Ground System Presence

The adversary maintains long-lived access by residing within mission ground infrastructure that already has end-to-end reach to the spacecraft. Persistence can exist in operator workstations and mission control software, schedulers/orchestrators, station control (antenna/mount, modem/baseband), automation scripts and procedure libraries, identity and ticketing systems, and cloud-hosted mission services. With this foothold, the actor can repeatedly queue commands, updates, or file transfers during routine passes; mirror legitimate operator behavior to blend in; and refresh their tooling as software is upgraded. Presence on the ground also supports durable reconnaissance (pass plans, dictionaries, key/counter states) and continuous staging so each window to the vehicle can be exploited without re-establishing access.

ID: PER-0003

Sub-techniques: No sub-techniques

Notional Risk (H | M | L): 25 | 24 | 21

ⓘ

Tactic: Persistence

Created: 2022/10/19

Last Modified: 2026/03/11

Countermeasures

ID	Name	Tiering	Description	NIST Rev5	ISO 27001	Onboard SV	Ground
CM0033	Relay Protection	Tier I	Implement relay and replay-resistant authentication mechanisms for establishing a remote connection or connections on the spacecraft bus.	AC-17(10) \| IA-2(8) \| IA-3 \| IA-3(1) \| IA-4 \| IA-7 \| SC-13 \| SC-16(1) \| SC-23 \| SC-23(1) \| SC-23(3) \| SC-7 \| SC-7(11) \| SC-7(18) \| SI-10 \| SI-10(5) \| SI-10(6) \| SI-3(8)	A.5.16 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.24 \| A.8.26 \| A.5.31	YES	YES
CM0036	Session Termination	Tier I	Terminate the connection associated with a communications session at the end of the session or after an acceptable amount of inactivity which is established via the concept of operations.	AC-12 \| AC-12(2) \| SC-10 \| SI-14(3) \| SI-4(7)	A.8.20	YES
CM0005	Ground-based Countermeasures	Tier II	This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://csrc.nist.gov/pubs/ir/8401/final). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.	AC-1 \| AC-10 \| AC-11 \| AC-11(1) \| AC-12 \| AC-12(1) \| AC-14 \| AC-16 \| AC-16(6) \| AC-17 \| AC-17(1) \| AC-17(10) \| AC-17(2) \| AC-17(3) \| AC-17(4) \| AC-17(6) \| AC-17(9) \| AC-18 \| AC-18(1) \| AC-18(3) \| AC-18(4) \| AC-18(5) \| AC-19 \| AC-19(5) \| AC-2 \| AC-2(1) \| AC-2(11) \| AC-2(12) \| AC-2(13) \| AC-2(2) \| AC-2(3) \| AC-2(9) \| AC-20 \| AC-20(1) \| AC-20(2) \| AC-20(3) \| AC-20(5) \| AC-21 \| AC-22 \| AC-3 \| AC-3(11) \| AC-3(13) \| AC-3(15) \| AC-3(4) \| AC-4 \| AC-4(23) \| AC-4(24) \| AC-4(25) \| AC-4(26) \| AC-4(31) \| AC-4(32) \| AC-6 \| AC-6(1) \| AC-6(10) \| AC-6(2) \| AC-6(3) \| AC-6(5) \| AC-6(8) \| AC-6(9) \| AC-7 \| AC-8 \| AT-2(4) \| AT-2(5) \| AT-2(6) \| AT-3 \| AT-3(2) \| AT-4 \| AU-10 \| AU-11 \| AU-12 \| AU-12(1) \| AU-12(3) \| AU-14 \| AU-14(1) \| AU-14(3) \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(1) \| AU-5(2) \| AU-5(5) \| AU-6 \| AU-6(1) \| AU-6(3) \| AU-6(4) \| AU-6(5) \| AU-6(6) \| AU-7 \| AU-7(1) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| AU-9(4) \| CA-3 \| CA-3(6) \| CA-3(7) \| CA-7 \| CA-7(1) \| CA-7(6) \| CA-8 \| CA-8(1) \| CA-9 \| CM-10(1) \| CM-11 \| CM-11(2) \| CM-11(3) \| CM-12 \| CM-12(1) \| CM-14 \| CM-2 \| CM-2(2) \| CM-2(3) \| CM-2(7) \| CM-3 \| CM-3(1) \| CM-3(2) \| CM-3(4) \| CM-3(5) \| CM-3(6) \| CM-3(7) \| CM-3(8) \| CM-4 \| CM-5(1) \| CM-5(5) \| CM-6 \| CM-6(1) \| CM-6(2) \| CM-7 \| CM-7(1) \| CM-7(2) \| CM-7(3) \| CM-7(5) \| CM-7(8) \| CM-7(9) \| CM-8 \| CM-8(1) \| CM-8(2) \| CM-8(3) \| CM-8(4) \| CM-9 \| CP-10 \| CP-10(2) \| CP-10(4) \| CP-2 \| CP-2(2) \| CP-2(5) \| CP-2(8) \| CP-3(1) \| CP-4(1) \| CP-4(2) \| CP-4(5) \| CP-8 \| CP-8(1) \| CP-8(2) \| CP-8(3) \| CP-8(4) \| CP-8(5) \| CP-9 \| CP-9(1) \| CP-9(2) \| CP-9(3) \| IA-11 \| IA-12 \| IA-12(1) \| IA-12(2) \| IA-12(3) \| IA-12(4) \| IA-12(5) \| IA-12(6) \| IA-2 \| IA-2(1) \| IA-2(12) \| IA-2(2) \| IA-2(5) \| IA-2(6) \| IA-2(8) \| IA-3 \| IA-3(1) \| IA-4 \| IA-4(9) \| IA-5 \| IA-5(1) \| IA-5(13) \| IA-5(14) \| IA-5(2) \| IA-5(7) \| IA-5(8) \| IA-6 \| IA-7 \| IA-8 \| IR-2 \| IR-2(2) \| IR-2(3) \| IR-3 \| IR-3(1) \| IR-3(2) \| IR-3(3) \| IR-4 \| IR-4(1) \| IR-4(10) \| IR-4(11) \| IR-4(12) \| IR-4(13) \| IR-4(14) \| IR-4(3) \| IR-4(4) \| IR-4(5) \| IR-4(6) \| IR-4(7) \| IR-4(8) \| IR-5 \| IR-5(1) \| IR-6 \| IR-6(1) \| IR-6(2) \| IR-7 \| IR-7(1) \| IR-8 \| MA-2 \| MA-3 \| MA-3(1) \| MA-3(2) \| MA-3(3) \| MA-4 \| MA-4(1) \| MA-4(3) \| MA-4(6) \| MA-4(7) \| MA-5(1) \| MA-6 \| MA-7 \| MP-2 \| MP-3 \| MP-4 \| MP-5 \| MP-6 \| MP-6(3) \| MP-7 \| PE-3(7) \| PL-10 \| PL-11 \| PL-8 \| PL-8(1) \| PL-8(2) \| PL-9 \| PM-11 \| PM-16(1) \| PM-17 \| PM-30 \| PM-30(1) \| PM-31 \| PM-32 \| RA-10 \| RA-3(1) \| RA-3(2) \| RA-3(3) \| RA-3(4) \| RA-5 \| RA-5(10) \| RA-5(11) \| RA-5(2) \| RA-5(4) \| RA-5(5) \| RA-7 \| RA-9 \| SA-10 \| SA-10(1) \| SA-10(2) \| SA-10(7) \| SA-11 \| SA-11(2) \| SA-11(4) \| SA-11(7) \| SA-11(9) \| SA-15 \| SA-15(3) \| SA-15(7) \| SA-17 \| SA-2 \| SA-22 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4 \| SA-4(1) \| SA-4(10) \| SA-4(12) \| SA-4(2) \| SA-4(3) \| SA-4(5) \| SA-4(7) \| SA-4(9) \| SA-5 \| SA-8 \| SA-8(14) \| SA-8(15) \| SA-8(18) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SA-8(24) \| SA-8(29) \| SA-8(9) \| SA-9 \| SA-9(1) \| SA-9(2) \| SA-9(6) \| SA-9(7) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(6) \| SC-13 \| SC-15 \| SC-16(2) \| SC-16(3) \| SC-18(1) \| SC-18(2) \| SC-18(3) \| SC-18(4) \| SC-2 \| SC-2(2) \| SC-20 \| SC-21 \| SC-22 \| SC-23 \| SC-23(1) \| SC-23(3) \| SC-23(5) \| SC-24 \| SC-28 \| SC-28(1) \| SC-28(3) \| SC-3 \| SC-38 \| SC-39 \| SC-4 \| SC-45 \| SC-45(1) \| SC-45(2) \| SC-49 \| SC-5 \| SC-5(1) \| SC-5(2) \| SC-5(3) \| SC-50 \| SC-51 \| SC-7 \| SC-7(10) \| SC-7(11) \| SC-7(12) \| SC-7(13) \| SC-7(14) \| SC-7(18) \| SC-7(21) \| SC-7(25) \| SC-7(29) \| SC-7(3) \| SC-7(4) \| SC-7(5) \| SC-7(7) \| SC-7(8) \| SC-7(9) \| SC-8 \| SC-8(1) \| SC-8(2) \| SC-8(5) \| SI-10 \| SI-10(3) \| SI-10(6) \| SI-11 \| SI-12 \| SI-14(3) \| SI-16 \| SI-19(4) \| SI-2 \| SI-2(2) \| SI-2(3) \| SI-2(6) \| SI-21 \| SI-3 \| SI-3(10) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(12) \| SI-4(13) \| SI-4(14) \| SI-4(15) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(20) \| SI-4(22) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-5 \| SI-5(1) \| SI-6 \| SI-7 \| SI-7(1) \| SI-7(17) \| SI-7(2) \| SI-7(5) \| SI-7(7) \| SI-7(8) \| SR-1 \| SR-10 \| SR-11 \| SR-11(1) \| SR-11(2) \| SR-11(3) \| SR-12 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(1) \| SR-3(2) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2) \| SR-6 \| SR-6(1) \| SR-7 \| SR-8 \| SR-9 \| SR-9(1)	5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.15 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.16 \| A.5.18 \| A.8.2 \| A.8.16 \| A.5.15 \| A.5.33 \| A.8.3 \| A.8.4 \| A.8.18 \| A.8.20 \| A.8.2 \| A.8.4 \| A.5.14 \| A.8.22 \| A.8.23 \| A.8.11 \| A.8.10 \| A.5.15 \| A.8.2 \| A.8.18 \| A.8.5 \| A.8.5 \| A.7.7 \| A.8.1 \| A.5.14 \| A.6.7 \| A.8.1 \| A.8.16 \| A.5.14 \| A.8.1 \| A.8.20 \| A.5.14 \| A.7.9 \| A.8.1 \| A.5.14 \| A.7.9 \| A.8.20 \| A.6.3 \| A.8.15 \| A.8.15 \| A.8.6 \| A.5.25 \| A.6.8 \| A.8.15 \| A.7.4 \| A.8.17 \| A.5.33 \| A.8.15 \| A.5.28 \| A.8.15 \| A.8.15 \| A.8.15 \| A.5.14 \| A.8.21 \| 9.1 \| 9.3.2 \| 9.3.3 \| A.5.36 \| 9.2.2 \| A.8.9 \| A.8.9 \| 8.1 \| 9.3.3 \| A.8.9 \| A.8.32 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.19 \| A.8.19 \| A.5.9 \| A.8.9 \| A.5.2 \| A.8.9 \| A.8.19 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.8.6 \| A.5.30 \| A.5.30 \| A.5.29 \| A.7.11 \| A.5.29 \| A.5.33 \| A.8.13 \| A.5.29 \| A.5.16 \| A.5.16 \| A.5.16 \| A.5.17 \| A.8.5 \| A.5.16 \| A.6.3 \| A.5.25 \| A.5.26 \| A.5.27 \| A.8.16 \| A.5.5 \| A.6.8 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.24 \| A.7.10 \| A.7.13 \| A.8.10 \| A.8.10 \| A.8.16 \| A.8.10 \| A.7.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.5.