cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json

{
    "type": "bundle",
    "id": "bundle--431176ba-d425-47d7-9f05-51d546b2ba62",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-09T18:38:51.471Z",
            "name": "I/O Image",
            "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-ics-attack",
                    "phase_name": "collection"
                }
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_deprecated": false,
            "x_mitre_detection": "",
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Field Controller/RTU/PLC/IED"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_data_sources": [
                "Asset: Software"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
            "created": "2020-05-21T17:43:26.506Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T0877",
                    "external_id": "T0877"
                },
                {
                    "source_name": "Nanjundaiah, Vaidyanath",
                    "description": "Nanjundaiah, Vaidyanath   PLC Ladder Logic Basics Retrieved. 2021/10/11 ",
                    "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm"
                },
                {
                    "source_name": "Spenneberg, Ralf 2016",
                    "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ",
                    "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ]
        }
    ]
}