cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json

{
    "type": "bundle",
    "id": "bundle--7936fb78-9021-4c05-80ed-6a676c1b068a",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-09T18:38:51.471Z",
            "name": "Detect Operating Mode",
            "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g.,  run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:  \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017)  \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007)  (Citation: N.A. October 2017) (Citation: PLCgurus 2021)   \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021)    \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007)   \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007)   \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-ics-attack",
                    "phase_name": "collection"
                }
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_deprecated": false,
            "x_mitre_detection": "",
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Field Controller/RTU/PLC/IED"
            ],
            "x_mitre_version": "1.0",
            "x_mitre_data_sources": [
                "Network Traffic: Network Traffic Content"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
            "created": "2020-05-21T17:43:26.506Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T0868",
                    "external_id": "T0868"
                },
                {
                    "source_name": "Machine Information Systems 2007",
                    "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ",
                    "url": "http://www.machine-information-systems.com/How_PLCs_Work.html"
                },
                {
                    "source_name": "N.A. October 2017",
                    "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ",
                    "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489"
                },
                {
                    "source_name": "Omron",
                    "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28  PLC Different Operating Modes Retrieved. 2021/01/28 ",
                    "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified."
                },
                {
                    "source_name": "PLCgurus 2021",
                    "description": "PLCgurus 2021 PLC Basics  Modes Of Operation Retrieved. 2021/01/28 ",
                    "url": "https://www.plcgurus.net/plc-basics/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ]
        }
    ]
}