| ID | Name | Description | Detection Pattern |
|---|---|---|---|
| UACE-10 | Logs of Processed Commands Flooding | Detection of an unusually high number of processed commands recorded in spacecraft logs, which may indicate a flooding attack using valid commands. Such a surge can overwhelm spacecraft processing capabilities, leading to resource exhaustion such as CPU spikes, memory depletion, and increased battery usage. Monitoring log entries can reveal whether the spacecraft is being flooded with valid but excessive commands, which could create denial of service conditions by saturating system processing resources. | `[x-opencti-log-entry:log_type = 'command' AND x-opencti-log-entry:entry_count > 'expected_threshold' AND x-opencti-log-entry:entry_rate > 'normal_rate']` |
| UACE-11 | Unauthorized Command Execution via Flight Software | Detection of unauthorized command execution through the flight software, potentially indicating exploitation of code flaws or vulnerabilities in the system. The command comes from an "unauthorized" source, which could be malware on the bus or elsewhere within the system. Malicious commanding of the FSW using valid commands is a different case. | `[x-opencti-command-log:command_origin != 'trusted_source' AND x-opencti-command-log:execution_status = 'unauthorized']` |
| CSNE-17 | Creation of FIFO for Data Exfiltration or Command Injection | Detection of the mkfifo command being executed. This suggests that a malicious process may be creating named pipes (FIFOs) to facilitate covert data exfiltration or to inject commands into other system processes unnoticed. On a spacecraft running Linux this call is rarely used, so any use is likely malicious. | `[process:image_ref.name = 'mkfifo' AND process:x_execution_time = 'unexpected_time']` |
| CSNE-30 | Unauthorized Device Acting as Bus Controller (1553) | Detection of an unauthorized device acting as the bus controller, potentially indicating privilege escalation by a threat actor aiming to control the spacecraft's communication bus. | `[x-opencti-bus-controller:role = 'bus_controller' AND x-opencti-bus-controller:device != 'authorized_bus_controller']` |
| MIRE-1 | Anomalous Flash Write Operations Detected in Short Timeframe | Detection of a high number of flash write operations in a short timeframe, indicating a coordinated effort to overwrite the spacecraft's flash memory entirely. This behavior is typical of wiper malware aiming to destroy all flash data. | `[x-opencti-memory:block = 'flash_memory' AND x-opencti-memory:write_operation_count > 'threshold' AND x-opencti-memory:write_duration < 'threshold']` |
| MIRE-2 | Anomalous Flash/EEPROM Memory Checksums Detected | Detection of a checksum mismatch for the flight software's flash/EEPROM memory partitions. This could indicate that both the primary and redundant partitions have been corrupted by the malicious action, leading to a permanent denial of service (DoS). | `[(x-opencti-memory:table_ref.name = 'flash_memory' OR x-opencti-memory:table_ref.name = 'eeprom_memory') AND x-opencti-memory:checksum != 'expected_checksum']` |
| MIRE-6 | Unexpected Modification of Memory Location Associated with Telemetry Data | Detection of an unexpected modification in the memory block associated with telemetry data. The system identifies abnormal write operations in memory locations that store telemetry information before it is transmitted, suggesting manipulation by malware. Adversaries may alter telemetry before downlink so that the ground is not made aware of malware on the spacecraft. | `[x-opencti-memory:block = 'telemetry_memory_block' AND x-opencti-memory:write_operation = 'unexpected' AND x-opencti-memory:modification_time != 'authorized_time']` |
| MIRE-13 | Unexpected Modification to Stored Commands Area | Detection of an unexpected modification to the stored commands table or area in memory. This could indicate an unauthorized update that modifies the table to perform a time-based attack, such as initiating a system shutdown or denial of service at a future time. | `[x-opencti-memory:table_ref.name = 'stored_command_area' AND x-opencti-memory:write_operation = 'unexpected_write' AND x-opencti-memory:timestamp != 'expected_update_time']` |
| MIRE-14 | Abnormal Memory Consumption by Malicious Process | Detection of excessive memory consumption by an unauthorized process, indicating a possible memory exhaustion attack aimed at degrading the spacecraft's performance. | `[process:x_memory_usage > 'threshold' AND process:image_ref.name != 'authorized_process']` |
| MIRE-17 | Unauthorized System Call to Open Flash Memory Blocks (/dev/mtd) | Detection of unauthorized system calls to access flash memory devices or partitions (/dev/mtd%). These system calls indicate that a malicious script or process is attempting to modify or read flash memory, potentially targeting critical system areas such as firmware or configuration data during an attack. | `[process:image_ref.name = 'open' AND file:path LIKE '/dev/mtd%' AND file:access_time != 'authorized_access_time']` |
| WTRE-5 | Unauthorized Access Attempt to Critical Registers | Tracks access attempts to critical registers to ensure that only authorized sources interact with them, reducing the risk of malicious tampering. It is recommended to maintain a list of critical registers for each operating system in use. | `[x-opencti-register:access_origin != 'trusted_source' AND x-opencti-register:region = 'critical_subsystem']` |
| WTRE-6 | Unexpected Register Reset Activity | Monitors register resets that deviate from normal operational patterns and could impact system functionality. | `[x-opencti-register:reset_status = 'unexpected']` |
| WTRE-7 | Anomalous Register Value Modification | Monitors critical subsystem registers for unauthorized value modifications that could disrupt spacecraft functionality or subsystem workflows. Detects register values deviating from expected baselines within critical subsystems, potentially indicating unauthorized tampering. | `[x-opencti-register:value != 'expected_value' AND x-opencti-register:region = 'critical_subsystem']` |
| SIUU-2 | Unexpected System Integrity Failures in Software | Detection of failed integrity checks during spacecraft software execution, potentially indicating that the software has been modified to include a backdoor or malicious code. | `[x-opencti-software:integrity_check = 'failed' AND x-opencti-software:name = 'spacecraft_software']` |
| SIUU-4 | Abnormal Software Update Activity Detected | Detection of unauthorized or abnormal software update attempts, particularly those affecting critical spacecraft subsystems or the FSW as a whole. This may indicate an attacker exploiting a code flaw to introduce malicious code or manipulate software functionality. | `[x-opencti-update-log:source != 'trusted_source' AND x-opencti-update-log:software_component = 'critical_subsystem']` |
| SIUU-5 | Unscheduled Software Updates Detected | Detection of unscheduled or unauthorized software updates, which could indicate a backdoor being injected into the software during an unexpected update process. | `[x-opencti-software-update:scheduled = 'false' AND x-opencti-software:name = 'spacecraft_software']` |
| SIUU-8 | Malicious Code via New Process | Code execution detected from an unexpected source or process, possibly indicating unauthorized or malicious code running on the spacecraft. | `[x-opencti-logs:event_type = 'code_execution' AND x-opencti-processor-usage:activity_type = 'unexpected' AND x-opencti-processor-usage:process_name NOT IN ('list_of_known_processes')]` |
| SIUU-9 | Unexpected Software Crash Detected in Flight Software | Detection of unexpected crashes in flight software, potentially caused by attempts to exploit software vulnerabilities or coding flaws that lead to system instability. Repeated or unexplained crashes may indicate ongoing exploitation attempts targeting the spacecraft's flight control systems. | `[x-opencti-software:status = 'crashed' AND x-opencti-software:component != 'expected_crash_behavior']` |
| SIUU-10 | Process Executing Priority Modification | Detection of processes (renice, setpriority) modifying the priority of other processes, possibly targeting flight software to lower its priority and degrade spacecraft performance, for example by dropping telemetry packets. On a spacecraft running Linux this call is rarely used, so any use is likely malicious. | `[(process:image_ref.name = 'renice' OR process:image_ref.name = 'setpriority') AND process:x_execution_time != 'authorized_period']` |
| SIUU-11 | Suspicious Binary or Script Execution | Detection of an unexpected binary or script being executed that does not match the expected name. This could indicate unauthorized code execution or the presence of a backdoor, where the threat actor is using an unfamiliar binary or script to manipulate the system. Spacecraft are deterministic, so controls such as process whitelisting are beneficial; detecting scripts or binaries executing on the system is one method of protecting against malicious action. | `[process:image_ref.name != 'expected_binary_or_script']` |
| SIUU-12 | Loading of Malicious Kernel Modules | Detection of the insertion of a potentially malicious kernel module via insmod or an INIT_MODULE syscall. This suggests an attempt to gain deeper control over the Linux system by extending kernel functionality, such as disabling telemetry tracking or obscuring rootkit activity. On a spacecraft running Linux this call is rarely used, so any use is likely malicious. | `[process:image_ref.name = 'insmod' OR syscall:name = 'INIT_MODULE']` |
| SIUU-13 | Repeated File Access to /null and Other Dummy Files | Detection of repeated access to /dev/null or other dummy files, possibly used in conjunction with a fork bomb to waste system resources and contribute to memory exhaustion. On a spacecraft running Linux such access is rare, so any occurrence is likely malicious. | `[(file:path = '/dev/null' OR file:path = '/null') AND file:access_time != 'expected_time']` |
| SIUU-14 | Abnormal System Calls Indicative of a Software Backdoor/Malicious Code | Detection of abnormal system calls originating from processes or binaries that are unexpected or not typically associated with certain system operations. This could indicate malicious activity such as the execution of a backdoor or malicious code, where the software is making system calls outside of its normal behavior. | `[process:image_ref.name = 'unexpected_process' AND process:system_call = 'unexpected_system_call']` |
| SIUU-15 | Repeated File Access to /zero or /null Devices | Detection of repeated access to /dev/null or /dev/zero, indicating a potential attempt to consume resources or overwhelm the system by performing unnecessary read/write operations. | `[(file:path = '/dev/null' OR file:path = '/dev/zero') AND file:access_time != 'expected_time']` |
| SIUU-16 | Execution of System Commands | Detection of commands such as dd, grep, ps, awk, and chmod being executed, potentially indicating that the attacker is obfuscating their activity by manipulating process lists or file permissions to hide a rootkit or telemetry tampering. These utilities are rarely used on a spacecraft running Linux, so any use is likely malicious. Many of them would be executed with root privileges, potentially indicating that the attacker is attempting destructive or obfuscation tasks with full system access. | `[process:image_ref.name IN ('grep', 'ps', 'awk', 'chmod', 'dd', 'cat', 'sh') AND process:x_execution_time != 'authorized_time']` |
| SIUU-17 | Detection of Anomalous API Calls in Flight Software | Many FSW implementations have built-in APIs, and malicious software that gets onboard the vehicle could misuse them. Detection of anomalous API calls made through the flight software's API interface, indicating possible exploitation of a vulnerability or misconfiguration. | `[x-opencti-api-log:api_call != 'expected_behavior']` |
| SIUU-20 | Suspicious Access to Vulnerable Software Process | Detection of unauthorized access to or invocation of a vulnerable software process by an unexpected parent process, potentially indicating an attempt to exploit a software vulnerability. This pattern is useful for detecting suspicious activity across any subsystem where software vulnerabilities may exist. | `[process:binary_ref.type = 'software' AND process:parent_ref.name NOT IN ('authorized_parents') AND process:binary_ref.version = 'known_vulnerable_version']` |
| SIUU-21 | Detection of Anomalous Process Behavior Due to Code Exploitation | Detection of unexpected or anomalous behavior in onboard software processes, which may indicate an attempt to exploit a software flaw. This can involve the execution of unusual commands, system calls, memory manipulation, or deviations from normal process behavior. An alternative formulation is `[process:name != 'expected_process_name' AND process:binary_ref.name != 'trusted_component']`, but the current pattern focuses on process behavior. | `[x-opencti-process:behavior != 'expected_behavior' AND x-opencti-process:software_component != 'trusted_component']` |
| SIUU-22 | Abnormal Subsystem Behavior Following Malicious Code Execution | Detection of abnormal or unexpected behavior in critical spacecraft subsystems (e.g., attitude control, power management) after malicious code execution. This pattern indicates a direct impact on spacecraft subsystems following the activation of the malicious code. | `[x-opencti-subsystem-log:status != 'expected' AND process:image_ref.name = 'malicious_process']` |
| SIUU-25 | Unauthorized Function Hooking in Telemetry Process | Detection of unauthorized function hooking in the telemetry process, specifically targeting the packet_write_function. Such a hook allows the malware to modify telemetry data before it is transmitted to ground systems, concealing malicious activity onboard the spacecraft. | `[process:image_ref.name = 'telemetry_process' AND process:hooked_function = 'packet_write_function']` |
| SMSR-1 | Sensor Data Exceeds Operational Ranges | Tracks sensor readings that exceed acceptable operational limits, potentially disrupting spacecraft functionality. Detects sensor data values falling outside predefined operational ranges, potentially indicating spoofing. | `[x-opencti-sensor-data:value < 'expected_min' OR x-opencti-sensor-data:value > 'expected_max']` |
| SMSR-2 | High CPU Utilization Due to Anomalous/Malicious Activity | Detection of high CPU utilization on spacecraft systems, potentially caused by anomalous or unexpected activity. This indicator identifies when CPU load exceeds normal operational thresholds, especially due to the execution of processes that are not recognized as part of normal spacecraft operations. Such activity could indicate a cyber attack, such as a resource exhaustion attack, in which unauthorized processes or malware attempt to degrade system performance, leading to potential mission impacts or denial of service conditions. | `[x-opencti-processor-usage:cpu_load > 'threshold' AND x-opencti-processor-usage:activity_type = 'unexpected' AND x-opencti-processor-usage:process_name NOT IN ('list_of_known_processes')]` |
| SMSR-3 | Unauthorized State Changes in Critical Sensors | Detection of an unexpected sensor state change in critical spacecraft sensors (e.g., Sun Sensor, GPS Sensor). The sensor states are modified outside authorized operational windows, suggesting a malicious attack affecting the sensor's behavior. | `[x-opencti-sensor:state = 'off' AND x-opencti-sensor:state_change_time != 'authorized_time']` |
| SMSR-6 | Unauthorized Fault Management Configuration Change Detected Outside Expected Time | Monitors for fault management configuration modifications occurring at unauthorized times, which may indicate an attempt to disable critical protections during vulnerable operational states. | `[x-opencti-fault-management:configuration != 'baseline_configuration' AND x-opencti-fault-management:modification_time != 'authorized_time_window']` |
| SMSR-10 | Ransomware Holding CPU Cycles Hostage | This pattern assumes the name of the ransomware process (ransomware_process) is known; if it is not, remove that clause from the pattern. Detection of a ransomware process that monopolizes CPU cycles by consuming a high percentage of CPU resources. The process resists termination attempts, effectively holding system resources hostage and degrading spacecraft performance. This could indicate a ransomware variant that demands a ransom in exchange for restoring normal system operations by releasing CPU resources. | `[process:x_cpu_usage > 'high_threshold' AND process:image_ref.name = 'ransomware_process' AND process:x_status = 'running' AND process:x_memory_usage > 'threshold' AND process:x_termination_attempt = 'failed']` |
| SMSR-11 | High CPU Usage Detected for Unauthorized Process | Detection of an unauthorized process consuming an unusually high amount of CPU resources, which may be part of a malicious attempt to degrade system performance and affect telemetry operations. | `[process:x_cpu_usage > 'threshold' AND process:image_ref.name != 'authorized_process']` |
| SMSR-14 | Multiple Failed System Reinitializations Due to Exploit | Detection of repeated system reinitializations caused by continuous exploitation of segmentation faults in software, leading to a denial of service condition. | `[x-opencti-system:status = 'reinitialization' AND x-opencti-system:failure_count > 'threshold']` |
| SMSR-16 | Unexpected Fault Management Process Termination | Monitors the fault management service for unexpected termination, which could indicate a targeted attempt to disable protections. | `[process:name = 'fault_management_service' AND process:status != 'running']` |
| SMSR-17 | Telemetry Packet Drops Due to CPU or Memory Overload | Detection of a high rate of dropped telemetry packets coinciding with CPU or memory exhaustion, indicating that a malicious process is consuming system resources and preventing critical flight software operations. | `[x-opencti-telemetry:packet_drop_rate > 'threshold' AND x-opencti-system:cpu_usage > 'threshold']` |
| SMSR-18 | Abnormal Process Forking Leading to Resource Exhaustion | Detection of a rapid increase in the number of processes being forked by an unauthorized process, leading to excessive CPU and memory usage. This behavior is characteristic of a fork bomb, which is designed to exhaust system resources and cause a system crash or freeze. | `[process:image_ref.name != 'authorized_process' AND process:x_fork_count > 'threshold' AND process:x_cpu_usage > 'threshold' AND process:x_memory_usage > 'threshold']` |
| SMSR-19 | System Freeze or Crash Detected After High Resource Consumption (CPU, Memory, Storage) | Detection of the system becoming unresponsive due to excessive consumption of memory, CPU, and storage resources. This is likely caused by a malicious process (e.g., a fork bomb or other attack) that exhausts system resources, leading to system failure or a crash. | `[x-opencti-system:status = 'unresponsive' AND x-opencti-system:memory_usage > 'threshold' AND x-opencti-system:cpu_usage > 'threshold' AND x-opencti-file-system:available_space < 'threshold']` |
| DISE-1 | File or Data Integrity Check Failure | Monitors the cryptographic integrity of data (files, payload data, configuration files, logs, etc.) to ensure it remains unmodified during storage or transmission. It is important during engineering to determine the critical data items that need integrity protection. Some examples are discussed under evasion technique DE-0003: https://sparta.aerospace.org/technique/DE-0003/ | `[file:hashes != 'expected_hash_value' AND file:name = 'data_file']` |
| DISE-3 | Multiple Failed Attempts to Access Encrypted Data | Multiple failed attempts to access files or data stored on the spacecraft, indicating that critical data has potentially been rendered inaccessible by ransomware activity. This pattern focuses on detecting repeated access failures. The data could be corrupted by purely environmental causes, but the same symptom could also indicate malicious activity. | `[file:status = 'unreadable' AND file:access_attempts > 'threshold']` |
| DISE-4 | Storage Exhaustion (Disk Full) | Attackers may attempt to fill up storage devices in order to impact the spacecraft. Storage is sometimes a limited commodity, and simply filling a disk can prevent telemetry, payload data, etc. from being collected. | `[x-opencti-file-system:available_space < 'threshold']` |
| DISE-5 | Unusual File Encryption Activity Detected | Detection of files being encrypted with an unknown or unexpected encryption algorithm, potentially indicating ransomware activity on spacecraft systems. This can involve newly created or modified files with unusual extensions such as .encrypted or .locked. If the ransomware is known to use such extensions, add `AND file:extension IN ('.encrypted', '.locked')` to the pattern, giving `[file:x_encryption_algorithm != 'none' AND file:extension IN ('.encrypted', '.locked') AND file:modified_time = 'recent']`. | `[file:x_encryption_algorithm != 'none' AND file:modified_time = 'recent']` |
| DISE-6 | Suspicious Activity Leading to Storage Exhaustion | Detection of activity that may be part of a malicious attempt to fill the storage device on the spacecraft. Without storage, the flight software cannot write telemetry data or payload data, leading to a potential denial-of-service (DoS) condition. | `[x-opencti-file-system:available_space < 'threshold' AND process:x_execution_time != 'authorized_time']` |
| DISE-14 | Unexpected Audit Log Rotation | Monitors for unauthorized or unexpected log rotation events that could lead to data loss or concealment of malicious activity. | `[x-opencti-audit-log:rotation_event = 'triggered' AND x-opencti-audit-log:timestamp != 'expected_time']` |
| DISE-15 | High Volume of Audit Log Entries Detected | Monitors for excessive audit log activity, which could indicate log flooding or attempts to force log overflow to conceal malicious activity. | `[x-opencti-audit-log:event_count > 'threshold' AND x-opencti-audit-log:timestamp = 'recent_period']` |
| DISE-16 | Audit Log Capacity Limit Reached | Monitors for instances where the flight software's, or the overall system's, audit log has reached its maximum capacity, potentially preventing the logging of further events and concealing ongoing malicious activity. | `[x-opencti-audit-log:capacity_used >= 'max_capacity']` |
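UACE-10 (command flooding), MIRE-1 (flash write bursts) and DISE-15 (audit log flooding) all share one shape: a count over a time window compared with an expected count, and a rate compared with a normal rate. The following Python is an added example written for this page; it is not part of the table, SPARTA or OpenCTI. It implements that shape as a sliding-window scan over constructed log entries, reporting the busiest window and a per-source breakdown so an analyst can see which uplink or process produced the surge. The `LogEntry` shape, window sizes, thresholds, station and process names are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """One spacecraft log record (constructed shape, not an OpenCTI object)."""
    ts: float      # seconds since an arbitrary epoch
    kind: str      # 'command', 'flash_write', 'audit', ...
    source: str    # originating station, process or pid


def busiest_window(timestamps, window_seconds):
    """Two-pointer sweep over sorted timestamps. Returns (count, end_ts) for the
    trailing window (end_ts - window_seconds, end_ts] that holds the most events,
    so a burst in the middle of a log is found, not only one at the tail."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    ts = sorted(timestamps)
    best_count, best_end, left = 0, None, 0
    for right, end in enumerate(ts):
        while ts[left] <= end - window_seconds:
            left += 1
        if right - left + 1 > best_count:
            best_count, best_end = right - left + 1, end
    return best_count, best_end


def detect_flood(entries, kind, window_seconds, expected_count, normal_rate):
    """Evaluate the 'entry_count > expected_threshold AND entry_rate > normal_rate'
    shape of UACE-10 / MIRE-1 / DISE-15 on one log kind. The per-source breakdown
    of the offending window is returned for triage."""
    relevant = [e for e in entries if e.kind == kind]
    count, end = busiest_window([e.ts for e in relevant], window_seconds)
    rate = count / window_seconds
    in_window = [] if end is None else [
        e for e in relevant if end - window_seconds < e.ts <= end]
    return {
        "kind": kind,
        "entry_count": count,
        "entry_rate": round(rate, 3),          # events per second in the busiest window
        "window_end": end,
        "by_source": dict(Counter(e.source for e in in_window)),
        "alert": count > expected_count and rate > normal_rate,
    }


# Constructed sample logs: one command a minute from the ground, then 200 commands
# in 20 s from an unexpected uplink; five spaced flash writes, then 50 in 2 s.
NOMINAL_COMMANDS = [LogEntry(60.0 * i, "command", "ground_station_A") for i in range(10)]
FLOOD_COMMANDS = [LogEntry(600.0 + 0.1 * i, "command", "unknown_uplink") for i in range(200)]
NOMINAL_FLASH = [LogEntry(100.0 * i, "flash_write", "fsw_cfg_writer") for i in range(5)]
BURST_FLASH = [LogEntry(700.0 + 0.04 * i, "flash_write", "pid_4242") for i in range(50)]

# Thresholds are constructed for the example; real values come from mission baselines.
COMMAND_WINDOW_S, COMMAND_EXPECTED, COMMAND_NORMAL_RATE = 60.0, 5, 0.1
FLASH_WINDOW_S, FLASH_EXPECTED, FLASH_NORMAL_RATE = 10.0, 3, 0.1


def run_checks(entries):
    """Run the two rules this example covers over a mixed log slice."""
    return {
        "UACE-10": detect_flood(entries, "command", COMMAND_WINDOW_S,
                                COMMAND_EXPECTED, COMMAND_NORMAL_RATE),
        "MIRE-1": detect_flood(entries, "flash_write", FLASH_WINDOW_S,
                               FLASH_EXPECTED, FLASH_NORMAL_RATE),
    }


if __name__ == "__main__":
    full_log = NOMINAL_COMMANDS + FLOOD_COMMANDS + NOMINAL_FLASH + BURST_FLASH
    for rule_id, result in run_checks(full_log).items():
        print(rule_id, result)
```

The scan is linear in the number of entries because the left pointer only ever moves forward; on a flight computer with a fixed log ring buffer the same loop can run over each new slice without re-reading history.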
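MIRE-2 distinguishes a recoverable mismatch (one partition bad, the redundant copy still good) from the permanent-DoS case where primary and redundant are both corrupted, and DISE-1 is the same comparison applied to individual data items. The Python below is an added example for this page, not code from SPARTA or OpenCTI: it verifies each copy of each memory region against a recorded digest and classifies the region. SHA-256 stands in for the table's generic "checksum" (an assumption; a flight implementation might use a CRC or a keyed MAC), and the images, regions, corruption offsets and copy names are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Digest used here in place of the table's generic 'checksum' (assumption: SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def verify_redundant_partitions(onboard, expected):
    """onboard:  {region: {copy_name: bytes}}      e.g. {'flash': {'primary': b'..', 'redundant': b'..'}}
    expected: {region: {copy_name: hex digest}}  recorded at build/upload time
    Per-region status:
      'ok'                 every copy matches its recorded digest
      'degraded'           some copy mismatches but a good copy remains, so failover is possible
      'permanent_dos_risk' every copy mismatches: the MIRE-2 case, primary and redundant both bad
    """
    report = {}
    for region, copies in onboard.items():
        mismatched = sorted(name for name, blob in copies.items()
                            if sha256_hex(blob) != expected[region][name])
        if not mismatched:
            status = "ok"
        elif len(mismatched) < len(copies):
            status = "degraded"
        else:
            status = "permanent_dos_risk"
        report[region] = {"status": status, "mismatched": mismatched}
    return report


def corrupt(blob: bytes, offset: int) -> bytes:
    """Flip every bit of one byte to simulate a wiper or a bad write (constructed fault)."""
    buf = bytearray(blob)
    buf[offset] ^= 0xFF
    return bytes(buf)


# Constructed 'known good' images and the digests a ground system would have recorded.
KNOWN_GOOD = {
    "flash": b"FSW-IMAGE-v1.2\x00" * 256,
    "eeprom": b"BOOT-PARAMS\x00" * 64,
    "config": b"ACS_GAIN_P=0.8;ACS_GAIN_D=0.1\n",
}
EXPECTED_DIGESTS = {region: {"primary": sha256_hex(blob), "redundant": sha256_hex(blob)}
                    for region, blob in KNOWN_GOOD.items()}

# Constructed onboard state: flash primary hit; EEPROM primary and redundant both hit.
ONBOARD_IMAGES = {
    "flash": {"primary": corrupt(KNOWN_GOOD["flash"], 17), "redundant": KNOWN_GOOD["flash"]},
    "eeprom": {"primary": corrupt(KNOWN_GOOD["eeprom"], 3),
               "redundant": corrupt(KNOWN_GOOD["eeprom"], 40)},
    "config": {"primary": KNOWN_GOOD["config"], "redundant": KNOWN_GOOD["config"]},
}


def check_onboard():
    """Run the verification over the constructed onboard images."""
    return verify_redundant_partitions(ONBOARD_IMAGES, EXPECTED_DIGESTS)


if __name__ == "__main__":
    for region, result in check_onboard().items():
        print(f"{region}: {result['status']} "
              f"(mismatched copies: {', '.join(result['mismatched']) or 'none'})")
```

The expected digests must come from outside the unit being checked (recorded on the ground at upload time, or held in write-protected storage); a digest table that lives in the same writable flash as the image it protects gives no assurance against a wiper that rewrites both.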
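The process rules (SIUU-11 allowlisting, SIUU-16, SIUU-10, SIUU-12 and CSNE-17 on rarely used utilities, SMSR-11 on CPU use by an unauthorized process) are easiest to understand evaluated together over a set of process records. The Python below is an added example for this page, not SPARTA or OpenCTI code. The allowlist, the mapping from utility to rule id, the CPU threshold, the `ProcessEvent` shape and the sample events are all constructed. The two small functions at the end illustrate a point that applies to any pattern mixing OR and AND, such as SIUU-15: STIX patterning, like Python, binds AND tighter than OR, so the OR branches must be parenthesised or the first branch fires on its own regardless of the time clause.

```python
from dataclasses import dataclass

# Constructed process allowlist for a hypothetical Linux flight computer (SIUU-11's
# 'expected_binary_or_script'); a real list is derived from the flight software build.
ALLOWED_PROCESSES = {"init", "watchdogd", "cfs_core", "telemetry_process",
                     "fault_management_service"}

# Utilities the table describes as rarely used on a spacecraft, mapped to the id covering each.
RARE_UTILITIES = {
    "mkfifo": "CSNE-17",
    "insmod": "SIUU-12",
    "renice": "SIUU-10", "setpriority": "SIUU-10",
    "dd": "SIUU-16", "grep": "SIUU-16", "ps": "SIUU-16", "awk": "SIUU-16",
    "chmod": "SIUU-16", "cat": "SIUU-16", "sh": "SIUU-16",
}
CPU_THRESHOLD_PCT = 80.0   # constructed SMSR-11 threshold


@dataclass(frozen=True)
class ProcessEvent:
    """One process record (constructed shape standing in for the STIX process object)."""
    name: str
    parent: str
    uid: int
    cpu_pct: float
    in_authorized_window: bool   # did execution fall inside an authorized maintenance period?


def evaluate_process(ev):
    """Return the ids of the table's process rules that the event satisfies."""
    hits = []
    if ev.name not in ALLOWED_PROCESSES:           # SIUU-11: image name not in expected set
        hits.append("SIUU-11")
        if ev.cpu_pct > CPU_THRESHOLD_PCT:         # SMSR-11: unauthorized process and high CPU
            hits.append("SMSR-11")
    rule = RARE_UTILITIES.get(ev.name)
    if rule and not ev.in_authorized_window:       # x_execution_time != 'authorized_time'
        hits.append(rule)
    return hits


def evaluate_all(events):
    """Only events that trip at least one rule are returned; root use is noted for triage."""
    return [{"name": ev.name, "parent": ev.parent, "root": ev.uid == 0, "hits": hits}
            for ev in events if (hits := evaluate_process(ev))]


# Operator precedence as in STIX patterning: AND binds tighter than OR, so a pattern
# written as  A OR B AND C  means  A OR (B AND C)  and branch A fires on its own.
def dummy_file_access_as_written(path, at_expected_time):
    return path == "/dev/null" or (path == "/dev/zero" and not at_expected_time)


def dummy_file_access_parenthesized(path, at_expected_time):
    # (A OR B) AND C: the time clause gates both device paths.
    return (path == "/dev/null" or path == "/dev/zero") and not at_expected_time


SAMPLE_EVENTS = [   # constructed
    ProcessEvent("telemetry_process", "init", 1000, 12.0, True),
    ProcessEvent("mkfifo", "sh", 0, 0.1, False),
    ProcessEvent("miner", "cfs_core", 0, 97.0, False),
    ProcessEvent("dd", "sh", 0, 5.0, True),
]

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_EVENTS):
        print(finding)
    print("as written:", dummy_file_access_as_written("/dev/null", True),
          "parenthesized:", dummy_file_access_parenthesized("/dev/null", True))
```

Note that `dd` inside an authorized window still trips SIUU-11, because that pattern has no time clause; if maintenance utilities are expected during scheduled windows, the allowlist for those windows needs to include them or the rule will fire on every maintenance pass.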