cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json

{
    "type": "bundle",
    "id": "bundle--0e6b28a8-6cb3-4ca7-b7f5-e8f48370d7d9",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-09T18:38:51.471Z",
            "name": "Modify Controller Tasking",
            "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-ics-attack",
                    "phase_name": "execution"
                }
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_deprecated": false,
            "x_mitre_detection": "",
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Field Controller/RTU/PLC/IED"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_data_sources": [
                "Operational Databases: Device Alarm",
                "Application Log: Application Log Content",
                "Asset: Software"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
            "created": "2021-04-13T11:15:26.506Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T0821",
                    "external_id": "T0821"
                },
                {
                    "source_name": "IEC February 2013",
                    "description": "IEC 2013, February 20 IEC 61131-3:2013  Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ",
                    "url": "https://webstore.iec.ch/publication/4552"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ]
        }
    ]
}