Threats by DiD Layer

Space

Data

SV-AC-3

SV-CF-2

SV-IT-2

SV-MA-2

S/C Software

SV-AV-4

SV-IT-5

SV-MA-3

SV-SP-1

SV-SP-3

SV-SP-6

SV-SP-9

SBC

SV-AC-5

SV-AC-6

SV-AC-8

SV-AV-2

SV-AV-3

SV-AV-8

SV-IT-3

SV-IT-4

SV-MA-8

SV-SP-11

SV-SP-7

IDS/IPS

SV-AV-5

SV-AV-6

SV-DCO-1

SV-MA-5

Crypto

SV-AC-1

SV-AC-2

SV-CF-1

SV-CF-4

SV-IT-1

Comms Link

SV-AC-7

SV-AV-1

Ground

SV-MA-7

Prevention

SV-AC-4

SV-AV-7

SV-CF-3

SV-MA-1

SV-MA-4

SV-MA-6

SV-SP-10

SV-SP-2

SV-SP-4

SV-SP-5

Ground

Data

Automated Collection

Cloud Storage Object Discovery

Data Destruction

Data Encrypted for Impact

Data Manipulation

Data Manipulation: Runtime Data Manipulation

Data Manipulation: Stored Data Manipulation

Data from Cloud Storage Object

Data from Information Repositories: Code Repositories

Data from Information Repositories: Confluence

Data from Information Repositories: Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Defacement

Defacement: External Defacement

Disk Wipe

Disk Wipe: Disk Content Wipe

Disk Wipe: Disk Structure Wipe

Dynamic Resolution: Fast Flux DNS

Email Collection

Email Collection: Local Email Collection

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service

File and Directory Discovery

File and Directory Permissions Modification

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Group Policy Discovery

Permission Groups Discovery

Ground Software

Compromise Client Software Binary

Exploit Public-Facing Application

Exploitation for Credential Access

Exploitation for Defense Evasion

Exploitation for Privilege Escalation

Exploitation of Remote Services

Forge Web Credentials: Web Cookies

Masquerading: Invalid Code Signature

Steal Web Session Cookie

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Template Injection

XSL Script Processing

Endpoint

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Access Token Manipulation

Access Token Manipulation: Create Process with Token

Access Token Manipulation: Make and Impersonate Token

Access Token Manipulation: Parent PID Spoofing

Access Token Manipulation: SID-History Injection

Access Token Manipulation: Token Impersonation/Theft

Account Access Removal

Account Discovery

Account Discovery: Cloud Account

Account Discovery: Domain Account

Account Discovery: Email Account

Account Discovery: Local Account

Account Manipulation

Account Manipulation: Additional Cloud Credentials

Account Manipulation: Additional Cloud Roles

Account Manipulation: Additional Email Delegate Permissions

Account Manipulation: Device Registration

Account Manipulation: SSH Authorized Keys

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Application Window Discovery

Archive Collected Data

Archive Collected Data: Archive via Custom Method

Archive Collected Data: Archive via Library

Archive Collected Data: Archive via Utility

Audio Capture

Automated Exfiltration

BITS Jobs

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Active Setup

Boot or Logon Autostart Execution: Authentication Package

Boot or Logon Autostart Execution: Kernel Modules and Extensions

Boot or Logon Autostart Execution: LSASS Driver

Boot or Logon Autostart Execution: Login Items

Boot or Logon Autostart Execution: Port Monitors

Boot or Logon Autostart Execution: Print Processors

Boot or Logon Autostart Execution: Re-opened Applications

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider

Boot or Logon Autostart Execution: Shortcut Modification

Boot or Logon Autostart Execution: Time Providers

Boot or Logon Autostart Execution: Winlogon Helper DLL

Boot or Logon Autostart Execution: XDG Autostart Entries

Boot or Logon Initialization Scripts

Boot or Logon Initialization Scripts: Login Hook

Boot or Logon Initialization Scripts: Logon Script (Windows)

Boot or Logon Initialization Scripts: Network Logon Script

Boot or Logon Initialization Scripts: RC Scripts

Boot or Logon Initialization Scripts: Startup Items

Browser Bookmark Discovery

Browser Extensions

Browser Session Hijacking

Brute Force

Brute Force: Credential Stuffing

Brute Force: Password Guessing

Brute Force: Password Spraying

Build Image on Host

Clipboard Data

Command and Scripting Interpreter

Command and Scripting Interpreter: AppleScript

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: Windows Command Shell

Communication Through Removable Media

Container Administration Command

Create Account

Create Account: Domain Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Create or Modify System Process: Launch Daemon

