Suspicious Binary or Script Execution

Detection of an unexpected binary or script being executed whose name does not match the expected one. This can indicate unauthorized code execution or the presence of a backdoor, where the threat actor runs an unfamiliar binary or script to manipulate the system. Because spacecraft workloads are deterministic, controls such as process whitelisting are effective, and detecting any binary or script that executes outside the expected set is one way to protect against malicious action.

STIX Pattern

[process:image_ref.name != 'expected_binary_or_script']
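
The pattern above evaluated in code, as an added example that is not part of the SPARTA page: it resolves `process:image_ref.name` over a constructed STIX 2.1-style object map, generalises the single `'expected_binary_or_script'` to an allowlist of expected images, and also reports processes whose `image_ref` cannot be resolved. The allowlist names and the sample objects are constructed assumptions.

```python
"""Apply [process:image_ref.name != 'expected_binary_or_script'] to observed data.

Added example, not SPARTA's own code. Objects follow the STIX 2.1 shape of a
process SCO whose image_ref points at a file SCO; all data here is constructed.
"""
from typing import Dict, List, Optional

# Constructed allowlist: the images a deterministic flight computer is expected
# to run. In practice this is derived from the flight software baseline.
EXPECTED_IMAGES = frozenset({"fsw_main", "cfs_core", "housekeeping"})


def _image_name(proc: dict, objects: Dict[str, dict]) -> Optional[str]:
    """Resolve process:image_ref.name; None when the reference does not resolve."""
    ref = proc.get("image_ref")
    file_obj = objects.get(ref) if ref else None
    if not file_obj or file_obj.get("type") != "file":
        return None
    return file_obj.get("name")


def find_unexpected_processes(observed: Dict[str, dict],
                              expected=EXPECTED_IMAGES) -> List[dict]:
    """Return one finding per process whose image name is not in `expected`.

    `observed` is an observed-data `objects` map (id -> SCO). A process with an
    unresolvable image_ref is reported as well: an executable the baseline does
    not know about is exactly what the pattern is meant to surface.
    """
    findings = []
    for obj_id, sco in observed.items():
        if sco.get("type") != "process":
            continue
        name = _image_name(sco, observed)
        if name not in expected:
            findings.append({
                "process": obj_id,
                "pid": sco.get("pid"),
                "image": name,
                "reason": "image not in allowlist" if name else "image_ref unresolvable",
            })
    return findings


# Constructed sample: one expected process, one unexpected script, and one
# process whose image_ref points at a file object that is not present.
SAMPLE = {
    "file--1": {"type": "file", "name": "fsw_main"},
    "file--2": {"type": "file", "name": "update.sh"},
    "process--a": {"type": "process", "pid": 101, "image_ref": "file--1"},
    "process--b": {"type": "process", "pid": 202, "image_ref": "file--2"},
    "process--c": {"type": "process", "pid": 303, "image_ref": "file--9"},
}

if __name__ == "__main__":
    for finding in find_unexpected_processes(SAMPLE):
        print(finding)
```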

SPARTA TTPs

ID | Name | Description
EX-0010 | Inject Malicious Code | Threat actors may rely on other tactics and techniques in order to inject malicious code into the victim spacecraft. This can be done by compromising the supply chain or development environment in some capacity or by taking advantage of known commands. However, once malicious code has been uploaded to the victim spacecraft, the threat actor can then trigger the code to run via a specific command or wait for a legitimate user to trigger it accidentally. The code itself can do a number of different things to the hosted payload, subsystems, or underlying OS.
PER-0002 | Backdoor | Threat actors may find and target various backdoors, or inject their own, within the victim spacecraft in the hopes of maintaining their attack.
PER-0002.02 | Software | Threat actors may inject code to create their own backdoor to establish persistent access to the spacecraft. This may be done through modification of code throughout the software supply chain or through modification of the software-defined radio configuration (if applicable).