU BIND request by the SLE Provider. |
[x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:status = 'rejected' AND x-opencti-command-log:reason = 'invalid_credentials'] |