Create or Modify System Process: Systemd Service

Create or Modify System Process: Windows Service

Credentials from Password Stores

Credentials from Password Stores: Credentials from Web Browsers

Credentials from Password Stores: Keychain

Credentials from Password Stores: Password Managers

Credentials from Password Stores: Securityd Memory

Credentials from Password Stores: Windows Credential Manager

Data Staged

Data Staged: Local Data Staging

Data Staged: Remote Data Staging

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification

Domain Policy Modification: Domain Trust Modification

Domain Policy Modification: Group Policy Modification

Domain Trust Discovery

Dynamic Resolution

Endpoint Denial of Service

Endpoint Denial of Service: Application Exhaustion Flood

Endpoint Denial of Service: Application or System Exploitation

Endpoint Denial of Service: OS Exhaustion Flood

Endpoint Denial of Service: Service Exhaustion Flood

Escape to Host

Event Triggered Execution

Event Triggered Execution: Accessibility Features

Event Triggered Execution: AppCert DLLs

Event Triggered Execution: AppInit DLLs

Event Triggered Execution: Application Shimming

Event Triggered Execution: Change Default File Association

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Emond

Event Triggered Execution: Image File Execution Options Injection

Event Triggered Execution: LC_LOAD_DYLIB Addition

Event Triggered Execution: Netsh Helper DLL

Event Triggered Execution: PowerShell Profile

Event Triggered Execution: Screensaver

Event Triggered Execution: Trap

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Execution Guardrails

Execution Guardrails: Environmental Keying

Exfiltration Over Other Network Medium

Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Exploitation for Client Execution

Firmware Corruption

Forced Authentication

Gather Victim Host Information

Gather Victim Host Information: Client Configurations

Gather Victim Host Information: Firmware

Gather Victim Host Information: Hardware

Gather Victim Host Information: Software

Hide Artifacts

Hide Artifacts: Email Hiding Rules

Hide Artifacts: Hidden File System

Hide Artifacts: Hidden Files and Directories

Hide Artifacts: Hidden Users

Hide Artifacts: Hidden Window

Hide Artifacts: NTFS File Attributes

Hide Artifacts: Process Argument Spoofing

Hide Artifacts: Resource Forking

Hide Artifacts: Run Virtual Instance

Hide Artifacts: VBA Stomping

Hijack Execution Flow

Hijack Execution Flow: COR_PROFILER

Hijack Execution Flow: DLL Search Order Hijacking

Hijack Execution Flow: DLL Side-Loading

Hijack Execution Flow: Dylib Hijacking

Hijack Execution Flow: Dynamic Linker Hijacking

Hijack Execution Flow: Executable Installer File Permissions Weakness

Hijack Execution Flow: KernelCallbackTable

Hijack Execution Flow: Path Interception by PATH Environment Variable

Hijack Execution Flow: Path Interception by Search Order Hijacking

Hijack Execution Flow: Path Interception by Unquoted Path

Hijack Execution Flow: Services File Permissions Weakness

Hijack Execution Flow: Services Registry Permissions Weakness

Impair Defenses

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable or Modify Tools

Impair Defenses: Downgrade Attack

Impair Defenses: Impair Command History Logging

Impair Defenses: Safe Mode Boot

Implant Internal Image

Indicator Removal on Host

Indicator Removal on Host: Clear Command History

Indicator Removal on Host: Clear Linux or Mac System Logs

Indicator Removal on Host: Clear Windows Event Logs

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Network Share Connection Removal

