| UCEB-2 |
Use of Old or Rotated Cryptographic Keys for Authentication |
Detection of authentication attempts using cryptographic keys that have already been rotated or marked as no longer valid. This may indicate that threat actors are using old or compromised keys to try to access to spacecraft or C2 systems. |
[x-opencti-cryptographic-key:status = 'rotated or expired'] |
| UCEB-11 |
Use of Account or Cryptographic Keys at Unexpected Times |
Detection of a user account or cryptographic key being used outside of the expected operational time windows. This may indicate unauthorized or suspicious activity, such as a threat actor using valid credentials or cryptographic keys to gain or maintain persistent access to the spacecraft or related systems. |
[user-account:last_login_time != 'expected_operational_hours' OR x-opencti-cryptographic-key:usage_time != 'expected_usage_time'] |
| CSNE-11 |
Data Exfiltration Detected During Scheduled Communication Windows |
Detection of larger-than-expected data packets sent during scheduled spacecraft communication windows, indicating that a compromised ground system may be exfiltrating data under the guise of legitimate operations. |
[network-traffic:direction = 'downlink' AND network-traffic:data_size > 'expected_size'] |
| CSNE-21 |
Unauthorized Data Transmission from Ground System to External IP |
Detection of data transmissions originating from a compromised ground system to an external IP address not authorized for spacecraft operations, potentially indicating exfiltration of sensitive information. |
[network-traffic:src_ref.role = 'ground_system' AND network-traffic:dst_ref.value != 'authorized_external_ip'] |
| CSNE-23 |
Sudden Increase in Bandwidth Usage from Ground System |
Detection of a sudden increase in network bandwidth usage from the ground system, which could indicate data exfiltration activities as threat actors attempt to move large amounts of information out of the compromised system. |
[network-traffic:bandwidth_usage > 'expected_threshold' AND network-traffic:src_ref.role = 'ground_system'] |
| ARFS-1 |
Authentication Process Tampering |
Detection of modifications to the authentication process, which may signal unauthorized changes by a threat actor seeking access to a spacecraft. Potential modifications include tampering with encryption keys or authentication tokens. Additionally, irregularities in sequence counters, such as receiving packets out of sequence, may indicate an adversary's attempt to align with the spacecraft's authentication or sequencing protocols. |
[x-opencti-system-log:authentication_process_modification = 'TRUE'] |
| SIUU-4 |
Abnormal Software Update Activity Detected |
Detection of unauthorized or abnormal software update attempts, particularly affecting critical spacecraft subsystems or even FSW as a whole. This may be an indicator of an attacker exploiting a code flaw to introduce malicious code or manipulate software functionality. |
[x-opencti-update-log:source != 'trusted_source' AND x-opencti-update-log:software_component = 'critical_subsystem'] |