cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json

{
    "type": "bundle",
    "id": "bundle--e2e8cb6c-3007-4282-91c2-120c590e5f67",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2022-10-24T15:09:07.609Z",
            "name": "Activate Firmware Update Mode",
            "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-ics-attack",
                    "phase_name": "inhibit-response-function"
                }
            ],
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Field Controller/RTU/PLC/IED",
                "Safety Instrumented System/Protection Relay"
            ],
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_contributors": [
                "Joe Slowik - Dragos"
            ],
            "x_mitre_data_sources": [
                "Application Log: Application Log Content",
                "Operational Databases: Device Alarm",
                "Network Traffic: Network Traffic Content"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
            "created": "2020-05-21T17:43:26.506Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T0800",
                    "external_id": "T0800"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_is_subtechnique": false
        }
    ]
}