Indicator Removal on Host: Timestomp

Indirect Command Execution

Inhibit System Recovery

Input Capture

Input Capture: Credential API Hooking

Input Capture: GUI Input Capture

Input Capture: Keylogging

Input Capture: Web Portal Capture

Inter-Process Communication

Inter-Process Communication: Component Object Model

Inter-Process Communication: Dynamic Data Exchange

Inter-Process Communication: XPC Services

Masquerading

Masquerading: Double File Extension

Masquerading: Masquerade Task or Service

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

Masquerading: Right-to-Left Override

Masquerading: Space after Filename

Modify Authentication Process

Modify Authentication Process: Domain Controller Authentication

Modify Authentication Process: Network Device Authentication

Modify Authentication Process: Password Filter DLL

Modify Authentication Process: Pluggable Authentication Modules

Modify Authentication Process: Reversible Encryption

Modify Registry

Multi-Factor Authentication Interception

Native API

Network Service Discovery

Network Share Discovery

OS Credential Dumping

OS Credential Dumping: /etc/passwd and /etc/shadow

OS Credential Dumping: Cached Domain Credentials

OS Credential Dumping: DCSync

OS Credential Dumping: LSA Secrets

OS Credential Dumping: LSASS Memory

OS Credential Dumping: NTDS

OS Credential Dumping: Proc Filesystem

OS Credential Dumping: Security Account Manager

Obfuscated Files or Information

Obfuscated Files or Information: Binary Padding

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Obfuscated Files or Information: Software Packing

Obfuscated Files or Information: Steganography

Office Application Startup

Office Application Startup: Add-ins

Office Application Startup: Office Template Macros

Office Application Startup: Office Test

Office Application Startup: Outlook Forms

Office Application Startup: Outlook Home Page

Office Application Startup: Outlook Rules

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery: Domain Groups

Permission Groups Discovery: Local Groups

Plist File Modification

Pre-OS Boot

Pre-OS Boot: Bootkit

Pre-OS Boot: Component Firmware

Pre-OS Boot: ROMMONkit

Pre-OS Boot: System Firmware

Process Discovery

Process Injection

Process Injection: Asynchronous Procedure Call

Process Injection: Dynamic-link Library Injection

Process Injection: Extra Window Memory Injection

Process Injection: ListPlanting

Process Injection: Portable Executable Injection

Process Injection: Proc Memory

Process Injection: Process Doppelgänging

Process Injection: Process Hollowing

Process Injection: Ptrace System Calls

Process Injection: Thread Execution Hijacking

Process Injection: Thread Local Storage

Process Injection: VDSO Hijacking

Query Registry

Reflective Code Loading

Remote Service Session Hijacking

Remote Service Session Hijacking: RDP Hijacking

Remote Services: Distributed Component Object Model

Remote Services: Remote Desktop Protocol

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH

Remote Services: Windows Remote Management

Remote System Discovery

Resource Hijacking

Rootkit

Scheduled Task/Job

Scheduled Task/Job: At

Scheduled Task/Job: Container Orchestration Job

Scheduled Task/Job: Cron

Scheduled Task/Job: Scheduled Task

Scheduled Task/Job: Systemd Timers

Screen Capture

Server Software Component

Server Software Component: IIS Components

Server Software Component: SQL Stored Procedures

Server Software Component: Terminal Services DLL

Server Software Component: Transport Agent

Server Software Component: Web Shell

Service Stop

Shared Modules

Software Discovery

Software Discovery: Security Software Discovery

Stage Capabilities: Install Digital Certificate

Steal Application Access Token

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: AS-REP Roasting

Steal or Forge Kerberos Tickets: Golden Ticket

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: Silver Ticket

Subvert Trust Controls

Subvert Trust Controls: Code Signing

Subvert Trust Controls: Code Signing Policy Modification

Subvert Trust Controls: Gatekeeper Bypass

Subvert Trust Controls: Install Root Certificate

Subvert Trust Controls: SIP and Trust Provider Hijacking

System Binary Proxy Execution

System Binary Proxy Execution: CMSTP

System Binary Proxy Execution: Compiled HTML File

System Binary Proxy Execution: Control Panel

System Binary Proxy Execution: InstallUtil

System Binary Proxy Execution: MMC

System Binary Proxy Execution: Mavinject

System Binary Proxy Execution: Mshta

System Binary Proxy Execution: Msiexec

System Binary Proxy Execution: Odbcconf

System Binary Proxy Execution: Regsvcs/Regasm

System Binary Proxy Execution: Regsvr32

System Binary Proxy Execution: Rundll32

System Binary Proxy Execution: Verclsid

System Information Discovery

System Location Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Script Proxy Execution