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.8.10 \| A.5.10 \| A.7.9 \| A.7.10 \| A.5.10 \| A.7.10 \| A.7.14 \| A.8.10 \| A.5.10 \| A.7.10 \| A.5.8 \| A.5.7 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| 4.4 \| 6.2 \| 7.4 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 9.1 \| 9.2.2 \| 10.1 \| 10.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.22 \| A.5.7 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| 8.1 \| A.5.8 \| A.5.20 \| A.5.23 \| A.8.29 \| A.8.30 \| A.8.28 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.9 \| A.8.28 \| A.8.30 \| A.8.32 \| A.8.29 \| A.8.30 \| A.5.8 \| A.8.25 \| A.8.25 \| A.8.27 \| A.8.6 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.23 \| A.8.12 \| A.5.10 \| A.5.14 \| A.8.20 \| A.8.26 \| A.5.33 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.14 \| A.5.10 \| A.5.33 \| A.6.8 \| A.8.8 \| A.8.32 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16 \| A.5.6 \| A.8.11 \| A.8.10 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22 \| A.5.22	YES
CM0034	Monitor Critical Telemetry Points	Tier I	Monitor defined telemetry points for malicious activities (i.e., jamming attempts, commanding attempts (e.g., command modes, counters, etc.)). This would include valid/processed commands as well as commands that were rejected. Telemetry monitoring should synchronize with ground-based Defensive Cyber Operations (i.e., SIEM/auditing) to create a full space system situation awareness from a cybersecurity perspective.	AC-17(1) \| AU-3(1) \| CA-7(6) \| IR-4(14) \| PL-8 \| PL-8(1) \| SA-8(13) \| SC-16 \| SC-16(1) \| SC-7 \| SI-3(8) \| SI-4(7)	A.8.16 \| A.5.8 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26	YES
CM0032	On-board Intrusion Detection & Prevention	Tier I	Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.	AU-14 \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(2) \| AU-5(5) \| AU-6(1) \| AU-6(4) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| CA-7(6) \| CM-11(3) \| CP-10 \| CP-10(4) \| IR-4 \| IR-4(11) \| IR-4(12) \| IR-4(14) \| IR-4(5) \| IR-5 \| IR-5(1) \| PL-8 \| PL-8(1) \| RA-10 \| RA-3(4) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SC-16(2) \| SC-32(1) \| SC-5 \| SC-5(3) \| SC-7(10) \| SC-7(9) \| SI-10(6) \| SI-16 \| SI-17 \| SI-3 \| SI-3(10) \| SI-3(8) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(13) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-4(7) \| SI-6 \| SI-7(17) \| SI-7(8)	A.8.15 \| A.8.15 \| A.8.6 \| A.8.17 \| A.5.33 \| A.8.15 \| A.8.15 \| A.5.29 \| A.5.25 \| A.5.26 \| A.5.27 \| A.5.8 \| A.5.7 \| A.8.12 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16	YES

