UCEB-4 |
Unexpected Changes to Encryption Configuration Settings |
Detection of unexpected changes to encryption settings, potentially indicating that the encryption mechanism on the spacecraft has been disabled or bypassed without authorization. |
[x-opencti-encryption-config:status = 'disabled' AND x-opencti-encryption-config:change_time != 'authorized_change_time'] |
UCEB-7 |
Modification of Encryption Algorithms |
Detection of unauthorized modifications to the spacecraft's encryption algorithm, potentially indicating that a threat actor is attempting to weaken or disable the encryption mechanism to enable exfiltration or other attacks. |
[x-opencti-encryption-algorithm:algorithm != 'expected_algorithm' AND x-opencti-encryption-algorithm:modification_time != 'authorized_time'] |
CSNE-10 |
Transmission to Unauthorized Ground Station Detected |
Monitors all downlink channels for traffic directed towards unauthorized ground stations, potentially indicating unauthorized data exfiltration attempts. This approach remains agnostic to the specific hardware used for transmission, ensuring broad applicability across communication systems. |
[network-traffic:dst_ref.value != 'authorized_ground_station'] |
CSNE-20 |
Unauthorized Downlink Communication at Unexpected Time |
Monitors downlink communications for unexpected activity, regardless of whether it originates from a transponder, SDR, or other communication component. This ensures detection of potential exfiltration attempts or unauthorized transmissions. |
[network-traffic:direction = 'downlink' AND network-traffic:timestamp != 'expected_time'] |
MIRE-12 |
Unexpected Modification to Encryption Memory/Table |
Detection of an unauthorized modification to the encryption table, suggesting a potential malicious update affecting the telemetry, tracking, and control (TT&C) encryption settings. The change occurred in the memory range Value1 - Value999. The memory range will be different for each spacecraft. |
[x-opencti-memory:table_ref.name = 'encryption_table' AND x-opencti-memory:checksum != 'expected_checksum' AND x-opencti-memory:range = 'Value1 - Value999'] |
SIUU-26 |
Unauthorized Modification of Downlink Configuration |
Detection of unauthorized modifications to the downlink frequency configuration settings, suggesting a potential attack to disrupt the spacecraft's ability to transmit telemetry. |
[x-opencti-radio-configuration:downlink_frequency != 'authorized_value' AND x-opencti-radio-configuration:modification_time != 'scheduled_window'] |
DISE-1 |
File or Data Integrity Check Failure |
Monitors the cryptographic integrity of data (files, payload data, configuration files, logs, etc.) to ensure it remains unmodified during data storage or transmission. It is important during engineering to determine the critical data items that need integrity protection. Some examples are discussed in evasion technique https://sparta.aerospace.org/technique/DE-0003/ |
[file:hashes != 'expected_hash_value' AND file:name = 'data_file'] |