System Script Proxy Execution: PubPrn

System Service Discovery

System Services

System Services: Launchctl

System Services: Service Execution

System Shutdown/Reboot

System Time Discovery

Taint Shared Content

Traffic Signaling: Port Knocking

Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution: MSBuild

Unsecured Credentials

Unsecured Credentials: Bash History

Unsecured Credentials: Credentials In Files

Unsecured Credentials: Group Policy Preferences

Unsecured Credentials: Private Keys

User Execution

User Execution: Malicious File

User Execution: Malicious Image

Valid Accounts

Valid Accounts: Default Accounts

Valid Accounts: Local Accounts

Video Capture

Virtualization/Sandbox Evasion

Virtualization/Sandbox Evasion: System Checks

Virtualization/Sandbox Evasion: Time Based Evasion

Virtualization/Sandbox Evasion: User Activity Based Checks

Windows Management Instrumentation

Network

Adversary-in-the-Middle

Adversary-in-the-Middle: ARP Cache Poisoning

Adversary-in-the-Middle: DHCP Spoofing

Command and Scripting Interpreter: Network Device CLI

Data from Configuration Repository

Data from Configuration Repository: Network Device Configuration Dump

Data from Configuration Repository: SNMP (MIB Dump)

Lateral Tool Transfer

Modify System Image

Modify System Image: Downgrade System Image

Modify System Image: Patch System Image

Network Boundary Bridging

Network Boundary Bridging: Network Address Translation Traversal

Network Denial of Service

Network Denial of Service: Direct Network Flood

Network Denial of Service: Reflection Amplification

Network Sniffing

Non-Application Layer Protocol

Pre-OS Boot: TFTP Boot

Protocol Tunneling

Proxy

Remote Services: VNC

Traffic Signaling

Transfer Data to Cloud Account

Trusted Relationship

Weaken Encryption

Weaken Encryption: Disable Crypto Hardware

Weaken Encryption: Reduce Key Space

CND/IR

Active Scanning

Active Scanning: Scanning IP Blocks

Active Scanning: Vulnerability Scanning

Active Scanning: Wordlist Scanning

Application Layer Protocol

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Mail Protocols

Application Layer Protocol: Web Protocols

Automated Exfiltration: Traffic Duplication

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Container and Resource Discovery

Create Account: Cloud Account

Data Encoding

Data Encoding: Non-Standard Encoding

Data Encoding: Standard Encoding

Data Manipulation: Transmitted Data Manipulation

Data Obfuscation

Data Obfuscation: Junk Data

Data Obfuscation: Protocol Impersonation

Data Obfuscation: Steganography

Data Transfer Size Limits

Defacement: Internal Defacement

Deploy Container

Dynamic Resolution: DNS Calculation

Email Collection: Email Forwarding Rule

Email Collection: Remote Email Collection

Encrypted Channel

Encrypted Channel: Asymmetric Cryptography

Encrypted Channel: Symmetric Cryptography

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service: Exfiltration to Code Repository

Fallback Channels

Forge Web Credentials

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable Cloud Logs

Impair Defenses: Indicator Blocking

Ingress Tool Transfer

Internal Spearphishing

Modify Cloud Compute Infrastructure

Modify Cloud Compute Infrastructure: Create Cloud Instance

Modify Cloud Compute Infrastructure: Create Snapshot

Modify Cloud Compute Infrastructure: Delete Cloud Instance

Modify Cloud Compute Infrastructure: Revert Cloud Instance

Multi-Factor Authentication Request Generation

Multi-Stage Channels

Non-Standard Port

Obfuscated Files or Information: HTML Smuggling

Permission Groups Discovery: Cloud Groups

Proxy: Domain Fronting

Proxy: Internal Proxy

Proxy: Multi-hop Proxy

Remote Access Software

Remote Service Session Hijacking: SSH Hijacking

Remote Services

Rogue Domain Controller

Scheduled Transfer

Stage Capabilities: Drive-by Target

Stage Capabilities: Link Target

Stage Capabilities: Upload Malware

Stage Capabilities: Upload Tool

Subvert Trust Controls: Mark-of-the-Web Bypass

Unsecured Credentials: Cloud Instance Metadata API

Unsecured Credentials: Container API

Unsecured Credentials: Credentials in Registry

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Use Alternate Authentication Material: Application Access Token

