UACE-3 | Legitimate Command with Malicious Parameters Targeting Subsystems
A legitimate command is sent, but with parameters that exceed safe thresholds for a subsystem or component on the spacecraft. This could include commands that affect critical subsystems like power distribution, attitude control, or thermal regulation, potentially leading to damage, instability, or malfunction. The misuse of valid parameters across different subsystems can result in severe operational impact or hardware degradation.
[x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:target_subsystem != 'expected_subsystem' AND x-opencti-command-log:parameter_value > 'safe_threshold']

UACE-23 | Unusual Commands from Subsystem Acting as Bus Controller (1553)
Detection of unusual commands issued by a subsystem acting as a bus controller, indicating that a threat actor may have escalated privileges or gained access to the bus within the flat bus architecture in order to issue commands from unauthorized subsystems.
[x-opencti-bus-master:role = 'subsystem' AND x-opencti-bus-master:commands != 'expected_commands']

CSNE-14 | Unusual Data Transmission Between SpaceWire Routing Switches
Detection of unusual data transmissions from a SpaceWire routing switch to critical subsystems, potentially indicating the exploitation of a flat architecture to inject crafted data into sensitive areas of the spacecraft.
[x-opencti-bus-traffic:src_ref.role = 'routing_switch' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem']

CSNE-15 | Unexpected Communication Between Subsystems
Detection of unexpected communication between spacecraft subsystems that should not normally interact directly on the same bus, potentially indicating lateral movement by a threat actor across a flat architecture. For example, a subsystem could attempt to modify the watchdog timer or other onboard values.
[x-opencti-bus-traffic:src_ref.subsystem != 'expected_subsystem' AND x-opencti-bus-traffic:dst_ref.subsystem != 'authorized_subsystem']

CSNE-19 | Unexpected High-Priority Messages on the CAN Bus
Detection of unexpected high-priority CAN messages (lower message IDs) originating from unauthorized subsystems. This may indicate that a threat actor is injecting high-priority messages to dominate the CAN bus and manipulate subsystem communications.
[x-opencti-bus-traffic:can_message_id < 'expected_lowest_priority' AND x-opencti-bus-traffic:src_ref.subsystem != 'authorized_subsystem']

CSNE-31 | Specially Crafted CAN Messages Sent to Critical Subsystems
Detection of specially crafted CAN messages targeting critical subsystems with unexpected message IDs or payloads, suggesting an attacker is trying to inject malicious commands to compromise key systems.
[x-opencti-bus-traffic:can_message_id = 'unexpected_value' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem']

CSNE-32 | Repeated CAN Message Spoofing Detected Between Subsystems
Detection of CAN messages with legitimate message IDs but originating from unauthorized subsystems, indicating that an attacker is spoofing CAN messages to imitate legitimate subsystems and move laterally across the spacecraft.
[x-opencti-bus-traffic:can_message_id = 'legitimate_id' AND x-opencti-bus-traffic:src_ref.subsystem != 'authorized_subsystem']

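The three CAN bus indicators above (CSNE-19, CSNE-31, CSNE-32) each compare a frame against a baseline that the patterns leave as placeholders ('authorized_subsystem', 'expected_lowest_priority'). The following is an added example, not part of this catalogue, showing how a monitor would evaluate all three over a traffic log once those baselines are filled in. The ID ownership table, the priority boundary, the set of high-priority transmitters and the sample frames are all constructed assumptions.

```python
"""Added example (not part of the catalogue): evaluating the CSNE-19, CSNE-31
and CSNE-32 patterns over a constructed CAN bus traffic log.

The baseline tables (which subsystem owns which CAN ID, which subsystems may
transmit high-priority frames) are constructed assumptions standing in for the
'authorized_subsystem' / 'expected_lowest_priority' placeholders in the patterns.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int    # 11-bit CAN identifier; a lower value wins arbitration (higher priority)
    src: str       # subsystem the frame is attributed to (x-opencti-bus-traffic:src_ref.subsystem)
    dst_role: str  # role of the destination (x-opencti-bus-traffic:dst_ref.role)


# Constructed baseline: CAN ID -> the only subsystem authorized to transmit it.
LEGITIMATE_IDS = {
    0x010: "adcs",     # attitude control
    0x020: "eps",      # power distribution
    0x100: "payload",  # science data
}
# Constructed: IDs below this value are high priority ('expected_lowest_priority').
EXPECTED_LOWEST_PRIORITY = 0x050
# Constructed: subsystems permitted to transmit high-priority frames.
HIGH_PRIORITY_AUTHORIZED = {"adcs", "eps", "obc"}


def evaluate(frames):
    """Return (rule_id, frame) for every pattern each frame matches."""
    hits = []
    for f in frames:
        # CSNE-19: high-priority ID from a subsystem not authorized to use one
        if f.can_id < EXPECTED_LOWEST_PRIORITY and f.src not in HIGH_PRIORITY_AUTHORIZED:
            hits.append(("CSNE-19", f))
        # CSNE-31: unexpected ID aimed at a critical subsystem
        if f.can_id not in LEGITIMATE_IDS and f.dst_role == "critical_subsystem":
            hits.append(("CSNE-31", f))
        # CSNE-32: legitimate ID transmitted by a subsystem that does not own it (spoofing)
        if f.can_id in LEGITIMATE_IDS and LEGITIMATE_IDS[f.can_id] != f.src:
            hits.append(("CSNE-32", f))
    return hits


def summarize(frames):
    """Group matches as rule_id -> list of offending CAN IDs, in log order."""
    summary = {}
    for rule, f in evaluate(frames):
        summary.setdefault(rule, []).append(f.can_id)
    return summary


# Constructed sample log: two nominal frames and two anomalous ones.
SAMPLE_FRAMES = [
    CanFrame(0x010, "adcs", "critical_subsystem"),     # nominal
    CanFrame(0x005, "payload", "critical_subsystem"),  # CSNE-19 and CSNE-31
    CanFrame(0x010, "payload", "critical_subsystem"),  # CSNE-19 and CSNE-32 (spoofed ADCS ID)
    CanFrame(0x100, "payload", "ground_link"),         # nominal
]

if __name__ == "__main__":
    for rule, frame in evaluate(SAMPLE_FRAMES):
        print(f"{rule}: id=0x{frame.can_id:03X} src={frame.src} dst_role={frame.dst_role}")
```

A CAN frame carries no source address, so the src_ref attribution these three patterns rely on has to come from the logging point (a per-node gateway, or transceiver-level fingerprinting); the detections are only as trustworthy as that attribution.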
CSNE-33 | Unusual Communication Between Payload and Critical Subsystems
Detection of unusual communication between a payload and critical subsystems, indicating that the flat bus architecture may be exploited to allow a payload to interact with sensitive parts of the spacecraft.
[x-opencti-bus-traffic:src_ref.role = 'payload' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem']

CSNE-34 | Unusual Data Transmission from Remote Terminal to Subsystem (1553)
Detection of unusual data transmission from a remote terminal to a critical subsystem using unexpected protocols, indicating that the flat bus architecture is being leveraged to send malicious data across the spacecraft.
[x-opencti-bus-traffic:src_ref.role = 'remote_terminal' AND x-opencti-bus-traffic:dst_ref.role = 'critical_subsystem' AND x-opencti-bus-traffic:protocols[*] != 'expected_protocol']

ARFS-3 | Invalid RF Command Lock
A signal is classified as 'valid' only when all of the following conditions are met: the transponder operates at the correct frequency and power level, all signal characteristics align with expected parameters, command lock is achieved, and the signal originates from an authorized and expected location. For example, a signal source detected in the ocean between authorized ground stations fails this check and is classified as 'invalid'.
[x-opencti-signal_char:value = 'invalid']

GNTM-1 | Unexpected GNSS Signal Delay
Monitors GNSS signal delays for signs of interference disrupting timing data.
[x-opencti-gnss-log:signal_delay > 'acceptable_latency']

GNTM-5 | Time Discrepancy Detected in GPS/External Signal Input
Detection of a time discrepancy in GPS or other external time signal inputs, indicating a potential time spoofing attack aimed at altering the spacecraft's internal time through false signals. This is similar to the Unexpected Time Delta Detected IoC, but is specific to external timing input.
[x-opencti-sensor-data:sensor_type = 'gps_time' AND x-opencti-sensor-data:timestamp != 'expected_timestamp' AND x-opencti-time:delta_value != 'expected_delta_value']

GNTM-9 | Anomalous GNSS Timing Behavior (Time Rewind Detected)
Detects GNSS receiver time moving backward between samples, which may indicate tampering, spoofing, or replayed signals. The current GNSS timestamp is compared to the previously stored timestamp, and a rollback is flagged when delta_time is negative. This requires local time-series storage, and delta_time must be computed externally or on-board before being logged as a field.
[x-opencti-gnss:delta_time < 0]

GNTM-10 | Anomalous Sensor Data (Time Rewind Detected)
Detects rollback in GNSS time sensor readings compared to an external or independently maintained timestamp: the GNSS-reported time is older than previously recorded values, suggesting potential spoofing, recovery from interference, or malicious time manipulation. A GNSS time rewind event is flagged based on the observed time discontinuity. Requires logic outside STIX to compute and set rewind_detected.
[x-opencti-sensor-data:sensor_type = 'gps_time' AND x-opencti-sensor-data:rewind_detected = true]

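Both GNTM-9 and GNTM-10 state that their pattern fields (delta_time and rewind_detected) must be computed outside STIX before the patterns can match. The block below is an added example, not part of this catalogue, of that enrichment step over a stored time series, followed by evaluation of the two patterns. The sample values are constructed; using an independent onboard clock to predict where the GNSS time should now be, and flagging rewind_detected when the GNSS time falls behind that prediction, is this example's interpretation of "compared to an external or independently maintained timestamp", not a method the catalogue prescribes.

```python
"""Added example (not part of the catalogue): the enrichment step GNTM-9 and
GNTM-10 say must happen outside STIX, computing delta_time and rewind_detected
from a stored time series, followed by evaluation of the two patterns.

Sample values are constructed. Using the onboard clock to predict where the
GNSS time should be (for rewind_detected) is this example's interpretation of
'compared to an external or independently maintained timestamp'.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class GnssSample:
    sample_id: int
    gnss_time: float                    # receiver-reported time, seconds
    obc_time: float                     # independent onboard clock at capture, seconds
    sensor_type: str = "gps_time"
    delta_time: Optional[float] = None  # x-opencti-gnss:delta_time, set by enrich()
    rewind_detected: bool = False       # x-opencti-sensor-data:rewind_detected, set by enrich()


class GnssTimeState:
    """Local time-series storage: the last GNSS time accepted as trustworthy."""

    def __init__(self):
        self.last_gnss_time: Optional[float] = None
        self.last_obc_time: Optional[float] = None


def enrich(samples, tolerance=0.1, state=None):
    """Populate delta_time and rewind_detected on each sample, in order."""
    state = state or GnssTimeState()
    for s in samples:
        if state.last_gnss_time is None:
            # First sample: nothing to compare against, accept it as the baseline.
            state.last_gnss_time, state.last_obc_time = s.gnss_time, s.obc_time
            continue
        # GNTM-9 field: change in GNSS time relative to the stored reference.
        s.delta_time = s.gnss_time - state.last_gnss_time
        # GNTM-10 field: where the independent clock says GNSS time should now be.
        predicted = state.last_gnss_time + (s.obc_time - state.last_obc_time)
        s.rewind_detected = s.gnss_time < predicted - tolerance
        if not s.rewind_detected:
            # Only a plausible sample becomes the new reference; a replayed old
            # timestamp must not silently turn into the baseline.
            state.last_gnss_time, state.last_obc_time = s.gnss_time, s.obc_time
    return samples


def match_gntm9(samples):
    """[x-opencti-gnss:delta_time < 0]"""
    return [s.sample_id for s in samples if s.delta_time is not None and s.delta_time < 0]


def match_gntm10(samples):
    """[x-opencti-sensor-data:sensor_type = 'gps_time' AND x-opencti-sensor-data:rewind_detected = true]"""
    return [s.sample_id for s in samples if s.sensor_type == "gps_time" and s.rewind_detected]


# Constructed series: nominal 1 Hz, a 3.5 s rewind held for two samples, recovery,
# then a GNSS clock that stalls while the onboard clock keeps running.
SAMPLE_SERIES = [
    GnssSample(1, 1000.0, 500.0),
    GnssSample(2, 1001.0, 501.0),
    GnssSample(3, 1002.0, 502.0),
    GnssSample(4, 998.5, 503.0),   # rewind: GNTM-9 and GNTM-10
    GnssSample(5, 999.5, 504.0),   # still behind the reference: GNTM-9 and GNTM-10
    GnssSample(6, 1006.0, 506.0),  # consistent with the onboard clock again
    GnssSample(7, 1006.0, 508.0),  # stalled: delta_time is 0, only GNTM-10 fires
]

if __name__ == "__main__":
    enriched = enrich(SAMPLE_SERIES)
    print("GNTM-9 :", match_gntm9(enriched))   # [4, 5]
    print("GNTM-10:", match_gntm10(enriched))  # [4, 5, 7]
```

The last sample shows why the two indicators are kept separate: a GNSS clock that stops advancing produces delta_time of 0 and never trips GNTM-9, but falls behind the independent clock and trips GNTM-10. Holding the reference on a rewound sample is a deliberate choice; if the reference advanced on every sample, the second replayed timestamp would look like normal forward progress.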
GNTM-11 | Unexpected Position Delta Detected via Anomalous GNSS Position Data
Indicates movement inconsistent with the spacecraft's orbital dynamics: the observed position delta exceeds the change expected from orbital calculations. This may indicate GNSS spoofing or receiver error. The delta must be computed and stored before the pattern can be evaluated.
[x-opencti-gnss:delta_position > 'expected_delta_value']

GNTM-12 | ICD Field Non-Compliance Detected
GNSS message fields exceed the specification limits defined in the ICD (e.g., IS-GPS-200). This can signal spoofing, malicious interference, malformed packet injection, or a hardware anomaly. Requires upstream logic or telemetry processing to evaluate field ranges against the ICD limits (e.g., those in IS-GPS-200).
[x-opencti-gnss:icd_field_value < 'MIN_LIMIT'] OR [x-opencti-gnss:icd_field_value > 'MAX_LIMIT']

MIRE-3 | Unusual Access Frequency to Critical Memory Regions
Monitors for excessive access to critical memory regions, which may indicate malicious activity. On a spacecraft, consistent and unexpected access (read or write) to critical memory regions could indicate activity by malware.
[x-opencti-memory:access_frequency > 'expected_rate' AND x-opencti-memory:memory_region != 'expected']

MIRE-6 | Unexpected Modification of Memory Location Associated with Telemetry Data
Detection of an unexpected modification in the memory block associated with telemetry data. The system identifies abnormal write operations in memory locations that store telemetry information before it is transmitted, suggesting manipulation by malware. Adversaries may change telemetry before downlink in order to prevent the ground from being aware of malware being on the spacecraft.
[x-opencti-memory:block = 'telemetry_memory_block' AND x-opencti-memory:write_operation = 'unexpected' AND x-opencti-memory:modification_time != 'authorized_time']

MIRE-7 | Unexpected Memory Value Write or Modification
Detection of unexpected or unauthorized modifications to onboard memory values during execution. This could occur during updates, configuration changes, or direct commanding, and could lead to corruption of system values or trigger malicious behavior. An adversary may inject malicious content into Flash, EEPROM, or another area where the flight software (FSW) is stored during an update.
[x-opencti-memory:write_operation = 'unexpected_write' AND x-opencti-memory:value != 'expected']

SIUU-25 | Unauthorized Function Hooking in Telemetry Process
Detection of unauthorized function hooking in the telemetry process, specifically targeting the packet_write_function. This hook allows the malware to modify telemetry data before it is transmitted to ground systems, concealing malicious activity onboard the spacecraft.
[process:image_ref.name = 'telemetry_process' AND process:hooked_function = 'packet_write_function']

SMSR-1 | Sensor Data Exceeds Operational Ranges
Tracks sensor readings that exceed acceptable operational limits, potentially disrupting spacecraft functionality. Detects sensor data values falling outside predefined operational ranges, potentially indicating spoofing.
[x-opencti-sensor-data:value < 'expected_min'] OR [x-opencti-sensor-data:value > 'expected_max']

DISE-9 | Unexpected Change in Gyroscope Sensor Data
Detection of an unexpected, large deviation in gyroscope sensor data that exceeds normal operational thresholds, indicating potential tampering with the Attitude Determination and Control subsystem. This may lead to automated correction tasks being triggered unnecessarily.
[x-opencti-sensor-data:sensor_type = 'gyroscope' AND x-opencti-sensor-data:reading_delta > 'threshold']

DISE-10 | Abnormal Data Flow in Attitude Control Telemetry
Detection of abnormal telemetry data rates in the Attitude Determination and Control subsystem, indicating potential manipulation of onboard values or interference with the control signals. This can trigger unnecessary corrective maneuvers or system malfunctions.
[x-opencti-telemetry:telemetry_type = 'attitude_control' AND x-opencti-telemetry:data_rate > 'expected_rate']
Alternative pattern: [x-opencti-telemetry-data:telemetry_type = 'attitude-control' AND (x-opencti-telemetry-data:parameter_name = 'quaternion' OR x-opencti-telemetry-data:parameter_name = 'gyro_reading' OR x-opencti-telemetry-data:parameter_name = 'magnetometer_value') AND x-opencti-telemetry-data:value_change > 'threshold_value' AND x-opencti-telemetry-data:change_rate > 'expected_rate']
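MIRE-3 (access_frequency) and DISE-10 (data_rate) both compare a rate against 'expected_rate', and both assume that rate has already been derived from timestamped events before the pattern is evaluated. As an added example that is not part of this catalogue, the block below computes the rate with a sliding window and reports the first moment the expected rate is exceeded, for attitude-control telemetry packets (DISE-10) and for accesses to one memory region (MIRE-3). The window length, expected rates, and all timestamps are constructed assumptions.

```python
"""Added example (not part of the catalogue): the sliding-window rate that
MIRE-3 (access_frequency) and DISE-10 (data_rate) compare against
'expected_rate'. Both patterns assume the rate has already been computed from
timestamped events; this shows one way to do that. Sample timestamps are constructed.
"""
from collections import deque


def windowed_counts(timestamps, window):
    """For each event time t (sorted ascending), count events in (t - window, t]."""
    recent = deque()
    counts = []
    for t in timestamps:
        recent.append(t)
        # Drop events that have aged out of the window ending at t.
        while recent and recent[0] <= t - window:
            recent.popleft()
        counts.append((t, len(recent)))
    return counts


def first_exceedance(timestamps, window, expected_rate):
    """Earliest time at which the per-window count exceeds expected_rate * window, else None."""
    limit = expected_rate * window  # events allowed per window at the expected rate
    for t, n in windowed_counts(timestamps, window):
        if n > limit:
            return t
    return None


# Constructed: attitude-control telemetry at a nominal 1 Hz for 10 s ...
NOMINAL_TELEMETRY_TIMES = [float(i) for i in range(11)]
# ... followed by a burst of five packets within half a second.
BURST_TELEMETRY_TIMES = NOMINAL_TELEMETRY_TIMES + [10.1, 10.2, 10.3, 10.4, 10.5]

# Constructed: timestamped memory accesses tagged with their region, for MIRE-3.
MEMORY_ACCESS_LOG = [
    (0.0, "telemetry_buffer"), (0.5, "boot_params"), (1.0, "telemetry_buffer"),
    (1.1, "boot_params"), (1.2, "boot_params"), (1.3, "boot_params"),
]


def region_exceedance(log, region, window, expected_rate):
    """MIRE-3 view: apply first_exceedance to the accesses of one memory region."""
    times = [t for t, r in log if r == region]
    return first_exceedance(times, window, expected_rate)


if __name__ == "__main__":
    print(first_exceedance(NOMINAL_TELEMETRY_TIMES, 2.0, 1.0))           # None
    print(first_exceedance(BURST_TELEMETRY_TIMES, 2.0, 1.0))             # 10.1
    print(region_exceedance(MEMORY_ACCESS_LOG, "boot_params", 1.0, 1.0))  # 1.1
```

The window length sets the trade-off: a short window reacts to a burst within a fraction of a second but also fires on normal jitter, while a long window smooths jitter at the cost of detection latency, so the 'expected_rate' threshold and the window must be tuned together against recorded nominal telemetry.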