Indicators of Behavior

ID	Name	Description	STIX Pattern
UACE-3	Legitimate Command with Malicious Parameters Targeting Subsystems	A legitimate command is sent, but with parameters that exceed safe thresholds for a subsystem or component on the spacecraft. This could include commands that affect critical subsystems like power distribution, attitude control, or thermal regulation, potentially leading to damage, instability, or malfunction. The misuse of valid parameters across different subsystems can result in severe operational impact or hardware degradation.	[x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:target_subsystem != 'expected_subsystem' AND x-opencti-command-log:parameter_value > 'safe_threshold']
UACE-24	Unauthorized CLTU-START, STOP, or UNBIND Initiation from Unauthorized User or Rogue IP	Detects the initiation of the CLTU-START, CLTU-STOP, or CLTU-UNBIND commands by either an unauthorized user or a rogue IP address (even with valid credentials), potentially indicating malicious activity targeting session control.	[(x-opencti-command-log:command = 'CLTU-START' OR x-opencti-command-log:command = 'CLTU-STOP' OR x-opencti-command-log:command = 'CLTU-UNBIND') AND (x-opencti-command-log:user != 'authorized_user' OR network-traffic:src_ref.value != 'authorized_ip')]
UACE-25	Telecommand Format Tampering in CLTU-TRANSFER_DATA	Detects that the telecommand data within the CLTU-TRANSFER_DATA PDU does not conform to the expected CCSDS telecommand format, indicating tampering.	[network-traffic:protocols = 'x_ccsds_tc' AND network-traffic:x_content_format != 'expected_ccsds_tc_format' AND network-traffic:x_content = 'cltu-transfer_data']
UCEB-9	Failed Credential Encryption in SLE Protocol	Detects that credentials in the CLTU-BIND message were transmitted without encryption, making them vulnerable to capture and replay attacks. The Space Link Extension (SLE) protocol itself does not provide built-in encryption for securing the data transmitted through its services. The protocol focuses on the extension of space link operations between ground systems, but it lacks native security features such as encryption. The SLE protocol was designed to facilitate operational efficiency rather than providing security mechanisms. Any security (including encryption) typically happens outside of the SLE protocol, through mechanisms such as bulk encryption at the hardware layer or via an external transport security layer (e.g., IPsec or TLS) added on top of the communication channels. Encryption is usually implemented at the hardware level (bulk encryption) or applied to the transport layer through external protocols. This ensures that the data exchanged between the SLE User (Mission Control System) and the SLE Provider (Ground Station) is protected during transmission.	[network-traffic:dst_ref.value = 'SLE_Provider' AND network-traffic:encryption_status != 'encrypted']
CSNE-2	ARP Spoofing Attack (Rogue IP)	Rogue IP found communicating between the MOC and ground station which could indicate ARP Spoofing is occuring, or some other man-in-the-middle is going on.	[network-traffic:src_ref.role = 'ground_station' AND network-traffic:dst_ref.role = 'mission_control_system' AND network-traffic:src_ref.value != 'authorized_ip']
CSNE-6	Unexpected Communication Protocols in Uplink	Detection of unexpected communication protocols in the uplink traffic from a ground station or any rogue device (i.e., spacecraft), indicating that someone may be using non-standard protocols to communicate with the spacecraft.	[network-traffic:protocols[*] != 'expected_protocol' AND network-traffic:direction = 'uplink']
CSNE-10	Transmission to Unauthorized Ground Station Detected	Monitors all downlink channels for traffic directed towards unauthorized ground stations, potentially indicating unauthorized data exfiltration attempts. This approach remains agnostic to the specific hardware used for transmission, ensuring broad applicability across communication systems.	[network-traffic:dst_ref.value != 'authorized_ground_station']
CSNE-23	Sudden Increase in Bandwidth Usage from Ground System	Detection of a sudden increase in network bandwidth usage from the ground system, which could indicate data exfiltration activities as threat actors attempt to move large amounts of information out of the compromised system.	[network-traffic:bandwidth_usage > 'expected_threshold' AND network-traffic:src_ref.role = 'ground_system']
CSNE-24	ARP Spoofing via MAC Address Mismatch	ARP spoofing detected by observing that the MAC address does not match the expected authorized MAC address for the ground station.	[network-traffic:src_ref.value != 'authorized_mac_address' AND network-traffic:src_ref.role = 'ground_station']
ARFS-5	Failed Authentication Attempts Due to RF/EMI Interference	Detection of failed authentication attempts on spacecraft systems potentially caused by RF or EMI interference. This indicator focuses on identifying anomalies in the RF communication environment, such as signal strength variations that do not correspond with legitimate communication patterns. Such anomalies may indicate an attempt to spoof communication signals or interfere with the authentication process to gain unauthorized access. Monitoring these failed attempts, especially when correlated with suspicious RF activity, helps in identifying and mitigating potential security threats.	[x-opencti-radio-communication:signal_strength = 'unexpected_variation' AND x-opencti-authentication-log:status = 'failed' AND x-opencti-authentication-log:source_location NOT IN ('list_of_known_ground_stations')]
ARFS-10	CLTU BIND Authentication Failure	Detects a failure in authentication during the CLTU BIND process. This IOC detects any authentication failure during the CLTU BIND process. It captures a general case where the authentication does not succeed.	[x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:authentication_result = 'failure']
ARFS-11	Authorized SLE Session Establishment by Attacker (Rogue IP)	Detects an authorized SLE session established by the attacker using replayed / captured credentials, gaining control of the session. This is when attacker has valid credentials to establish the bind	[x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:user = 'authorized_user' AND network-traffic:src_ref.value != 'authorized_ip']

Priority 1	Priority 2	Priority 3	Priority 4
CWE-1390: Weak Authentication	CWE-311: Missing Encryption of Sensitive Data	CWE-200: Information Exposure
CWE-1391: Improperly Implemented Security Check for Standard
CWE-172: Encoding Error
CWE-287: Improper Authentication

Ground System Presence

Countermeasures

Related CWE Classes

Related Aerospace Threat ID

Related MITRE ATT&CK TTPs

Related ESA SPACE-SHIELD TTPs

Related MITRE EMB3D Threats

Related BSI Threats

Indicators of Behavior

References