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts: Cloud Accounts

Valid Accounts: Domain Accounts

Web Service

Web Service: Bidirectional Communication

Web Service: One-Way Communication

Perimeter

Drive-by Compromise

Dynamic Resolution: Domain Generation Algorithms

External Remote Services

Impair Defenses: Disable or Modify Cloud Firewall

Phishing

Phishing: Spearphishing Attachment

Phishing: Spearphishing Link

Phishing: Spearphishing via Service

Proxy: External Proxy

User Execution: Malicious Link

Web Service: Dead Drop Resolver

Physical

Exfiltration Over Physical Medium

Exfiltration Over Physical Medium: Exfiltration over USB

Hardware Additions

Replication Through Removable Media

Prevention

Acquire Infrastructure

Acquire Infrastructure: Botnet

Acquire Infrastructure: DNS Server

Acquire Infrastructure: Domains

Acquire Infrastructure: Server

Acquire Infrastructure: Virtual Private Server

Acquire Infrastructure: Web Services

Brute Force: Password Cracking

Compromise Accounts

Compromise Accounts: Email Accounts

Compromise Accounts: Social Media Accounts

Compromise Infrastructure

Compromise Infrastructure: Botnet

Compromise Infrastructure: DNS Server

Compromise Infrastructure: Domains

Compromise Infrastructure: Server

Compromise Infrastructure: Virtual Private Server

Compromise Infrastructure: Web Services

Data from Information Repositories

Develop Capabilities

Develop Capabilities: Code Signing Certificates

Develop Capabilities: Digital Certificates

Develop Capabilities: Exploits

Develop Capabilities: Malware

Establish Accounts

Establish Accounts: Email Accounts

Establish Accounts: Social Media Accounts

Gather Victim Identity Information

Gather Victim Identity Information: Credentials

Gather Victim Identity Information: Email Addresses

Gather Victim Identity Information: Employee Names

Gather Victim Network Information

Gather Victim Network Information: DNS

Gather Victim Network Information: Domain Properties

Gather Victim Network Information: IP Addresses

Gather Victim Network Information: Network Security Appliances

Gather Victim Network Information: Network Topology

Gather Victim Network Information: Network Trust Dependencies

Gather Victim Org Information

Gather Victim Org Information: Business Relationships

Gather Victim Org Information: Determine Physical Locations

Gather Victim Org Information: Identify Business Tempo

Gather Victim Org Information: Identify Roles

Obtain Capabilities

Obtain Capabilities: Code Signing Certificates

Obtain Capabilities: Digital Certificates

Obtain Capabilities: Exploits

Obtain Capabilities: Malware

Obtain Capabilities: Tool

Obtain Capabilities: Vulnerabilities

Phishing for Information

Phishing for Information: Spearphishing Attachment

Phishing for Information: Spearphishing Link

Phishing for Information: Spearphishing Service

Search Closed Sources

Search Closed Sources: Purchase Technical Data

Search Closed Sources: Threat Intel Vendors

Search Open Technical Databases

Search Open Technical Databases: CDNs

Search Open Technical Databases: DNS/Passive DNS

Search Open Technical Databases: Digital Certificates

Search Open Technical Databases: Scan Databases

Search Open Technical Databases: WHOIS

Search Open Websites/Domains

Search Open Websites/Domains: Search Engines

Search Open Websites/Domains: Social Media

Search Victim-Owned Websites

Software Deployment Tools

Stage Capabilities

Supply Chain Compromise

Supply Chain Compromise: Compromise Hardware Supply Chain

CM0000

Satellites base many operations on timing especially since many operations are automated. Cyberattack to disrupt timing/timers could affect the vehicle (Time Jamming / Time Spoofing)

Informational References

CENTRA Volume I - Cyber Content of Satellites

ID: CM0000

DiD Layer: SBC

CAPEC #: 29 | 621 | 624

NIST Rev5 Control Tag Mapping: CA-7 | CA-7(6) | CP-4 | CP-4(5) | RA-10 | SA-8 | SA-8(9) | SA-8(21) | SA-8(24) | SC-45 | SC-45(1) | SC-45(2)

Lowest Threat Tier to
Create Threat Event: V

Notional Risk Rank Score:

High-Level Requirements

The spacecraft shall protect the integrity and availability of the authoritative time source.

