| ID | Indicator | Description | Detection pattern |
|---|---|---|---|
| UACE-3 | Legitimate Command with Malicious Parameters Targeting Subsystems | A legitimate command is sent, but with parameters that exceed safe thresholds for a subsystem or component on the spacecraft. This could include commands that affect critical subsystems such as power distribution, attitude control, or thermal regulation, potentially leading to damage, instability, or malfunction. The misuse of valid parameters across different subsystems can result in severe operational impact or hardware degradation. | `[x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:target_subsystem != 'expected_subsystem' AND x-opencti-command-log:parameter_value > 'safe_threshold']` |
| UACE-4 | Unexpected Legitimate Command Sent | A legitimate command is sent to the spacecraft at an unexpected or inappropriate time, potentially disrupting normal operations and impacting system availability. This could involve commands such as executing an orbit adjustment or a resource-intensive task outside of planned windows, thereby affecting the mission's overall availability or operational efficiency. | `[x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:timestamp != 'expected_time']` |
| UACE-5 | Unexpected counter increment (valid or invalid count) | The flight software command counter increments without a corresponding legitimate ground station action. The counter value is 'expected' only when both of the following conditions are met: 1) the flight software command counter increments; 2) a legitimate ground station action caused that increment. A failure of condition 2) results in an 'unexpected' value. This could be from valid or invalid commands; typically a spacecraft maintains separate counters for valid and malformed commands. | `[x-opencti-command-counter:value = 'unexpected']` |
| UACE-6 | Unauthorized Commands Issued from Unrecognized Ground Station | Detection of control commands issued to the spacecraft from an unrecognized or unauthorized ground station, potentially indicating that a rogue ground station is attempting to take control of the spacecraft. | `[x-opencti-command-log:command_origin != 'authorized_ground_station' AND x-opencti-command-log:command_type = 'control']` |
| UACE-8 | Anomalous Command Packet Signatures | Command packets with invalid or anomalous signatures are detected, potentially indicating spoofing or replay of older commands. Command signatures provide a way to verify the authenticity and integrity of commands sent to the spacecraft, ensuring they have not been tampered with during transmission. The signature may take the form of sequence numbers, hashes, or digital signatures in general. | `[x-opencti-command-log:signature != 'expected_signature']` |
| UCEB-1 | Repeated Use of Cryptographic Keys from Unusual Locations | Detection of cryptographic keys being used repeatedly from unexpected or unauthorized locations, indicating potential misuse of valid cryptographic credentials to maintain persistent access to spacecraft systems. | `[x-opencti-cryptographic-key:usage_location != 'authorized_locations' AND x-opencti-cryptographic-key:use_count > 'threshold']` |
| UCEB-2 | Use of Old or Rotated Cryptographic Keys for Authentication | Detection of authentication attempts using cryptographic keys that have already been rotated or marked as no longer valid. This may indicate that threat actors are using old or compromised keys to try to access spacecraft or C2 systems. | `[x-opencti-cryptographic-key:status = 'rotated or expired']` |
| UCEB-11 | Use of Account or Cryptographic Keys at Unexpected Times | Detection of a user account or cryptographic key being used outside of the expected operational time windows. This may indicate unauthorized or suspicious activity, such as a threat actor using valid credentials or cryptographic keys to gain or maintain persistent access to the spacecraft or related systems. | `[user-account:last_login_time != 'expected_operational_hours' OR x-opencti-cryptographic-key:usage_time != 'expected_usage_time']` |
| CSNE-1 | Unexpected Ground Station IP Address in Communication | Detection of network traffic originating from an unauthorized IP address that does not match any of the known or authorized ground station IPs, potentially indicating communication with a rogue ground station. The source IPs permitted to speak to the spacecraft should be very limited. Rogue devices may be deployed inside mission operations networks in an attempt to communicate with the spacecraft. | `[network-traffic:src_ref.value != 'authorized_ground_station_ip' AND network-traffic:protocols[*] = 'satellite_communication']` |
| CSNE-6 | Unexpected Communication Protocols in Uplink | Detection of unexpected communication protocols in uplink traffic sent to the spacecraft from a ground station or any rogue device, indicating that someone may be using non-standard protocols to communicate with the spacecraft. | `[network-traffic:protocols[*] != 'expected_protocol' AND network-traffic:direction = 'uplink']` |
| ARFS-1 | Authentication Process Tampering | Detection of modifications to the authentication process, which may signal unauthorized changes by a threat actor seeking access to a spacecraft. Potential modifications include tampering with encryption keys or authentication tokens. Additionally, irregularities in sequence counters, such as receiving packets out of sequence, may indicate an adversary's attempt to align with the spacecraft's authentication or sequencing protocols. | `[x-opencti-system-log:authentication_process_modification = 'TRUE']` |
| ARFS-2 | Anomalous Authentication Attempts | Repeated failed authentication attempts are detected, potentially indicating an attempt to bypass the authentication process. | `[x-opencti-authentication-log:attempts > 'threshold' AND x-opencti-authentication-log:result = 'failure']` |
| ARFS-3 | Invalid RF Command Lock | A signal source detected in the ocean between authorized ground stations fails validation and is classified as 'invalid'. A signal is classified as 'valid' only when all of the following conditions are met: the transponder operates at the correct frequency and power level, all signal characteristics align with expected parameters, command lock is achieved, and the signal originates from an authorized and expected location. | `[x-opencti-signal_char:value = 'invalid']` |
| ARFS-9 | Safe-Mode Activation Due to Signal Jamming | Monitors RF noise levels in GNSS or uplink bands that exceed expected thresholds, leading to safe-mode activation. This could indicate deliberate signal jamming aimed at exploiting reduced protections in safe-mode. Entering safe-mode does not necessarily indicate that commanding has been jammed, as some spacecraft enter safe-mode after expected communication contacts with the ground are missed. | `[x-opencti-rf-sensor:frequency_band IN ('gnss_band','uplink_band') AND x-opencti-rf-sensor:noise_level > 'maximum_threshold' AND x-opencti-spacecraft-status:mode = 'safe-mode']` |
| ARFS-12 | Rejection of CLTU BIND Due to Tampered/Invalid Credentials | Detects that the SLE Provider rejected a CLTU BIND request because the credentials were invalid or tampered with, leading to termination of the connection. This IOC is deliberately narrow: it ties the rejection directly to the modification of credentials, rather than to BIND failures in general. | `[x-opencti-command-log:command = 'CLTU-BIND' AND x-opencti-command-log:status = 'rejected' AND x-opencti-command-log:reason = 'invalid_credentials']` |
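The command-log indicators above (UACE-3, UACE-4, UACE-6, UACE-8) and the counter check in UACE-5 are written as abstract patterns; the following added example, which is not part of the original table, shows how a ground-segment detection job could evaluate them against constructed command-log records. The safe thresholds, authorized station names, commanding window and sample records are all assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed reference data (assumed for this example, not from the indicator table).
SAFE_THRESHOLDS = {"ACS": {"wheel_speed_rpm": 6000.0}, "EPS": {"bus_voltage_v": 32.0}}
AUTHORIZED_STATIONS = {"GS-ALPHA", "GS-BRAVO"}
COMMAND_WINDOW = (time(8, 0), time(20, 0))  # planned commanding window (UTC)

@dataclass
class CommandLog:
    # Field names mirror the x-opencti-command-log properties used in the table.
    command_type: str        # 'legitimate_command' or 'control'
    command_origin: str      # ground station identifier
    target_subsystem: str
    parameter: str
    parameter_value: float
    timestamp: datetime
    signature_ok: bool       # outcome of the packet signature/sequence check

def matching_indicators(rec: CommandLog) -> list:
    """Return the UACE indicator IDs whose conditions the record satisfies."""
    hits = []
    if rec.command_type == "legitimate_command":
        # UACE-3: parameter not defined for the target subsystem, or above its safe threshold
        limit = SAFE_THRESHOLDS.get(rec.target_subsystem, {}).get(rec.parameter)
        if limit is None or rec.parameter_value > limit:
            hits.append("UACE-3")
        # UACE-4: legitimate command issued outside the planned window
        start, end = COMMAND_WINDOW
        if not start <= rec.timestamp.time() <= end:
            hits.append("UACE-4")
    # UACE-6: control command from a station not on the authorized list
    if rec.command_type == "control" and rec.command_origin not in AUTHORIZED_STATIONS:
        hits.append("UACE-6")
    if not rec.signature_ok:  # UACE-8: signature/sequence check failed on the packet
        hits.append("UACE-8")
    return hits

def counter_is_unexpected(prev_count: int, new_count: int, ground_actions: int) -> bool:
    """UACE-5: the counter delta must equal the number of legitimate ground actions."""
    return (new_count - prev_count) != ground_actions

# Constructed sample records: one matches each indicator, the last is clean.
SAMPLES = [
    CommandLog("legitimate_command", "GS-ALPHA", "ACS", "wheel_speed_rpm", 7500.0, datetime(2024, 3, 1, 10, 0), True),
    CommandLog("legitimate_command", "GS-ALPHA", "EPS", "bus_voltage_v", 28.0, datetime(2024, 3, 1, 23, 30), True),
    CommandLog("control", "GS-ZULU", "ACS", "mode", 0.0, datetime(2024, 3, 1, 10, 0), True),
    CommandLog("legitimate_command", "GS-ALPHA", "ACS", "wheel_speed_rpm", 3000.0, datetime(2024, 3, 1, 10, 0), False),
    CommandLog("legitimate_command", "GS-BRAVO", "EPS", "bus_voltage_v", 28.0, datetime(2024, 3, 1, 12, 0), True),
]
```

Running `matching_indicators` over `SAMPLES` yields one indicator per record for the first four and none for the last; `counter_is_unexpected(41, 43, 1)` flags a two-step increment backed by only one ground action.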