In cybersecurity, Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs) play pivotal roles in threat detection and mitigation. However, the distinct characteristics of these indicators and their applications often require a nuanced understanding, especially within complex environments like space systems. The initial development and spearheading of the IOB work in SPARTA was funded by the Department of Homeland Security (DHS) Science and Technology Directorate to advance proactive detection capabilities tailored to the unique needs of the space domain. The table below depicts generalized IOBs derived from SPARTA techniques that are focused on patterns, sequences, or activities that suggest malicious intent. SPARTA utilizes IOBs over IOCs because IOBs are dynamic and context-driven, whereas IOCs are static and artifact-based, reflecting the nature of the data from which they are derived. Finally, this list addresses "unknown unknowns" by leveraging STIX patterns to identify novel threats and adapt to evolving attacker tactics. Please view the blog post Indicators of Behavior (IOBs) in SPARTA v3.0 to learn more about SPARTA's approach to IOBs and its goal to ensure space system engineers are informed on malicious indicators to detect adversary TTPs.
ID | Name | Description | STIX Pattern |
---|---|---|---|
UACE-1 | Hardware Command Executed Outside Authorized Schedule | Detects hardware commands being executed outside predefined authorized time windows, potentially indicating unauthorized or malicious activity. Hardware commands should be few and far between and should occur only when expected/planned. | [x-opencti-command-log:command = 'hw_cmd_execute' AND x-opencti-command-log:execution_time != 'authorized_time'] |
UACE-2 | Unauthorized Hardware Command-Induced Configuration Change | This monitors for hardware commands issued to reconfigure any system component. It specifically detects deviations from established baseline configurations, which may suggest tampering, unauthorized reprogramming, or exploitation of the system via hardware command injection. | [x-opencti-command-log:command = 'hw_cmd_configure' AND x-opencti-system:configuration != 'baseline_configuration'] |
UACE-3 | Legitimate Command with Malicious Parameters Targeting Subsystems | A legitimate command is sent, but with parameters that exceed safe thresholds for a subsystem or component on the spacecraft. This could include commands that affect critical subsystems like power distribution, attitude control, or thermal regulation, potentially leading to damage, instability, or malfunction. The misuse of valid parameters across different subsystems can result in severe operational impact or hardware degradation. | [x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:target_subsystem != 'expected_subsystem' AND x-opencti-command-log:parameter_value > 'safe_threshold'] |
UACE-4 | Unexpected Legitimate Command Sent | A legitimate command sent to the spacecraft at an unexpected or inappropriate time, potentially disrupting normal operations and impacting system availability. This could involve commands such as executing an orbit adjustment or a resource-intensive task outside of planned windows, thereby affecting the mission's overall availability or operational efficiency. | [x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:timestamp != 'expected_time'] |
UACE-5 | Unexpected counter increment (valid or invalid count) | Flight software command counter increments without a corresponding legitimate ground station action. The 'expected' value is achieved only when both of the following conditions are met: 1) the flight software command counter increments; 2) a legitimate ground station action caused the increment. A failure of condition 2 yields the 'unexpected' value. This could be from valid or invalid commands. Typically there are separate valid and malformed command counters on a spacecraft. | [x-opencti-command-counter:value = 'unexpected'] |
UACE-6 | Unauthorized Commands Issued from Unrecognized Ground Station | Detection of control commands issued to the spacecraft from an unrecognized or unauthorized ground station, potentially indicating that a rogue ground station is attempting to take control of the spacecraft. | [x-opencti-command-log:command_origin != 'authorized_ground_station' AND x-opencti-command-log:command_type = 'control'] |
UACE-7 | Duplicate Command Packet Executions | Detection of previously executed command packets being replayed outside of expected time windows, which may indicate a replay attack. | [x-opencti-command-log:command_id = 'duplicate' AND x-opencti-command-log:timestamp = 'unexpected_time'] |
UACE-8 | Anomalous Command Packet Signatures | Command packets with invalid or anomalous signatures detected, potentially indicating spoofing or replay of older commands. Command signatures for spacecraft provide a way to verify the authenticity and integrity of commands sent to the spacecraft, ensuring they have not been tampered with during transmission. The signature could be a form of sequence numbers, hashing, or just digital signatures in general. | [x-opencti-command-log:signature != 'expected_signature'] |
UACE-9 | Valid Command Flooding | Detection of flooding attacks on spacecraft systems using valid but excessive commands. Threat actors may send a high volume of valid commands to spacecraft subsystems, communication buses, or the link layer, leading to resource exhaustion such as CPU usage spikes, memory depletion, and increased battery consumption. These attacks can create temporary denial of service conditions by overwhelming the spacecraft's processing capabilities, preventing it from performing other critical operations. This tactic relies on the legitimate processing of valid commands to degrade spacecraft performance and operational availability. Since these are valid commands, the spacecraft will use processing power to validate and process them, taking away CPU cycles from other tasks on the spacecraft. | [x-opencti-command-data:command_type = 'satellite_vehicle_command' AND x-opencti-command-data:command_frequency > 'expected_rate' AND x-opencti-command-data:source = 'external' AND x-opencti-command-data:command_validity = 'valid'] |
UACE-10 | Logs of Processed Commands Flooding | Detection of an unusually high number of processed commands recorded in spacecraft logs, which may indicate a flooding attack using valid commands. Such a surge can overwhelm spacecraft processing capabilities, leading to resource exhaustion like CPU spikes, memory depletion, and increased battery usage. Monitoring log entries can reveal if the spacecraft is being flooded with valid but excessive commands, which could create denial of service conditions by saturating system processing resources. | [x-opencti-log-entry:log_type = 'command' AND x-opencti-log-entry:entry_count > 'expected_threshold' AND x-opencti-log-entry:entry_rate > 'normal_rate'] |
UACE-11 | Unauthorized Command Execution via Flight Software | Detection of unauthorized command execution through the flight software, potentially indicating exploitation of code flaws or vulnerabilities in the system. The command originates from an "unauthorized" source, which could be malware on the bus or within the system. This is distinct from maliciously commanding the FSW using valid commands. | [x-opencti-command-log:command_origin != 'trusted_source' AND x-opencti-command-log:execution_status = 'unauthorized'] |
UACE-12 | Anomalous Command or Sequence in Safe-Mode | Monitors for restricted commands or sequences being executed during safe-mode operations. Typically in safe-mode there is a limited set of commands or sequences that the spacecraft would expect to occur. Attackers may attempt to execute restricted commands or sequences while in safe-mode with the expectation that they work. | [x-opencti-command-log:command != 'expected' AND x-opencti-spacecraft-status:mode = 'safe-mode'] |
UACE-13 | Unexpected Command Execution During Safe-Mode | Monitors for critical commands being executed in safe-mode, which could suggest malicious activity leveraging reduced protections. | [x-opencti-command-log:command = 'critical_cmd' AND x-opencti-spacecraft-status:mode = 'safe-mode'] |
UACE-14 | Safe-Mode Exit Command Executed at Unexpected Time | Monitors for safe-mode exit commands executed at unexpected times, which could indicate an exploitation attempt by a threat actor leveraging timing to evade detection. Alternatively, a threat actor could be exiting safe-mode to cause impact to the spacecraft before the spacecraft is ready to exit safe-mode. | [x-opencti-command-log:command = 'exit_safe_mode' AND x-opencti-command-log:execution_time != 'authorized_time'] |
UACE-15 | Command from Untrusted Ground Station or Location in Safe-Mode | Monitors for commands originating from ground stations or locations not authorized for spacecraft communication during safe-mode. This helps identify exploitation attempts leveraging reduced protections in safe-mode. | [x-opencti-command-log:command_origin.location != 'authorized_geolocation' AND x-opencti-spacecraft-status:mode = 'safe-mode'] |
UACE-16 | Irregular Orbit Maneuver Commands Detected on Attitude Control | Detection of unauthorized or irregular command executions within the Attitude Control System of a spacecraft, indicating possible attempts to manipulate the spacecraft's orientation and trajectory. These activities can suggest malicious intent to disrupt or take control of the spacecraft's operations. | [x-opencti-command:observable_type = 'adcs-command' AND x-opencti-command:value != 'expected_orbit_maneuver_commands'] |
UACE-17 | Abnormal Burn Duration Detected in Propulsion Subsystem | Detection of an attack targeting the propulsion subsystem by altering the burn duration. Anomalous burn durations (either too long or too short) may indicate unauthorized modification of propulsion commands or control logic, potentially leading to orbital instability or resource wastage. | [x-opencti-propulsion-system:burn_duration > 'expected_max_duration' OR x-opencti-propulsion-system:burn_duration < 'expected_min_duration'] |
UACE-18 | Suspicious Burn Sequence Executed Outside Planned Timeline | Detection of an unauthorized burn sequence executed outside the expected timeline. This could indicate a command injection or tampering with the control logic of the propulsion system to disrupt planned orbital adjustments. | [x-opencti-propulsion-system:burn_command_time != 'expected_burn_time'] |
UACE-19 | Unexpected Thrust Direction Detected in Propulsion Subsystem | Detection of an attack where the thrust direction has been altered outside of the expected parameters. Unauthorized changes to the thrust direction can lead to misalignment of the spacecraft's trajectory and potential mission failure. | [x-opencti-propulsion-system:thrust_direction != 'expected_direction' AND x-opencti-propulsion-system:burn_command_issued = 'true'] |
UACE-20 | Repeated Downlink Commands with Identical Timestamps | Monitors for repeated downlink commands with matching timestamps, a key indicator of replayed command traffic. | [x-opencti-command-log:command = 'downlink_data' AND x-opencti-command-log:timestamp = 'duplicate_timestamp'] |
UACE-21 | Repeated Downlink Commands Sent Outside Authorized Time | Monitors for repeated attempts to send downlink commands outside the expected operational windows, suggesting an attacker replaying commands for data exfiltration purposes. | [x-opencti-command-log:command = 'downlink_payload_data' AND x-opencti-command-log:timestamp != 'expected_time'] |
UACE-22 | Multiple Consecutive Burn Commands Exceeding Duration Limits | This indicator detects repeated burn commands where the duration exceeds safe operational limits. Multiple consecutive commands with long durations may indicate a deliberate attack aiming to destabilize the spacecraft's orbit or waste fuel resources. | [x-opencti-propulsion-system:burn_duration > 'expected_duration' AND x-opencti-propulsion-system:consecutive_burn_commands > 'threshold_value'] |
UACE-23 | Unusual Commands from Subsystem Acting as Bus Controller (1553) | Detection of unusual commands being issued by a subsystem acting as a bus controller, indicating that a threat actor may have escalated privileges or have access to the bus within the flat bus architecture to issue commands from unauthorized subsystems. | [x-opencti-bus-master:role = 'subsystem' AND x-opencti-bus-master:commands != 'expected_commands'] |
UACE-24 | Unauthorized CLTU-START, STOP, or UNBIND Initiation from Unauthorized User or Rogue IP | Detects the initiation of the CLTU-START, CLTU-STOP, or CLTU-UNBIND commands by either an unauthorized user or a rogue IP address (even with valid credentials), potentially indicating malicious activity targeting session control. | [(x-opencti-command-log:command = 'CLTU-START' OR x-opencti-command-log:command = 'CLTU-STOP' OR x-opencti-command-log:command = 'CLTU-UNBIND') AND (x-opencti-command-log:user != 'authorized_user' OR network-traffic:src_ref.value != 'authorized_ip')] |
UACE-25 | Telecommand Format Tampering in CLTU-TRANSFER_DATA | Detects that the telecommand data within the CLTU-TRANSFER_DATA PDU does not conform to the expected CCSDS telecommand format, indicating tampering. | [network-traffic:protocols = 'x_ccsds_tc' AND network-traffic:x_content_format != 'expected_ccsds_tc_format' AND network-traffic:x_content = 'cltu-transfer_data'] |
UACE-26 | Unauthorized Crosslink Command at Unexpected Time | Monitors for crosslink commands transmitted outside approved operational windows, suggesting potential exploitation attempts for spacecraft hopping. | [x-opencti-command-log:command = 'crosslink_command' AND x-opencti-command-log:timestamp != 'expected_time'] |
UCEB-1 | Repeated Use of Cryptographic Keys from Unusual Locations | Detection of cryptographic keys being used repeatedly from unexpected or unauthorized locations, indicating potential misuse of valid cryptographic credentials to maintain persistent access to spacecraft systems. | [x-opencti-cryptographic-key:usage_location != 'authorized_locations' AND x-opencti-cryptographic-key:use_count > 'threshold'] |
UCEB-2 | Use of Old or Rotated Cryptographic Keys for Authentication | Detection of authentication attempts using cryptographic keys that have already been rotated or marked as no longer valid. This may indicate that threat actors are using old or compromised keys to try to access spacecraft or C2 systems. | [x-opencti-cryptographic-key:status = 'rotated or expired'] |
UCEB-3 | Unexpected Access to Cryptographic Keys | Detection of unauthorized access to cryptographic keys used for decryption, suggesting that a threat actor may be attempting to disable or bypass the spacecraft's encryption mechanisms. | [x-opencti-cryptographic-key:access_time != 'authorized_access_time' AND x-opencti-cryptographic-key:usage = 'decryption'] |
UCEB-4 | Unexpected Changes to Encryption Configuration Settings | Detection of unexpected changes to encryption settings, potentially indicating that the encryption mechanism on the spacecraft has been disabled or bypassed without authorization. | [x-opencti-encryption-config:status = 'disabled' AND x-opencti-encryption-config:change_time != 'authorized_change_time'] |
UCEB-5 | Unexpected SPI Value Triggering Segmentation Fault | Detection of an unexpected SPI value that is out of the valid range, potentially causing a segmentation fault within CryptoLib's security association function. | [network-traffic:spi != 'valid_range' AND network-traffic:protocols[*] = 'SDLS'] |
UCEB-6 | Abnormal Security Association (SA) Pointer Retrieval | Detection of an out-of-bounds SA pointer retrieval in CryptoLib, indicating a potential exploit targeting the security association retrieval function, leading to system crashes. | [process:x_sa_pointer_retrieval != 'valid_range' AND process:image_ref.name = 'CryptoLib'] |
UCEB-7 | Modification of Encryption Algorithms | Detection of unauthorized modifications to the spacecraft's encryption algorithm, potentially indicating that a threat actor is attempting to weaken or disable the encryption mechanism to enable exfiltration or other attacks. | [x-opencti-encryption-algorithm:algorithm != 'expected_algorithm' AND x-opencti-encryption-algorithm:modification_time != 'authorized_time'] |
UCEB-8 | Payload Channel Operating Without Encryption | Monitors payload channels for unencrypted data exchanges that could indicate improper configuration or security degradation. Typically, the payload data is encrypted, and an adversary may attempt to put the payload into clear mode to enable further attacks. | [network-traffic:src_ref.value = 'payload_channel' AND network-traffic:encryption_status != 'encrypted'] |
UCEB-9 | Failed Credential Encryption in SLE Protocol | Detects that credentials in the CLTU-BIND message were transmitted without encryption, making them vulnerable to capture and replay attacks. The Space Link Extension (SLE) protocol itself does not provide built-in encryption for securing the data transmitted through its services. The protocol focuses on the extension of space link operations between ground systems, but it lacks native security features such as encryption. The SLE protocol was designed to facilitate operational efficiency rather than providing security mechanisms. Any security (including encryption) typically happens outside of the SLE protocol, through mechanisms such as bulk encryption at the hardware layer or via an external transport security layer (e.g., IPsec or TLS) added on top of the communication channels. Encryption is usually implemented at the hardware level (bulk encryption) or applied to the transport layer through external protocols. This ensures that the data exchanged between the SLE User (Mission Control System) and the SLE Provider (Ground Station) is protected during transmission. | [network-traffic:dst_ref.value = 'SLE_Provider' AND network-traffic:encryption_status != 'encrypted'] |
UCEB-10 | Crosslink Channel Operating Without Encryption | Monitors crosslink channels for unencrypted data exchanges that could indicate improper configuration or security degradation. Typically the crosslinks are encrypted, and an adversary may attempt to put the crosslink into clear mode to enable further attacks. | [network-traffic:src_ref.value = 'crosslink' AND network-traffic:encryption_status != 'encrypted'] |
UCEB-11 | Use of Account or Cryptographic Keys at Unexpected Times | Detection of a user account or cryptographic key being used outside of the expected operational time windows. This may indicate unauthorized or suspicious activity, such as a threat actor using valid credentials or cryptographic keys to gain or maintain persistent access to the spacecraft or related systems. | [user-account:last_login_time != 'expected_operational_hours' OR x-opencti-cryptographic-key:usage_time != 'expected_usage_time'] |
CSNE-1 | Unexpected Ground Station IP Address in Communication | Detection of network traffic originating from an unauthorized IP address that does not match any of the known or authorized ground station IPs, potentially indicating communication with a rogue ground station. The source IPs that are permitted to speak to the spacecraft should be very limited. Rogue devices may get deployed internal to mission operations networks in an attempt to communicate to the spacecraft. | [network-traffic:src_ref.value != 'authorized_ground_station_ip' AND network-traffic:protocols[*] = 'satellite_communication'] |
CSNE-2 | ARP Spoofing Attack (Rogue IP) | Rogue IP found communicating between the MOC and ground station, which could indicate that ARP spoofing is occurring or that some other man-in-the-middle attack is underway. | [network-traffic:src_ref.role = 'ground_station' AND network-traffic:dst_ref.role = 'mission_control_system' AND network-traffic:src_ref.value != 'authorized_ip'] |
CSNE-3 | Backup Channel Activity Outside Scheduled Time Windows | Monitors for backup communication link activity at times that do not align with predefined operational schedules, signaling potential exploitation or unauthorized usage. | [network-traffic:src_ref.value = 'backup_channel' AND network-traffic:timestamp != 'scheduled_window'] |
CSNE-4 | Unexpected Data Transfer Over Backup Channel While Primary Active | Monitors backup communication channels for unexpected usage while the primary channel is functional: traffic volume or bandwidth usage on the backup link that exceeds normal operational thresholds while the primary channel is active may indicate malicious activity or exploitation. | [network-traffic:src_ref.value = 'backup_channel' AND network-traffic:traffic_volume > 'baseline_threshold' AND network-traffic:primary_channel_status = 'active'] |
CSNE-5 | Traffic Volume Spike on Backup Channel | Monitors traffic volume or bandwidth usage on the backup communication link to detect spikes that exceed normal operational thresholds, which may indicate malicious activity. | [network-traffic:src_ref.value = 'backup_channel' AND network-traffic:traffic_volume > 'baseline_threshold'] |
CSNE-6 | Unexpected Communication Protocols in Uplink | Detection of unexpected communication protocols in the uplink traffic from a ground station or any rogue device (i.e., spacecraft), indicating that someone may be using non-standard protocols to communicate with the spacecraft. | [network-traffic:protocols[*] != 'expected_protocol' AND network-traffic:direction = 'uplink'] |
CSNE-7 | Use of Unexpected Protocol on Backup Channel | Monitors for protocol deviations on the backup channel, which could indicate exploitation attempts. | [network-traffic:protocols != 'expected_protocol' AND network-traffic:src_ref.channel = 'backup_channel'] |
CSNE-8 | Denial of Service Due to Saturated Bandwidth Detected | Detection of bandwidth usage that exceeds the maximum capacity of the communication channel, indicating a denial of service attack caused by flooding. This saturation prevents legitimate data from being transmitted, effectively disabling spacecraft communication. | [network-traffic:x_bandwidth_usage > 'maximum_capacity' AND network-traffic:protocols[*] = 'satellite_communication'] |
CSNE-9 | Unexpected Downlink Traffic Dropped or Disrupted | Detection of downlink traffic being unexpectedly dropped or disrupted with a high error rate, potentially indicating an attack targeting the spacecraft's ability to send telemetry data. | [network-traffic:direction = 'downlink' AND (network-traffic:status = 'dropped' OR network-traffic:error_rate > 'acceptable_threshold')] |
CSNE-10 | Transmission to Unauthorized Ground Station Detected | Monitors all downlink channels for traffic directed towards unauthorized ground stations, potentially indicating unauthorized data exfiltration attempts. This approach remains agnostic to the specific hardware used for transmission, ensuring broad applicability across communication systems. | [network-traffic:dst_ref.value != 'authorized_ground_station'] |
CSNE-11 | Data Exfiltration Detected During Scheduled Communication Windows | Detection of larger-than-expected data packets sent during scheduled spacecraft communication windows, indicating that a compromised ground system may be exfiltrating data under the guise of legitimate operations. | [network-traffic:direction = 'downlink' AND network-traffic:data_size > 'expected_size'] |
CSNE-12 | Generic Flooding Attack | Detection of generic flooding attacks aimed at spacecraft communication channels, characterized by an overwhelming volume of unexpected noise or message injections. This can result in denial of service (DoS) or data corruption by saturating the communication link with excessive packets or signals, thereby disrupting normal spacecraft operations. Flooding attacks could target various communication elements, including uplink, downlink, and crosslink channels, potentially leading to significant degradation of system availability, especially during critical mission phases. | [network-traffic:protocols[*] = 'satellite_vehicle' AND network-traffic:src_port IN ('uplink_port','crosslink_port') AND network-traffic:packet_size > 'expected_max_size' AND network-traffic:packet_count > 'normal_packet_rate'] |
CSNE-13 | Erroneous Input Flooding | Detection of erroneous input flooding attacks targeting spacecraft communication channels by injecting irrelevant noise, data, or signals. This flooding method disrupts the processing of legitimate messages by introducing a high volume of non-system-relevant or malformed packets. Even though these inputs are irrelevant, the spacecraft may still expend computing resources attempting to process or discard them, leading to resource exhaustion and potential degradation of communication integrity and availability. Such attacks aim to cause denial of service conditions by saturating the spacecraft's computational resources and communication bandwidth with useless data. | [network-traffic:protocols[*] = 'satellite_vehicle' AND network-traffic:data_size < 'minimum_valid_size' AND network-traffic:data_content = 'non-system-relevant' AND network-traffic:packet_count > 'expected_threshold'] |
CSNE-14 | Unusual Data Transmission Between SpaceWire Routing Switches | Detection of unusual data transmissions from a SpaceWire routing switch to critical subsystems, potentially indicating the exploitation of a flat architecture to inject crafted data into sensitive areas of the spacecraft. | [x-opencti-bus-traffic:src_ref.role = 'routing_switch' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem'] |
CSNE-15 | Unexpected Communication Between Subsystems | Detection of unexpected communication between spacecraft subsystems that should not normally interact directly on the same bus, potentially indicating lateral movement by a threat actor across a flat architecture. For example, a subsystem could attempt to modify the watchdog timer or other onboard values. | [x-opencti-bus-traffic:src_ref.subsystem != 'expected_subsystem' AND x-opencti-bus-traffic:dst_ref.subsystem != 'authorized_subsystem'] |
CSNE-16 | Suspicious Network Traffic Without Expected Encryption | Detection of unencrypted telemetry data being transmitted to the ground station when encryption is expected, potentially indicating that encryption has been bypassed to enable unauthorized data exfiltration. | [network-traffic:encryption_status != 'encrypted' AND network-traffic:protocols[*] = 'satellite_communication' AND network-traffic:dst_ref.role = 'ground_station'] |
CSNE-17 | Creation of FIFO for Data Exfiltration or Command Injection | Detection of the mkfifo command being executed. This suggests that a malicious process may be creating named pipes (FIFOs) to facilitate covert data exfiltration or to inject commands into other system processes unnoticed. In the context of a spacecraft running Linux this system call is rarely used; therefore any use is likely malicious. | [process:image_ref.name = 'mkfifo' AND process:x_execution_time = 'unexpected_time'] |
CSNE-18 | Process Execution Tied to Specific Geographic Coordinates | Monitors for process executions specifically occurring when the spacecraft crosses certain predefined geographic boundaries. This could indicate malware designed to activate only when over restricted or sensitive areas, using positional data and timing as execution triggers. | [process:status = 'executing' AND process:start_time != 'expected_time' AND x-opencti-pnt-data:geolocation IN ('restricted_geofence')] |
CSNE-19 | Unexpected High-Priority Messages on the CAN Bus | Detection of unexpected high-priority CAN messages (lower message IDs) originating from unauthorized subsystems. This may indicate that a threat actor is injecting high-priority messages to dominate the CAN bus and manipulate subsystem communications. | [x-opencti-bus-traffic:can_message_id < 'expected_lowest_priority' AND x-opencti-bus-traffic:src_ref.subsystem != 'authorized_subsystem'] |
CSNE-20 | Unauthorized Downlink Communication at Unexpected Time | Monitors downlink communications for unexpected activity, regardless of whether it originates from a transponder, SDR, or other communication component. This ensures detection of potential exfiltration attempts or unauthorized transmissions. | [network-traffic:direction = 'downlink' AND network-traffic:timestamp != 'expected_time'] |
CSNE-21 | Unauthorized Data Transmission from Ground System to External IP | Detection of data transmissions originating from a compromised ground system to an external IP address not authorized for spacecraft operations, potentially indicating exfiltration of sensitive information. | [network-traffic:src_ref.role = 'ground_system' AND network-traffic:dst_ref.value != 'authorized_external_ip'] |
CSNE-22 | Traffic Volume Spike on Out-of-Band Link | Monitors traffic volume or bandwidth usage on the out-of-band communication link to detect spikes that exceed normal operational thresholds, which may indicate malicious activity. | [network-traffic:src_ref.value = 'out_of_band_channel' AND network-traffic:traffic_volume > 'baseline_threshold'] |
CSNE-23 | Sudden Increase in Bandwidth Usage from Ground System | Detection of a sudden increase in network bandwidth usage from the ground system, which could indicate data exfiltration activities as threat actors attempt to move large amounts of information out of the compromised system. | [network-traffic:bandwidth_usage > 'expected_threshold' AND network-traffic:src_ref.role = 'ground_system'] |
CSNE-24 | ARP Spoofing via MAC Address Mismatch | ARP spoofing detected by observing that the MAC address does not match the expected authorized MAC address for the ground station. | [network-traffic:src_ref.value != 'authorized_mac_address' AND network-traffic:src_ref.role = 'ground_station'] |
CSNE-25 | CAN Bus Error Frames Detected Across Multiple Nodes | Detection of a high number of CAN error frames from multiple nodes, indicating that an attacker might be deliberately causing errors to disrupt communication on the bus or cause certain subsystems to enter error-passive or bus-off states. | [x-opencti-can-error-frame:error_count > 'threshold' AND x-opencti-bus-traffic:src_ref.subsystem != 'authorized_subsystem'] |
CSNE-26 | Frequent CAN Arbitration Loss by Critical Subsystems | Detection of critical subsystems repeatedly losing CAN arbitration, which may indicate that an attacker is exploiting CAN's arbitration mechanism by sending high-priority (low-ID) messages to suppress critical subsystem communication. | [x-opencti-can-arbitration:loss_count > 'threshold' AND x-opencti-can-arbitration:losing_node = 'critical_subsystem'] |
CSNE-27 | Unexpected Communication Between SpaceWire Nodes | Detection of unexpected communication between SpaceWire nodes that are not supposed to interact, potentially indicating lateral movement across the spacecraft's flat bus architecture. | [x-opencti-bus-traffic:src_ref.spacewire_node != 'expected_node' AND x-opencti-bus-traffic:dst_ref.spacewire_node != 'authorized_node'] |
CSNE-28 | Detection of CANBus Replay Attack with Duplicate Message ID and Timing Anomalies | Detection of a replay attack using a legitimate CANBus message (legitimate_id) with an expected payload being retransmitted either outside of its expected transmission window or multiple times in rapid succession (i.e., duplicate messages). This could indicate a malicious actor attempting to replay previously captured commands to manipulate spacecraft systems. | [x-opencti-bus-traffic:can_message_id = 'legitimate_id' AND x-opencti-bus-traffic:message_payload = 'expected_payload' AND (x-opencti-bus-traffic:transmission_time != 'expected_transmission_time' OR x-opencti-bus-traffic:duplicate_message_count > 1)] |
CSNE-29 | Replay of Legitimate CANBus Message with Known Message ID | Detection of a replay attack using a legitimate CANBus message with a known message ID (legitimate_id). The message is being retransmitted outside of its expected transmission time, indicating potential replay of previously captured traffic to manipulate spacecraft operations, such as sensor states or power settings. | [x-opencti-bus-traffic:can_message_id = 'legitimate_id' AND x-opencti-bus-traffic:transmission_time != 'expected_transmission_time'] |
CSNE-30 | Unauthorized Device Acting as Bus Controller (1553) | Detection of an unauthorized device acting as the bus controller, potentially indicating privilege escalation by a threat actor aiming to control the spacecraft's communication bus. | [x-opencti-bus-controller:role = 'bus_controller' AND x-opencti-bus-controller:device != 'authorized_bus_controller'] |
CSNE-31 | Specially Crafted CAN Messages Sent to Critical Subsystems | Detection of specially crafted CAN messages targeting critical subsystems with unexpected message IDs or payloads, suggesting an attacker is trying to inject malicious commands to compromise key systems. | [x-opencti-bus-traffic:can_message_id = 'unexpected_value' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem'] |
CSNE-32 | Repeated CAN Message Spoofing Detected Between Subsystems | Detection of CAN messages with legitimate message IDs but originating from unauthorized subsystems, indicating that an attacker is spoofing CAN messages to imitate legitimate subsystems and move laterally across the spacecraft. | [x-opencti-bus-traffic:x_can_message_id = 'legitimate_id' AND x-opencti-bus-traffic:src_ref.subsystem != 'authorized_subsystem'] |
CSNE-33 | Unusual Communication Between Payload and Critical Subsystems | Detection of unusual communication between a payload and critical subsystems, indicating that the flat bus architecture may be exploited to allow a payload to interact with sensitive parts of the spacecraft. | [x-opencti-bus-traffic:src_ref.role = 'payload' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem'] |
CSNE-34 | Unusual Data Transmission from Remote Terminal to Subsystem (1553) | Detection of unusual data transmission from a remote terminal to a critical subsystem using unexpected protocols, indicating that the flat bus architecture is being leveraged to send malicious data across the spacecraft. | [x-opencti-bus-traffic:src_ref.role = 'remote_terminal' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem' AND x-opencti-bus-traffic:protocols[*] != 'expected_protocol'] |
CSNE-35 | Traffic Volume Spike on Payload Channel | Monitors traffic volume or bandwidth usage on the payload communication link to detect spikes that exceed normal operational thresholds, which may indicate malicious activity. | [network-traffic:src_ref.value = 'payload_channel' AND network-traffic:traffic_volume > 'baseline_threshold'] |
CSNE-36 | Payload Channel Activity Outside Scheduled Time Windows | Monitors for payload communication link activity at times that do not align with predefined operational schedules, signaling potential exploitation or unauthorized usage. | [network-traffic:src_ref.value = 'payload_channel' AND network-traffic:timestamp != 'scheduled_window'] |
CSNE-37 | Out-of-Band Activity Outside Scheduled Time Windows | Monitors for out-of-band communication link activity at times that do not align with predefined operational schedules, signaling potential exploitation or unauthorized usage. | [network-traffic:src_ref.value = 'out_of_band_channel' AND network-traffic:timestamp != 'scheduled_window'] |
CSNE-38 | Use of Unexpected Protocol on Out-of-Band Link | Monitors for protocol deviations on the out-of-band link, which could indicate exploitation attempts. | [network-traffic:protocols != 'expected_protocol' AND network-traffic:src_ref.channel = 'out_of_band'] |
CSNE-39 | Unauthorized Frequency Usage on Out-of-Band Link | Tracks unauthorized frequency usage on the out-of-band communication link. | [x-opencti-rf-sensor:frequency_band = 'out_of_band_channel' AND x-opencti-rf-sensor:usage != 'baseline_usage'] |
CSNE-40 | Unplanned Deactivation of Downlink Transmitter | Detection of the downlink transmitter being deactivated unexpectedly, potentially indicating a malicious action intended to disable the spacecraft's ability to send telemetry data to the ground. | [x-opencti-telemetry:component = 'downlink_transmitter' AND x-opencti-telemetry:status = 'inactive' AND x-opencti-telemetry:deactivation_reason != 'planned'] |
CSNE-41 | High Latency Detected in Downlink Communication | Detection of unusually high latency in downlink communications, which may indicate that an attacker is interfering with telemetry transmission to delay or disrupt communication between the spacecraft and ground controllers. | [network-traffic:latency > 'acceptable_latency_threshold' AND network-traffic:direction = 'downlink'] |
CSNE-42 | Multiple Failed Downlink Attempts from Spacecraft | Detection of repeated failed attempts by the spacecraft to send telemetry data via the downlink, indicating potential disruption or interference preventing successful transmission. | [x-opencti-telemetry-log:direction = 'downlink' AND x-opencti-telemetry-log:transmission_attempts > 'threshold' AND x-opencti-telemetry-log:status = 'failed'] |
CSNE-43 | Anomalous Increase in Crosslink Traffic Volume | Monitors for abnormal increases in crosslink communication traffic, which may suggest unauthorized data transfers between spacecraft or access being attempted via the crosslink. | [network-traffic:src_ref.value = 'crosslink' AND network-traffic:traffic_volume > 'baseline_threshold'] |
CSNE-44 | Communication to Unauthorized Neighboring Spacecraft | Monitors for crosslink communications targeting spacecraft not included in the authorized constellation network. Your spacecraft could be used as a pivot point to other spacecraft. | [network-traffic:src_ref.value = 'crosslink' AND network-traffic:dst_ref.value != 'authorized_spacecraft'] |
CSNE-45 | Unauthorized Signal Transmission to Secondary Receiver | Monitors for transmissions directed at the secondary receiver from sources not recognized as authorized ground stations, potentially indicating an attack attempt. | [network-traffic:dst_ref.channel = 'secondary_receiver' AND network-traffic:src_ref.value != 'authorized_ground_station'] |
ARFS-1 | Authentication Process Tampering | Detection of modifications to the authentication process, which may signal unauthorized changes by a threat actor seeking access to a spacecraft. Potential modifications include tampering with encryption keys or authentication tokens. Additionally, irregularities in sequence counters, such as receiving packets out of sequence, may indicate an adversary's attempt to align with the spacecraft's authentication or sequencing protocols. | [x-opencti-system-log:authentication_process_modification = 'TRUE'] |
ARFS-2 | Anomalous Authentication Attempts | Repeated failed authentication attempts detected, potentially indicating an attempt to bypass the authentication process. | [x-opencti-authentication-log:attempts > 'threshold' AND x-opencti-authentication-log:result = 'failure'] |
ARFS-3 | Invalid RF Command Lock | A signal source detected in the ocean between authorized ground stations resulted in a failure, leading to an 'invalid' classification. A signal is classified as 'valid' only when all of the following conditions are met: the transponder operates at the correct frequency and power level, all signal characteristics align with expected parameters, command lock is achieved, and the signal originates from an authorized and expected location. | [x-opencti-signal_char:value = 'invalid'] |
ARFS-4 | Unexpected Latency in Command Packet Processing | Detection of previously executed command packets being replayed outside of expected time windows, which may indicate a replay attack. | [x-opencti-telemetry:command_delay > 'threshold'] |
ARFS-5 | Failed Authentication Attempts Due to RF/EMI Interference | Detection of failed authentication attempts on spacecraft systems potentially caused by RF or EMI interference. This indicator focuses on identifying anomalies in the RF communication environment, such as signal strength variations that do not correspond with legitimate communication patterns. Such anomalies may indicate an attempt to spoof communication signals or interfere with the authentication process to gain unauthorized access. Monitoring these failed attempts, especially when correlated with suspicious RF activity, helps in identifying and mitigating potential security threats. | [x-opencti-radio-communication:signal_strength = 'unexpected_variation' AND x-opencti-authentication-log:status = 'failed' AND x-opencti-authentication-log:source_location NOT IN ('list_of_known_ground_stations')] |
ARFS-6 | Abnormal Signal Strength | Detection of abnormal or excessive signal strength in communications, which could indicate the presence of a rogue device attempting to overpower legitimate signals and gain control of the spacecraft. | [network-traffic:signal_strength > 'expected_threshold' AND network-traffic:protocols[*] = 'satellite_communication'] |
ARFS-7 | Noise Injection Detected in Communication Channels | Detection of abnormal noise signal strength in communication channels, potentially indicating a jamming or noise injection attack designed to interfere with legitimate communication and disrupt spacecraft operations. | [network-traffic:x_signal_noise_ratio < 'expected_noise_threshold' AND network-traffic:protocols[*] = 'satellite_communication'] |
ARFS-8 | Unauthorized Frequency Usage on Backup Channel | Tracks unauthorized frequency usage on the backup channel/communication link. | [x-opencti-rf-sensor:frequency_band = 'backup_channel' AND x-opencti-rf-sensor:usage != 'baseline_usage'] |
ARFS-9 | Safe-Mode Activation Due to Signal Jamming | Monitors RF noise levels in GNSS or uplink bands that exceed expected thresholds, leading to safe-mode activation. This could indicate deliberate signal jamming aimed at exploiting reduced protections in safe-mode. Entering safe mode does not necessarily indicate jamming of commanding has occurred, as some spacecraft enter safe-mode after expected communication contacts with the ground are missed. | [x-opencti-rf-sensor:frequency_band IN ('gnss_band','uplink_band') AND x-opencti-rf-sensor:noise_level > 'maximum_threshold' AND x-opencti-spacecraft-status:mode = 'safe-mode'] |
ARFS-10 | CLTU BIND Authentication Failure | Detects any authentication failure during the CLTU BIND process. This IOC captures the general case where authentication does not succeed, whatever the cause. | [x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:authentication_result = 'failure'] |
ARFS-11 | Authorized SLE Session Establishment by Attacker (Rogue IP) | Detects an authorized SLE session established by the attacker using replayed / captured credentials, gaining control of the session. This is the case where the attacker holds valid credentials to establish the BIND, so the only anomaly is the unexpected source address. | [x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:user = 'authorized_user' AND network-traffic:src_ref.value != 'authorized_ip'] |
ARFS-12 | Rejection of CLTU BIND Due to Tampered/Invalid Credentials | Detects that the SLE Provider rejected the CLTU BIND request due to tampered or invalid credentials, leading to termination of the connection. Unlike the general authentication-failure case, this IOC ties directly to the modification of credentials: it explicitly identifies that the BIND request was rejected because the credentials were invalid or tampered with, which results in the SLE Provider terminating the connection. | [x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:status = 'rejected' AND x-opencti-command-log:reason = 'invalid_credentials'] |
GNTM-1 | Unexpected GNSS Signal Delay | Monitors GNSS signal delays for signs of interference disrupting timing data. | [x-opencti-gnss-log:signal_delay > 'acceptable_latency'] |
GNTM-2 | Signal-to-Noise Ratio Drop in GNSS Receiver | Monitors GNSS signal quality for sudden drops in the signal-to-noise ratio, which can occur during intentional jamming attempts. | [x-opencti-gnss-log:signal_to_noise_ratio < 'minimum_threshold'] |
GNTM-3 | GNSS Signal Outage Detected | Tracks unexpected GNSS signal outages that could disrupt spacecraft navigation and timing functions. | [x-opencti-gnss-log:signal_status = 'lost' AND x-opencti-gnss-log:duration > 'outage_threshold'] |
GNTM-4 | GNSS Receiver Power Fluctuations | Tracks GNSS receiver power levels for anomalies during operation and detects unexpected power fluctuations in GNSS receivers, which could indicate malicious jamming or hardware malfunction. | [x-opencti-gnss-log:power_fluctuation > 'threshold'] |
GNTM-5 | Time Discrepancy Detected in GPS/External Signal Input | Detection of a time discrepancy in GPS or other external time signal inputs, indicating a potential time spoofing attack aimed at altering the spacecraft's internal time through false signals. This is similar to the IOC for Unexpected Time Delta Detected, but this one is specific to external timing input. | [x-opencti-sensor-data:sensor_type = 'gps_time' AND x-opencti-sensor-data:timestamp != 'expected_timestamp' AND x-opencti-time:delta_value != 'expected_delta_value'] |
GNTM-6 | Unexpected Time Delta Detected | Detection of an unexpected and large time delta, indicating a potential time manipulation attack. Time should advance linearly with minimal drift, so deviations on the order of seconds should be detectable. | [x-opencti-system:component = 'time_controller' AND x-opencti-time:delta_value != 'expected_delta_value'] |
GNTM-7 | Time Adjustment Commands Detected | Detection of repeated execution of time adjustment commands, which could indicate a malicious process or binary attempting to continuously manipulate on-board time to affect spacecraft operations. For example, on Linux systems time adjustments are usually performed using commonly known commands and utilities such as: date (sets or displays the system date and time); hwclock (interacts with the hardware clock (RTC) on the system); timedatectl (controls and queries the system time and timezone, and synchronizes the system clock); ntpd/chrony (services that manage time synchronization with external NTP (Network Time Protocol) servers); adjtimex (fine-tunes the kernel clock to improve time accuracy). | [x-opencti-system:component = 'time_controller' AND x-opencti-command:command = 'adjust_time' AND x-opencti-command:execution_count > 'threshold'] |
GNTM-8 | Anomalous Hardware Clock Behavior | Identifies abnormal changes in clock speed, indicative of clock glitching attempts. Clock Glitching is a fault injection method where an attacker or a security evaluator alters the operating frequency of a target. | [x-opencti-hardware-log:clock_speed != 'expected_speed'] |
GNTM-9 | Anomalous GNSS Timing Behavior (Time Rewind Detected) | This pattern detects a GNSS receiver time that moves backward between samples, which could indicate tampering, spoofing, or replayed signals. It compares the current GNSS timestamp to the previously stored timestamp and flags a rollback when delta_time is negative. This requires local time-series storage so that the delta can be calculated externally or on-board before being logged as a field. | [x-opencti-gnss:delta_time < 0] |
GNTM-10 | Anomalous Sensor Data (Time Rewind Detected) | Detects rollback in GNSS time sensor readings compared to an external or independently maintained timestamp. The GNSS-reported time is older than previously recorded values, suggesting potential spoofing, recovery from interference, or malicious time manipulation. A GNSS time rewind event was flagged based on observed time discontinuity. Requires logic outside STIX to compute and set rewind_detected. | [x-opencti-sensor-data:sensor_type = 'gps_time' AND x-opencti-sensor-data:rewind_detected = true] |
GNTM-11 | Unexpected Position Delta Detected via Anomalous GNSS Position Data | Indicates movement inconsistent with the spacecraft's orbital dynamics. Observed position delta exceeds expected change based on orbital calculations. May indicate GNSS spoofing or receiver error. The delta must be computed and stored before use. | [x-opencti-gnss:delta_position > 'expected_delta_value'] |
GNTM-12 | ICD Field Non-Compliance Detected | GNSS message fields exceed the specification limits defined in the ICD (e.g., IS-GPS-200), which could imply spoofing or malformed packet injection. This can signal malicious interference, malformed packet injection, or a hardware anomaly. Requires upstream logic or telemetry processing to evaluate field ranges (e.g., based on IS-GPS-200). | [x-opencti-gnss:icd_field_value < 'MIN_LIMIT'] OR [x-opencti-gnss:icd_field_value > 'MAX_LIMIT'] |
MIRE-1 | Anomalous Flash Write Operations Detected in Short Timeframe | Detection of a high number of flash write operations in a short timeframe, indicating a coordinated effort to overwrite the spacecraft's flash memory entirely. This behavior is typical of wiper malware aiming to destroy all flash data. | [x-opencti-memory:block = 'flash_memory' AND x-opencti-memory:write_operation_count > 'threshold' AND x-opencti-memory:write_duration < 'threshold'] |
MIRE-2 | Anomalous Flash/EEPROM Memory Checksums Detected | Detection of a checksum mismatch for the flight software's flash/EEPROM memory partitions. This could indicate that both the primary and redundant partitions have been corrupted by a malicious action, leading to a permanent denial of service (DoS). | [(x-opencti-memory:table_ref.name = 'flash_memory' OR x-opencti-memory:table_ref.name = 'eeprom_memory') AND x-opencti-memory:checksum != 'expected_checksum'] |
MIRE-3 | Unusual Access Frequency to Critical Memory Regions | Monitors for excessive access to critical memory regions, which may indicate malicious activities. On a spacecraft, consistent and unexpected access (read or write) to critical memory regions could indicate malicious activities by malware. | [x-opencti-memory:access_frequency > 'expected_rate' AND x-opencti-memory:memory_region != 'expected'] |
MIRE-4 | Skipped Boot Integrity Check | Detects cases where boot / firmware integrity checks are bypassed, potentially due to a glitching or other attacks. | [x-opencti-memory:block = 'boot' AND x-opencti-memory:integrity_check = 'skipped'] |
MIRE-5 | Memory Corruption Detected in Flight Software | Detection of memory corruption in spacecraft flight software components, potentially caused by buffer overflow or other memory management vulnerabilities being exploited by threat actors. | [x-opencti-memory:status = 'corrupted' AND x-opencti-software:component = 'flight_software'] |
MIRE-6 | Unexpected Modification of Memory Location Associated with Telemetry Data | Detection of an unexpected modification in the memory block associated with telemetry data. The system identifies abnormal write operations in memory locations that store telemetry information before it is transmitted, suggesting manipulation by malware. Adversaries may change telemetry before downlink in order to prevent the ground from being aware of malware being on the spacecraft. | [x-opencti-memory:block = 'telemetry_memory_block' AND x-opencti-memory:write_operation = 'unexpected' AND x-opencti-memory:modification_time != 'authorized_time'] |
MIRE-7 | Unexpected Memory Value Write or Modification | Detection of unexpected or unauthorized modifications to onboard memory values during execution. This could occur during updates, configuration changes, or direct commanding, and could potentially lead to corruption of system values or trigger malicious behavior. An adversary may inject malicious information into the Flash or EEPROM, or into the area where the FSW/software is stored, during an update. | [x-opencti-memory:write_operation = 'unexpected_write' AND x-opencti-memory:value != 'expected'] |
MIRE-8 | Resource Exhaustion Due to Handling Invalid Inputs | Detection of resource exhaustion on spacecraft systems due to attacks involving invalid inputs. This indicator focuses on identifying high memory and CPU utilization caused by the processing of numerous invalid inputs, which may lead to critical errors, safe mode transitions, or reboots of flight software (FSW) and applications. Such activity can be indicative of a deliberate attempt to exhaust spacecraft resources, resulting in a denial of service (DoS) condition or other operational impacts. Monitoring for these conditions is essential to maintaining spacecraft stability and ensuring mission success. | [x-opencti-system-log:memory_usage > 'threshold' AND x-opencti-system-log:cpu_usage > 'threshold' AND x-opencti-error-log:error_type = 'invalid_input_handling' AND x-opencti-system-log:event_count > 'threshold'] |
MIRE-9 | Failed Boot Memory Validation | Detection of boot memory validation failure, indicating that boot memory has been tampered with to bypass internal processes. This is similar to integrity failure detection, but here the overall boot process fails validation using whatever steps are established (e.g., digital signature, cryptography, etc.). | [x-opencti-system:boot_memory_validation = 'failed'] |
MIRE-10 | Anomalous Boot Sequence Execution | Detection of an unexpected boot sequence, indicating potential tampering or manipulation of boot memory during system startup. | [x-opencti-system:boot_sequence = 'unexpected'] |
MIRE-11 | Detection of Malicious Code in Boot Memory (Integrity Failure) | Detection of malicious code being executed or loaded into boot memory, indicated by a failed memory integrity check. | [x-opencti-memory:block = 'boot' AND x-opencti-memory:integrity_check = 'failed'] |
MIRE-12 | Unexpected Modification to Encryption Memory/Table | Detection of an unauthorized modification to the encryption table, suggesting a potential malicious update affecting the telemetry, tracking, and control (TT&C) encryption settings. The change occurred in the memory range Value1 - Value999. The memory range will be different for each spacecraft. | [x-opencti-memory:table_ref.name = 'encryption_table' AND x-opencti-memory:checksum != 'expected_checksum' AND x-opencti-memory:range = 'Value1 - Value999'] |
MIRE-13 | Unexpected Modification to Stored Commands Area | Detection of an unexpected modification to the stored commands table or area in memory. This could indicate an unauthorized update that modifies the table to perform a time-based attack, such as initiating a system shutdown or denial of service at a time in the future. | [x-opencti-memory:table_ref.name = 'stored_command_area' AND x-opencti-memory:write_operation = 'unexpected_write' AND x-opencti-memory:timestamp != 'expected_update_time'] |
MIRE-14 | Abnormal Memory Consumption by Malicious Process | Detection of excessive memory consumption by an unauthorized process, indicating a possible memory exhaustion attack aimed at degrading the spacecraft's performance. | [process:x_memory_usage > 'threshold' AND process:image_ref.name != 'authorized_process'] |
MIRE-15 | Unexpected Modification of Memory Location Associated with Payload Data | Detection of an unexpected modification in the payload memory block associated with payload data. The system identifies abnormal write operations in memory locations that store payload information before it is transmitted, suggesting manipulation by malware. Adversaries may change payload data before downlink in order to disrupt operations. | [x-opencti-memory:block = 'payload_memory_block' AND x-opencti-memory:write_operation = 'unexpected'] |
MIRE-16 | Unexpected Boot Memory Modifications | Detection of unexpected access and changes in the boot memory region, which may indicate an attempt to manipulate or modify the system's boot sequence. | [x-opencti-memory:block = 'boot' AND x-opencti-memory-log:block = 'boot' AND x-opencti-memory-log:status != 'expected'] |
MIRE-17 | Unauthorized System Call to Open Flash Memory Blocks (/dev/mtd) | Detection of unauthorized system calls to access flash memory devices or partitions (/dev/mtd%). These system calls indicate that a malicious script or process is attempting to modify or read flash memory, potentially targeting critical system areas like firmware or configuration data during an attack. | [process:image_ref.name = 'open' AND file:path LIKE '/dev/mtd%' AND file:access_time != 'authorized_access_time'] |
MIRE-18 | Bit Flip in Critical Memory Region Detected via Error Detection | This could monitor for errors in specific memory regions critical to spacecraft operations. The detection could rely on: parity checks (identify discrepancies in the number of 1s in the data), Hamming codes (detect and correct bit flips in a data block), checksums (compare recalculated checksum values with expected results to flag corruption), and redundancy (cross-checks repeated data instances for inconsistencies). By focusing on memory regions directly, this targets areas most vulnerable to SEU or malicious interference, ensuring precise monitoring of critical memory segments. | [x-opencti-memory-log:error_detection_status = 'failed' AND x-opencti-memory-log:memory_region IN ('critical_region_1','critical_region_2')] |
WTRE-1 | Reduced Watchdog Timer Reset Frequency | Tracks reductions in WDT reset frequency below operational baselines, which may suggest malicious manipulation. | [x-opencti-watchdog:reset_frequency < 'minimum_threshold'] |
WTRE-2 | Abnormal Frequency of Watchdog Timer Resets | Tracks abnormally frequent WDT resets, potentially signaling attempts to circumvent its functionality. | [x-opencti-watchdog:reset_frequency > 'expected_threshold'] |
WTRE-3 | Watchdog Timer Status Disabled | Monitors for cases where the WDT status is set to disabled, which may signal tampering or exploitation by a threat actor. The status could also be suspended rather than disabled. In STIX this could look like [x-opencti-watchdog:active = false]. | [x-opencti-watchdog:status = 'disabled'] |
WTRE-4 | Watchdog Timer Timeout Modified to Unexpected Value | Monitors changes to WDT timeout values, which could indicate unauthorized modifications designed to disable normal reset mechanisms. For example, a WDT timeout value extended beyond acceptable operational limits could allow unregulated activity. This could be written in STIX as [x-opencti-watchdog:timeout > 'maximum_operational_limit']. | [x-opencti-watchdog:timeout != 'baseline_value'] |
WTRE-5 | Unauthorized Access Attempt to Critical Registers | Tracks access attempts to critical registers to ensure only authorized sources interact with them, reducing the risk of malicious tampering. It is recommended to maintain a list of critical registers for each particular operating system. | [x-opencti-register:access_origin != 'trusted_source' AND x-opencti-register:region = 'critical_subsystem'] |
WTRE-6 | Unexpected Register Reset Activity | Monitors register resets that deviate from normal operational patterns, potentially impacting system functionality. | [x-opencti-register:reset_status = 'unexpected'] |
WTRE-7 | Anomalous Register Value Modification | Monitors critical subsystem registers for unauthorized value modifications that could disrupt spacecraft functionality or subsystem workflows. Detects register values deviating from expected baselines within critical subsystems, potentially indicating unauthorized tampering. | [x-opencti-register:value != 'expected_value' AND x-opencti-register:region = 'critical_subsystem'] |
SIUU-1 | Unexpected Hardware Interrupt Trigger | Monitors for unexpected hardware interrupts, which may indicate an attacker exploiting design flaws to disrupt operational workflows. | [x-opencti-hardware-interrupt:triggered = true AND x-opencti-hardware-interrupt:source != 'authorized_source'] |
SIUU-2 | Unexpected System Integrity Failures in Software | Detection of failed integrity checks during spacecraft software execution, potentially indicating that the software has been modified to include a backdoor or malicious code. | [x-opencti-software:integrity_check = 'failed' AND x-opencti-software:name = 'spacecraft_software'] |
SIUU-3 | Security Feature Bypass Detected in Hardware Design | Monitors for security features being disabled in the hardware layer, possibly indicating design flaws being leveraged. | [x-opencti-hardware:security_feature_status != 'enabled'] |
SIUU-4 | Abnormal Software Update Activity Detected | Detection of unauthorized or abnormal software update attempts, particularly affecting critical spacecraft subsystems or even FSW as a whole. This may be an indicator of an attacker exploiting a code flaw to introduce malicious code or manipulate software functionality. | [x-opencti-update-log:source != 'trusted_source' AND x-opencti-update-log:software_component = 'critical_subsystem'] |
SIUU-5 | Unscheduled Software Updates Detected | Detection of unscheduled or unauthorized software updates, which could indicate a backdoor being injected into the software during an unexpected update process. | [x-opencti-software-update:scheduled = 'false' AND x-opencti-software:name = 'spacecraft_software'] |
SIUU-6 | Compromised Software Certificates or Digital Signatures | Detection of compromised or invalid digital certificates or signatures associated with spacecraft software, indicating that the software may have been altered or tampered with in the supply chain, potentially enabling the execution of malicious code or system compromise. | [x-opencti-software:certificate_validity = 'failed' OR x-opencti-software:signature != 'expected_signature'] |
SIUU-7 | Invalid Digital Signature in On-Orbit Update Package | Detection of an invalid digital signature in the on-orbit update package, potentially indicating tampering or replacement of the legitimate update with a malicious version before it is sent to the spacecraft. This is assuming digital signatures are being used on the spacecraft. | [x-opencti-software:signature_validity = 'invalid' AND x-opencti-software:name = 'on_orbit_update_package'] |
SIUU-8 | Malicious Code via New Process | Code execution detected from an unexpected source / process, possibly indicating unauthorized or malicious code running on the spacecraft. | [x-opencti-logs:event_type = 'code_execution' AND x-opencti-processor-usage:activity_type = 'unexpected' AND x-opencti-processor-usage:process_name NOT IN ('list_of_known_processes')] |
SIUU-9 | Unexpected Software Crash Detected in Flight Software | Detection of unexpected crashes in flight software, potentially caused by attempts to exploit software vulnerabilities or coding flaws that lead to system instability. Repeated or unexplained crashes may indicate ongoing exploitation attempts targeting the spacecraft's flight control systems. | [x-opencti-software:status = 'crashed' AND x-opencti-software:component != 'expected_crash_behavior'] |
SIUU-10 | Process Executing Priority Modification | Detection of processes (renice, setpriority) modifying the priority of other processes, possibly targeting flight software to lower its priority and impact spacecraft performance, such as dropping telemetry packets. This system call in the context of a spacecraft running Linux is rarely used, therefore any use is likely malicious. | [(process:image_ref.name = 'renice' OR process:image_ref.name = 'setpriority') AND process:x_execution_time != 'authorized_period'] |
SIUU-11 | Suspicious Binary or Script Execution | Detection of an unexpected binary or script being executed that does not match the expected name. This could indicate unauthorized code execution or the presence of a backdoor, where the threat actor is using an unfamiliar binary or script to manipulate the system. Spacecraft are deterministic and controls like process whitelisting are beneficial. Detecting scripts or binaries executing on the system is a method to protect from malicious action. | [process:image_ref.name != 'expected_binary_or_script'] |
SIUU-12 | Loading of Malicious Kernel Modules | Detection of the insertion of a potentially malicious kernel module via insmod or an INIT_MODULE syscall. This suggests an attempt to gain deeper control over the Linux system by extending kernel functionality, such as disabling telemetry tracking or obscuring rootkit activity. This system call in the context of a spacecraft running Linux is rarely used; therefore, any use is likely malicious. | [process:image_ref.name = 'insmod' OR syscall:name = 'INIT_MODULE'] |
SIUU-13 | Repeated File Access to /null and Other Dummy Files | Detection of repeated access to /dev/null or other dummy files, possibly used in conjunction with a fork bomb to waste system resources and contribute to memory exhaustion. Such access in the context of a spacecraft running Linux is rare; therefore, any occurrence is likely malicious. | [(file:path = '/dev/null' OR file:path = '/null') AND file:access_time != 'expected_time'] |
SIUU-14 | Abnormal System Calls Indicative of a Software Backdoor/Malicious Code | Detection of abnormal system calls originating from processes or binaries that are unexpected or not typically associated with certain system operations. This could indicate malicious activity such as the execution of a backdoor or malicious code, where the software is making system calls outside of its normal behavior. | [process:image_ref.name = 'unexpected_process' AND process:system_call = 'unexpected_system_call'] |
SIUU-15 | Repeated File Access to /zero or /null Devices | Detection of repeated access to /dev/null or /dev/zero, indicating a potential attempt to consume resources or overwhelm the system by performing unnecessary read/write operations. | [(file:path = '/dev/null' OR file:path = '/dev/zero') AND file:access_time != 'expected_time'] |
SIUU-16 | Execution of System Commands | Detection of several commands such as dd, grep, ps, awk, and chmod being executed, potentially indicating that the attacker is obfuscating their activity by manipulating process lists or file permissions to hide the rootkit or telemetry tampering. These commands in the context of a spacecraft running Linux are rarely used; therefore, any use is likely malicious. Many of these are executed with root privileges, potentially indicating that the attacker is trying to perform destructive or obfuscation tasks with full system access. | [(process:image_ref.name = 'grep' OR process:image_ref.name = 'ps' OR process:image_ref.name = 'awk' OR process:image_ref.name = 'chmod' OR process:image_ref.name = 'dd' OR process:image_ref.name = 'cat' OR process:image_ref.name = 'sh') AND process:x_execution_time != 'authorized_time'] |
SIUU-17 | Detection of Anomalous API Calls in Flight Software | Many FSW have built-in APIs, and if malicious software gets onboard the vehicle it could maliciously use the APIs. Detection of anomalous API calls made through the flight software's API interface, indicating possible exploitation of a vulnerability or misconfiguration. | [x-opencti-api-log:api_call != 'expected_behavior'] |
SIUU-18 | Suspicious Activity in Software Compilation or Build Process | Detection of suspicious activities or errors in the spacecraft software compilation process, potentially indicating tampering with source code or injecting malicious components into the compiled software before it is delivered to the spacecraft. | [x-opencti-build-log:process = 'compilation' AND x-opencti-build-log:result != 'expected'] |
SIUU-19 | Unauthorized Modification of Source Code in Software Repository | Detection of unauthorized modifications to source code in a software repository used to develop or update spacecraft software, indicating potential code injection or manipulation in the supply chain to introduce malicious functionality. | [x-opencti-code-repository:commit_author != 'trusted_contributor' AND x-opencti-code-repository:code_change != 'expected'] |
SIUU-20 | Suspicious Access to Vulnerable Software Process | Detection of unauthorized access or invocation of any vulnerable software process by an unexpected parent process, potentially indicating an attempt to exploit a software vulnerability. This pattern is useful for detecting suspicious activity across any subsystem where software vulnerabilities may exist. | [process:binary_ref.type = 'software' AND process:parent_ref.name NOT IN ('authorized_parents') AND process:binary_ref.version = 'known_vulnerable_version'] |
SIUU-21 | Detection of Anomalous Process Behavior Due to Code Exploitation | Detection of unexpected or anomalous behavior in onboard software processes, which may indicate an attempt to exploit a software flaw. This can involve the execution of unusual commands, system calls, memory manipulation, or deviations from normal process behavior. An alternative way to view this could be [process:name != 'expected_process_name' AND process:binary_ref.name != 'trusted_component'] but the current pattern focuses on the process behavior. | [x-opencti-process:behavior != 'expected_behavior' AND x-opencti-process:software_component != 'trusted_component'] |
SIUU-22 | Abnormal Subsystem Behavior Following Malicious Code Execution | Detection of abnormal or unexpected behavior in critical spacecraft subsystems (e.g., attitude control, power management) after malicious code execution. This pattern indicates a direct impact on spacecraft subsystems following the activation of the malicious code. | [x-opencti-subsystem-log:status != 'expected' AND process:image_ref.name = 'malicious_process'] |
SIUU-23 | Detection of Unauthorized Hardware Debugging | Identifies unauthorized activation of hardware debugging features, which could facilitate backdoor access. This pattern checks if the hardware debugging mode is activated at an unexpected time (activation_time != 'expected_time'). It is useful for scenarios where debugging activity might occur outside of predefined operational windows, potentially signaling malicious activity or tampering. | [x-opencti-hardware-log:debug_mode = true AND x-opencti-hardware-log:activation_time != 'expected_time'] |
SIUU-24 | Suspicious Firmware Version Rollback | Firmware updates will oftentimes include fixes to security vulnerabilities, meaning that past versions will contain security threats to the devices. If a threat actor can initiate a firmware update on the device, they may be able to "upgrade" to a previous firmware version with known vulnerabilities. By completing an "upgrade" to a version with vulnerabilities, the threat actor could then potentially exploit that device to gain additional access or privileges. | [x-opencti-firmware-log:version != 'latest_version' AND x-opencti-firmware-log:rollback_attempt = true] |
SIUU-25 | Unauthorized Function Hooking in Telemetry Process | Detection of unauthorized function hooking in the telemetry process, specifically targeting the packet_write_function. This hook allows the malware to modify telemetry data before it is transmitted to ground systems, concealing malicious activity onboard the spacecraft. | [process:image_ref.name = 'telemetry_process' AND process:hooked_function = 'packet_write_function'] |
SIUU-26 | Unauthorized Modification of Downlink Configuration | Detection of unauthorized modifications to the downlink frequency configuration settings, suggesting a potential attack to disrupt the spacecraft's ability to transmit telemetry. | [x-opencti-radio-configuration:downlink_frequency != 'authorized_value' AND x-opencti-radio-configuration:modification_time != 'scheduled_window'] |
SMSR-1 | Sensor Data Exceeds Operational Ranges | Tracks sensor readings that exceed acceptable operational limits, potentially disrupting spacecraft functionality. Detects sensor data values falling outside predefined operational ranges, potentially indicating spoofing. | [x-opencti-sensor-data:value < 'expected_min' OR x-opencti-sensor-data:value > 'expected_max'] |
SMSR-2 | High CPU Utilization Due to Anomalous/Malicious Activity | Detection of high CPU utilization on spacecraft systems, potentially caused by anomalous or unexpected activity. This indicator focuses on identifying when CPU load exceeds normal operational thresholds, especially due to the execution of processes that are not recognized as part of the normal spacecraft operations. Such activity could be indicative of a cyber attack, such as a resource exhaustion attack, where unauthorized processes or malware attempt to degrade system performance, leading to potential mission impacts or denial of service conditions. | [x-opencti-processor-usage:cpu_load > 'threshold' AND x-opencti-processor-usage:activity_type = 'unexpected' AND x-opencti-processor-usage:process_name NOT IN ('list_of_known_processes')] |
SMSR-3 | Unauthorized State Changes in Critical Sensors | Detection of an unexpected sensor state change in critical spacecraft sensors (e.g., Sun Sensor, GPS Sensor). The sensor states are modified outside of authorized operational windows, suggesting a malicious attack affecting the sensor's behavior. | [x-opencti-sensor:state = 'off' AND x-opencti-sensor:state_change_time != 'authorized_time'] |
SMSR-4 | ADCS Onboard Values Manipulation | Detection of suspicious modifications to the onboard values of the Attitude Determination and Control subsystem, such as sudden changes in quaternion values, unexpected gyro readings, or abnormal magnetometer values. Such anomalies could indicate unauthorized modifications by threat actors aiming to manipulate spacecraft orientation. The intent might be to force the automated control system to perform unnecessary corrective maneuvers, leading to resource depletion or potential mission failure. | [x-opencti-telemetry-data:telemetry_type = 'attitude-control' AND x-opencti-telemetry-data:parameter_name IN ('quaternion','gyro_reading','magnetometer_value') AND x-opencti-telemetry-data:value_change > 'threshold_value' AND x-opencti-telemetry-data:change_rate > 'expected_rate'] |
SMSR-5 | Unexpected Spacecraft Telemetry or Movement Detected on Attitude | Detection of unexpected telemetry or movement data from the spacecraft's Attitude Control System that deviates from planned and expected orbital maneuvers. Such anomalies may indicate unauthorized control commands or manipulation, potentially pointing to a cyber attack aimed at altering the spacecraft's intended course or orientation. | [x-opencti-telemetry:movement_type = 'orbit-deviation' AND x-opencti-telemetry:deviation_value > 'threshold_value'] |
SMSR-6 | Unauthorized Fault Management Configuration Change Detected Outside Expected Time | Monitors for fault management configuration modifications occurring at unauthorized times, which may indicate an attempt to disable critical protections during vulnerable operational states. | [x-opencti-fault-management:configuration != 'baseline_configuration' AND x-opencti-fault-management:modification_time != 'authorized_time_window'] |
SMSR-7 | Unauthorized Star Map Changes in Star Trackers | Detection of unauthorized changes to star maps within star trackers. This can result in incorrect positional readings and severe degradation or mission loss. The pattern monitors for changes in the star map data using hash verification, with unexpected hashes indicating potential unauthorized modification. Integrity is paramount for Star Trackers to work properly. | [x-opencti-onboard-data:component = 'star_tracker' AND x-opencti-onboard-data:data_type = 'star_map' AND x-opencti-onboard-data:hashes != 'expected_star_map_hash'] |
SMSR-8 | Sudden Orbit Correction Detected Outside of Planned Windows | Detection of an unplanned orbit adjustment executed by the Attitude Determination and Control subsystem. This indicates that the system may have been manipulated to trigger unnecessary orbit corrections, leading to resource wastage. | [x-opencti-orbit-adjustment:status = 'active' AND x-opencti-orbit-adjustment:scheduled != 'TRUE'] |
SMSR-9 | Security Feature Disabled in Safe-Mode | Monitors the status of critical security features (e.g., COMSEC) to detect if they are disabled during safe-mode operations. The security feature would need to be determined by the engineer, but COMSEC is an example. An example of how to build the pattern for COMSEC: [x-opencti-security-feature:feature = 'encryption' AND x-opencti-security-feature:status = 'disabled' AND x-opencti-spacecraft-status:mode = 'safe-mode'] | [x-opencti-spacecraft-status:mode = 'safe-mode' AND x-opencti-security-feature:status = 'disabled'] |
SMSR-10 | Ransomware Holding CPU Cycles Hostage | This assumes we know the name of the process (ransomware_process); if not, that clause needs to be removed from the pattern. Detection of a ransomware process that monopolizes CPU cycles by consuming a high percentage of CPU resources. This process resists termination attempts, effectively holding system resources hostage and degrading spacecraft performance. This could indicate a ransomware variant that demands ransom in exchange for restoring normal system operations by releasing CPU resources. | [process:x_cpu_usage > 'high_threshold' AND process:image_ref.name = 'ransomware_process' AND process:x_status = 'running' AND process:x_memory_usage > 'threshold' AND process:x_termination_attempt = 'failed'] |
SMSR-11 | High CPU Usage Detected for Unauthorized Process | Detection of an unauthorized process consuming an unusually high amount of CPU resources, which may be part of a malicious attempt to degrade system performance and affect telemetry operations. | [process:x_cpu_usage > 'threshold' AND process:image_ref.name != 'authorized_process'] |
SMSR-12 | Microwave Emissions Targeting Sensitive Nodes | Monitors for microwave signals exceeding safe thresholds in spacecraft operational zones, which may disrupt critical components or induce SEU. | [x-opencti-rf-sensor:frequency_band = 'microwave_band' AND x-opencti-rf-sensor:signal_power > 'safe_threshold'] |
SMSR-13 | High Energy Particle Strike on Sensitive Node | Tracks high-energy particle activity impacting critical spacecraft nodes, which could cause SEU or be induced by adversaries using targeted energy emissions. Detects high-energy particle activity near sensitive spacecraft components. | [x-opencti-radiation-sensor:energy_level > 'threshold' AND x-opencti-radiation-sensor:node_location = 'critical_component'] |
SMSR-14 | Multiple Failed System Reinitializations Due to Exploit | Detection of repeated system reinitializations caused by continuous exploitation of segmentation faults in software, leading to a denial of service condition. | [x-opencti-system:status = 'reinitialization' AND x-opencti-system:failure_count > 'threshold'] |
SMSR-15 | Unexpected Changes to Software-Defined Radio (SDR) Configuration | Detection of unauthorized modifications to the software-defined radio (SDR) configuration, potentially allowing a threat actor to establish persistent access via radio communication. SDRs are reconfigurable by design; therefore, integrity protection is important and detection of all modifications is necessary. | [x-opencti-sdr-configuration:value != 'expected_value' AND x-opencti-sdr-configuration:name = 'radio_settings'] |
SMSR-16 | Unexpected Fault Management Process Termination | Monitors the fault management service for unexpected termination, which could indicate a targeted attempt to disable protections. | [process:name = 'fault_management_service' AND process:status != 'running'] |
SMSR-17 | Telemetry Packet Drops Due to CPU or Memory Overload | Detection of a high rate of dropped telemetry packets coinciding with CPU or memory exhaustion, indicating that a malicious process is consuming system resources and preventing critical flight software operations. | [x-opencti-telemetry:packet_drop_rate > 'threshold' AND x-opencti-system:cpu_usage > 'threshold'] |
SMSR-18 | Abnormal Process Forking Leading to Resource Exhaustion | Detection of a rapid increase in the number of processes being forked by an unauthorized process, leading to excessive CPU and memory usage. This behavior is characteristic of a fork bomb, which is designed to exhaust system resources and lead to a system crash or freeze. | [process:image_ref.name != 'authorized_process' AND process:x_fork_count > 'threshold' AND process:x_cpu_usage > 'threshold' AND process:x_memory_usage > 'threshold'] |
SMSR-19 | System Freeze or Crash Detected After High Resource Consumption (CPU, Memory, Storage) | Detection of the system becoming unresponsive due to excessive consumption of memory, CPU, and storage resources. This is likely caused by a malicious process (e.g., a fork bomb or other attack) that exhausts system resources, leading to system failure or a crash. | [x-opencti-system:status = 'unresponsive' AND x-opencti-system:memory_usage > 'threshold' AND x-opencti-system:cpu_usage > 'threshold' AND x-opencti-file-system:available_space < 'threshold'] |
DISE-1 | File or Data Integrity Check Failure | Monitors the cryptographic integrity of data (files, payload data, configuration files, logs, etc.) to ensure it remains unmodified during data storage or transmission. It is important during engineering to determine the critical data items that need integrity protection. Some examples are discussed in the evasion technique https://sparta.aerospace.org/technique/DE-0003/. | [file:hashes != 'expected_hash_value' AND file:name = 'data_file'] |
DISE-2 | Unauthorized Modification of On-Orbit Update Binary | Detection of unauthorized modifications to an on-orbit update binary, indicated by mismatches in the SHA-256 hash value, potentially indicating that the binary has been replaced with a malicious version. | [file:hashes != 'expected_hash_value' AND file:name = 'on_orbit_update_binary'] |
DISE-3 | Multiple Failed Attempts to Access Encrypted Data | Multiple failed attempts to access files or data stored on the spacecraft, indicating that critical data has POTENTIALLY been rendered inaccessible due to ransomware activity. This pattern focuses on detecting repeated access failures. The data could be corrupted by purely environmental issues, but could also indicate malicious activity. | [file:status = 'unreadable' AND file:access_attempts > 'threshold'] |
DISE-4 | Storage Exhaustion (Disk Full) | Attackers may attempt to fill up storage devices in order to have impact on the spacecraft. Storage is sometimes a limited commodity and simply filling a disk can prevent telemetry, payload data, etc. from being collected. | [x-opencti-file-system:available_space < 'threshold'] |
DISE-5 | Unusual File Encryption Activity Detected | Detection of files being encrypted with an unknown or unexpected encryption algorithm, potentially indicating ransomware activity on spacecraft systems. This can involve newly created or modified files with unusual extensions such as .encrypted or .locked. If ransomware were to use those extensions, you would add AND file:extension IN ('.encrypted', '.locked') to the pattern, which would become [file:x_encryption_algorithm != 'none' AND file:extension IN ('.encrypted', '.locked') AND file:modified_time = 'recent']. | [file:x_encryption_algorithm != 'none' AND file:modified_time = 'recent'] |
DISE-6 | Suspicious Activity Leading to Storage Exhaustion | Detection of activity which may be part of a malicious attempt to fill the storage device on the spacecraft. Without storage, this would prevent the flight software from writing telemetry data or payload data, leading to a potential denial-of-service (DoS) condition. | [x-opencti-file-system:available_space < 'threshold' AND process:x_execution_time != 'authorized_time'] |
DISE-7 | Attitude Sensor Data and Actuator Behavior | Detection of sudden changes or spikes in sensor data that do not correlate with known physical conditions, indicating potential anomalies. Such behavior, when combined with unexpected actuator operations like unintended thruster firings or erratic reaction wheel speeds, suggests possible malicious interference or system faults. This can be detected through baselining/normalization of spacecraft speeds using machine learning algorithms to identify deviations from expected patterns. | [x-opencti-sensor-data:sensor_type = 'inertial-measurement-unit' AND x-opencti-sensor-data:anomaly_value > 'threshold_value'] AND [x-opencti-actuator:actuator_type IN ('thruster','reaction-wheel') AND x-opencti-actuator:operation_status = 'unexpected'] |
DISE-8 | Anomalous Frequency of Sensor Data Updates | Monitors for deviations in sensor update rates, which could affect spacecraft control loops. Detects unexpected changes in the frequency of sensor data updates, which could suggest spoofing or tampering attempts. | [x-opencti-sensor-data:update_frequency != 'baseline_frequency'] |
DISE-9 | Unexpected Change in Gyroscope Sensor Data | Detection of an unexpected, large deviation in gyroscope sensor data that exceeds normal operational thresholds, indicating potential tampering with the Attitude Determination and Control subsystem. This may lead to automated correction tasks being triggered unnecessarily. | [x-opencti-sensor-data:sensor_type = 'gyroscope' AND x-opencti-sensor-data:reading_delta > 'threshold'] |
DISE-10 | Abnormal Data Flow in Attitude Control Telemetry | Detection of abnormal telemetry data rates in the Attitude Determination and Control subsystem, indicating potential manipulation of onboard values or interference with the control signals. This can trigger unnecessary corrective maneuvers or system malfunctions. An alternative pattern could be [x-opencti-telemetry-data:telemetry_type = 'attitude-control' AND (x-opencti-telemetry-data:parameter_name = 'quaternion' OR x-opencti-telemetry-data:parameter_name = 'gyro_reading' OR x-opencti-telemetry-data:parameter_name = 'magnetometer_value') AND x-opencti-telemetry-data:value_change > 'threshold_value' AND x-opencti-telemetry-data:change_rate > 'expected_rate'] | [x-opencti-telemetry:telemetry_type = 'attitude_control' AND x-opencti-telemetry:data_rate > 'expected_rate'] |
DISE-11 | Sensor Data Spike Detected | Monitors for sudden deviations in sensor data, which could disrupt control loops and spacecraft operations. Detects sudden spikes in sensor data readings that exceed acceptable thresholds, potentially indicating spoofing or manipulation. | [x-opencti-sensor-data:reading_delta > 'acceptable_threshold'] |
DISE-12 | Discrepancy Between Redundant Sensor Systems | Tracks inconsistencies between redundant sensors that should otherwise provide matching data, potentially indicating spoofing. Detects mismatches in data between redundant sensors, which may signal data spoofing or tampering. | [x-opencti-sensor-data:value != 'redundant_value'] |
DISE-13 | Flight Software Configuration Anomalies | Detection of anomalous or unauthorized configuration changes in flight software, potentially exploited by threat actors to enable malicious behavior or gain access to segmented subsystems. Much of the FSW functionality is driven by configuration files, tables, etc. For example, detection of an unexpected modification in the attitude control table, specifically related to momentum wheel control, indicating that a malicious update may have lowered the max momentum value to disable the wheel control. | [x-opencti-system:configuration = 'unexpected' AND x-opencti-system:subsystem = 'flight_software'] |
DISE-14 | Unexpected Audit Log Rotation | Monitors for unauthorized or unexpected log rotation events that could lead to data loss or concealment of malicious activity. | [x-opencti-audit-log:rotation_event = 'triggered' AND x-opencti-audit-log:timestamp != 'expected_time'] |
DISE-15 | High Volume of Audit Log Entries Detected | Monitors for excessive audit log activity, which could be indicative of log flooding or attempts to force log overflow to conceal malicious activity. | [x-opencti-audit-log:event_count > 'threshold' AND x-opencti-audit-log:timestamp = 'recent_period'] |
DISE-16 | Audit Log Capacity Limit Reached | Monitors for instances where the flight software's, or overall system's, audit log has reached its maximum capacity, potentially preventing the logging of further events and concealing ongoing malicious activity. | [x-opencti-audit-log:capacity_used >= 'max_capacity'] |
DISE-17 | Unauthorized Modification of Critical Onboard Values | This monitors for the unauthorized modification of critical onboard data elements essential for spacecraft control, telemetry, and security functions. Changes detected in these values could indicate tampering, defensive evasion, or system compromise. The monitored data elements could include (derived from https://sparta.aerospace.org/technique/DE-0003/): Vehicle Command Counter (VCC), Rejected Command Counter, Command Receiver On/Off Mode, Command Receivers Received Signal Strength, Command Receiver Lock Modes, Telemetry Downlink Modes, Cryptographic Modes, Received Commands, System Clock, GPS Ephemeris, Watchdog Timer (WDT), Poisoned AI/ML Training Data. This is intentionally broad to ensure coverage of multiple subsystems where unauthorized modifications could disrupt normal spacecraft operations or create vulnerabilities for further exploitation. | [x-opencti-data-element:modification_detected = true AND x-opencti-data-element:modification_source != 'trusted_source'] |
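A point worth checking before any of the patterns above is deployed: in STIX 2.1 patterning, AND binds tighter than OR, so a comparison chain such as `a = 'x' OR a = 'y' AND t != 'z'` groups as `a = 'x' OR (a = 'y' AND t != 'z')` unless parentheses make the intended grouping explicit. The evaluator below is an added example (not SPARTA's or OpenCTI's code) that parses the single-observation subset the table uses (comparisons, AND/OR, parentheses, IN / NOT IN, string, numeric and boolean literals) and evaluates it against constructed observation records, dicts keyed by object path. It runs SIUU-10 with and without explicit parentheses against a constructed record of `renice` executed inside an authorized window to show the difference; the sample observations and thresholds are constructed for the demonstration.

```python
import re

# Added example, not SPARTA or OpenCTI code: a minimal evaluator for the
# single-observation STIX 2.1 pattern subset used in the IOB table.
# An observation is a constructed dict keyed by object path, e.g.
# {'process:image_ref.name': 'renice'}.
TOKEN_RE = re.compile(
    r"\s*(?:(\(|\)|\[|\]|>=|<=|!=|=|>|<|,)"  # punctuation and comparison operators
    r"|('(?:[^'\\]|\\.)*')"                 # single-quoted string literal
    r"|(-?\d+(?:\.\d+)?)"                   # numeric literal
    r"|([A-Za-z_][\w\-:.]*))"               # object path or keyword
)
KEYWORDS = {"AND", "OR", "IN", "NOT"}


def tokenize(pattern):
    tokens, pos, text = [], 0, pattern.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {text[pos:pos + 10]!r}")
        pos, (op, s, num, word) = m.end(), m.groups()
        if op:
            tokens.append(("op", op))
        elif s:
            tokens.append(("lit", s[1:-1]))
        elif num:
            tokens.append(("lit", float(num)))
        elif word.upper() in ("TRUE", "FALSE"):
            tokens.append(("lit", word.upper() == "TRUE"))
        else:
            tokens.append(("kw", word.upper()) if word.upper() in KEYWORDS else ("path", word))
    return tokens


class Parser:
    """Recursive descent; AND binds tighter than OR, as in the STIX 2.1 spec."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, val=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (val is not None and tok[1] != val):
            raise ValueError(f"unexpected token {tok} at position {self.i}")
        self.i += 1
        return tok

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("kw", "OR"):
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.term()
        while self.peek() == ("kw", "AND"):
            self.take()
            left = ("and", left, self.term())
        return left

    def term(self):
        if self.peek() == ("op", "("):
            self.take()
            node = self.or_expr()
            self.take("op", ")")
            return node
        path = self.take("path")[1]
        if self.peek() in (("kw", "IN"), ("kw", "NOT")):
            negate = self.take()[1] == "NOT"
            if negate:
                self.take("kw", "IN")
            self.take("op", "(")
            values = [self.take("lit")[1]]
            while self.peek() == ("op", ","):
                self.take()
                values.append(self.take("lit")[1])
            self.take("op", ")")
            return ("cmp", path, "NOT IN" if negate else "IN", values)
        return ("cmp", path, self.take("op")[1], self.take("lit")[1])


def evaluate(node, obs):
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], obs), evaluate(node[2], obs)
        return (left and right) if node[0] == "and" else (left or right)
    _, path, op, rhs = node
    if path not in obs:  # an absent property never satisfies a comparison
        return False
    lhs = obs[path]
    if op in ("IN", "NOT IN"):
        return (lhs in rhs) == (op == "IN")
    if op in ("=", "!="):
        return (lhs == rhs) == (op == "=")
    if not all(isinstance(v, (int, float)) for v in (lhs, rhs)):
        return False  # no ordering between a string placeholder and a number
    return {">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]


def matches(pattern, obs):
    p = Parser(tokenize(pattern))
    p.take("op", "[")
    node = p.or_expr()
    p.take("op", "]")
    if p.peek()[0] is not None:
        raise ValueError("trailing tokens after observation expression")
    return evaluate(node, obs)


# SIUU-10 without and with explicit grouping of the OR chain.
SIUU_10_UNGROUPED = "[process:image_ref.name = 'renice' OR process:image_ref.name = 'setpriority' AND process:x_execution_time != 'authorized_period']"
SIUU_10_GROUPED = "[(process:image_ref.name = 'renice' OR process:image_ref.name = 'setpriority') AND process:x_execution_time != 'authorized_period']"
# Constructed observation: renice run inside an authorized maintenance window.
AUTHORIZED_RENICE = {"process:image_ref.name": "renice", "process:x_execution_time": "authorized_period"}
```

Against `AUTHORIZED_RENICE` the ungrouped pattern fires (the `renice` clause alone satisfies the OR) while the grouped one does not, which is the behaviour the SIUU-10 description intends. The same evaluator accepts the numeric and boolean forms used elsewhere in the table once the string placeholders such as `'threshold'` are replaced with concrete values.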