Low-Level Requirements

Requirement	Rationale/Additional Guidance/Notes
The spacecraft shall have fault-tolerant authoritative time sourcing for the spacecraft's clock. {SV-AV-2} {SC-45(2)}
The spacecraft shall synchronize the internal system clocks for each processor to the authoritative time source when the time difference is greater than the FSW-defined interval. {SV-AV-2} {SC-45(1)}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
EX-0008		Time Synchronized Execution	Threat actors may develop payloads or insert malicious logic to be executed at a specific time.
	EX-0008.01	Absolute Time Sequences	Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Absolute Time Sequences (ATS), the event is triggered at specific date/time - regardless of the state or location of the target.
	EX-0008.02	Relative Time Sequences	Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Relative Time Sequences (RTS), the event is triggered in relation to some other event. For example, a specific amount of time after boot.
EX-0012		Modify On-Board Values	Threat actors may perform specific commands in order to modify onboard values that the victim SV relies on. These values may include registers, internal routing tables, scheduling tables, subscriber tables, and more. Depending on how the values have been modified, the victim SV may no longer be able to function.
	EX-0012.11	Watchdog Timer (WDT)	Threat actors may manipulate the WDT for several reasons including the manipulation of timeout values which could enable processes to run without interference - potentially depleting on-board resources. For spacecraft, WDTs can be either software or hardware. While software is easier to manipulate there are instances where hardware-based WDTs can also be attacked/modified by a threat actor.
	EX-0012.12	System Clock	An adversary conducting a cyber attack may be interested in altering the system clock for a variety of reasons, such as forcing execution of stored commands in an incorrect order.
EX-0014		Spoofing	Threat actors may attempt to spoof the various sensor and controller data that is depended upon by various subsystems within the victim SV. Subsystems rely on this data to perform automated tasks, process gather data, and return important information to the ground controllers. By spoofing this information, threat actors could trigger automated tasks to fire when they are not needed to, potentially causing the SV to behave erratically. Further, the data could be processed erroneously, causing ground controllers to receive incorrect telemetry or scientific data, threatening the SV's reliability and integrity.
	EX-0014.01	Time Spoof	Threat actors may attempt to target the internal timers onboard the victim SV and spoof their data. The Spacecraft Event Time (SCET) is used for various programs within the SV and control when specific events are set to occur. Ground controllers use these timed events to perform automated processes as the SV is in orbit in order for it to fulfill it's purpose. Threat actors that target this particular system and attempt to spoof it's data could cause these processes to trigger early or late.
	EX-0014.03	Sensor Data	Threat actors may target sensor data on the space vehicle to achieve their attack objectives. Sensor data is typically inherently trusted by the space vehicle therefore an attractive target for a threat actor. Spoofing the sensor data could affect the calculations and disrupt portions of a control loop as well as create uncertainty within the mission thereby creating temporary denial of service conditions for the mission. Affecting the integrity of the sensor data can have varying impacts on the space vehicle depending on decisions being made by the space vehicle using the sensor data. For example, spoofing data related to attitude control could adversely impact the space vehicles ability to maintain orbit.
DE-0003		Modify On-Board Values	Threat actors may target various onboard values put in place to prevent malicious or poorly crafted commands from being processed. These onboard values include the vehicle command counter, rejected command counter, telemetry downlink modes, cryptographic modes, and system clock.
	DE-0003.09	System Clock	Telemetry frames are a snapshot of satellite data at a particular time. Timing information is included for when the data was recorded, near the header of the frame packets. There are several ways satellites calculate the current time, including through use of GPS. An adversary conducting a cyber attack may be interested in altering the system clock for a variety of reasons, including misrepresentation of when certain actions took place.
	DE-0003.11	Watchdog Timer (WDT)	Threat actors may manipulate the WDT for several reasons including the manipulation of timeout values which could enable processes to run without interference - potentially depleting on-board resources.
IMP-0001		Deception (or Misdirection)	Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the SV.
IMP-0002		Disruption	Threat actors may seek to disrupt communications from the victim SV to the ground controllers or other interested parties. By disrupting communications during critical times, there is the potential impact of data being lost or critical actions not being performed. This could cause the SV's purpose to be put into jeopardy depending on what communications were lost during the disruption. This behavior is different than Denial as this attack can also attempt to modify the data and messages as they are passed as a way to disrupt communications.
IMP-0003		Denial	Threat actors may seek to deny ground controllers and other interested parties access to the victim SV. This would be done exhausting system resource, degrading subsystems, or blocking communications entirely. This behavior is different from Disruption as this seeks to deny communications entirely, rather than stop them for a length of time.
IMP-0004		Degradation	Threat actors may target various subsystems or the hosted payload in such a way in order to rapidly increase it's degradation. This could potentially shorten the lifespan of the victim SV.

Related SPARTA Countermeasures

ID		Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0000		Countermeasure Not Identified	This technique is a result of utilizing TTPs to create an impact and the applicable countermeasures are associated with the TTPs leveraged to achieve the impact	None		None