Detection of files being encrypted with an unknown or unexpected encryption algorithm, potentially indicating ransomware activity on spacecraft systems. This can involve newly created or modified files with unusual extensions such as .encrypted or .locked. - if ransomware were to include those extenstions then you would att AND file:extension IN ('.encrypted', '.locked') to the pattern to become. [file:encryption_algorithm != 'none' AND file:extension IN ('.encrypted', '.locked') AND file:modified_time = 'recent']
| ID | Name | Description | |
| EX-0010 | Inject Malicious Code | Threat actors may rely on other tactics and techniques in order to inject malicious code into the victim SV. This can be done via compromising the supply chain or development environment in some capacity or taking advantage of known commands. However, once malicious code has been uploaded to the victim SV, the threat actor can then trigger the code to run via a specific command or wait for a legitimate user to trigger it accidently. The code itself can do a number of different things to the hosted payload, subsystems, or underlying OS. | |
| EX-0012 | Modify On-Board Values | Threat actors may perform specific commands in order to modify onboard values that the victim SV relies on. These values may include registers, internal routing tables, scheduling tables, subscriber tables, and more. Depending on how the values have been modified, the victim SV may no longer be able to function. | |
| EX-0012.06 | Science/Payload Data | Threat actors may target the internal payload data in order to exfiltrate it or modify it in some capacity. Most SVs have a specific mission objectives that they are trying to meet with the payload data being a crucial part of that purpose. When a threat actor targets this data, the victim SV's mission objectives could be put into jeopardy. | |