Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
ID | Name | Description | |
T2029 | Abuse Elevation Control Mechanism | Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. | |
T2019 | Account Manipulation | Adversaries may manipulate accounts to maintain and/or elevate access to vehicle systems. This technique involves actions that preserve or modify adversary access to compromised accounts, such as modifying credentials or permission groups. By manipulating accounts, adversaries can subvert security policies and gain persistent access to vehicle systems, potentially leading to privilege escalation. | |
T2060 | Adversary-in-the-Middle | Adversaries may position themselves between networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks. By abusing features of common networking protocols, adversaries force a device to communicate through an adversary-controlled system to collect information or perform additional actions. | |
T2065 | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. | |
T2063 | Archive Collected Data | An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. | |
T2061 | Audio Capture | Adversaries can leverage a a vehicle's built-in peripheral devices and applications to capture audio recordings for eavesdropping on sensitive conversations, allowing them to gather valuable information. These recordings could be used for various malicious purposes, including espionage, or theft of sensitive information. | |
T2048 | Backend Remote Services | Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. | |
T2020 | Boot or Logon Initialization Scripts | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. This technique allows adversaries to execute commands, scripts, or binaries during the boot-up or logon process, enabling them to establish a foothold and ensure continued access to the vehicle's systems. | |
T2036 | Brute Force | Adversaries may use brute force techniques to gain unauthorized access to vehicle systems by repeatedly guessing passwords or password hashes. | |
T2012 | Command and Scripting Interpreter | Adversaries may abuse command and scripting interpreters to execute unauthorized commands, scripts, or binaries within vehicle systems. These interfaces provide a way for adversaries to interact with the vehicle's computer systems and execute arbitrary commands, potentially leading to unauthorized access and control over critical vehicle functions. | |
T2066 | Communication Through Cellular Network | Adversaries may communicate using cellular networks in vehicle telematics systems to establish command and control channels. By leveraging the communication capabilities of the telematics box, adversaries can maintain persistent communication with compromised systems. | |
T2068 | Communication Through Diagnostic Port | Adversaries may communicate using the diagnostic port of a vehicle. Using specialized hardware and software tools, adversaries can connect to the onboard diagnostic (OBD-II) port of a vehicle to send unauthorized commands and extract sensitive information from the vehicle's electronic control units (ECUs). | |
T2067 | Communication Through Short Range Wireless | Adversaries may communicate using short range wireless communication. Short range wireless technologies such as Bluetooth and Wi-Fi are commonly integrated into modern vehicles to enable features such as hands-free calling, audio streaming, and wireless connectivity. By tapping into these wireless systems, attackers can remotely access vehicular networks within a limit range, often bypassing traditional security measures. | |
T2013 | Container Administration Command | Adversaries may abuse the Container Administration Command technique to gain unauthorized access to vehicle systems. As containers have become the standard in the automotive industry, they are vital in the software-defined vehicle architecture, providing flexibility and faster innovation. In this context, adversaries may use the Container Administration Command technique to execute arbitrary commands within containers, allowing them to manipulate critical vehicle functions. | |
T2069 | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. | |
T2062 | Data from Local System | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. | |
T2070 | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. | |
T2064 | Data Staged | Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. | |
T2001 | Deliver Malicious App via Authorized App Store | Adversaries may take advantage of authorized app stores to deliver malicious apps to target vehicle systems. This technique allows them to gain access to the vehicle's network. | |
T2083 | Denial of Operational | Adversaries may cause a denial of control to temporarily prevent driver from interacting with vehicle controls. An adversary may attempt to deny vehicle control access to cause a temporary loss of communication with the vehicle or to prevent driver adjustment of vehicle controls. An affected vehicle may still be operating during the period of control loss, but not necessarily in a desired state. | |
T2030 | Deobfuscate/Decode Files or Information | Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. | |
T2014 | Deploy Container | Adversaries may deploy containers as a means of executing arbitrary code within the context of vehicle cybersecurity. By leveraging container technology, adversaries can encapsulate malicious payloads and deploy them within the vehicle's software-defined architecture. This technique allows adversaries to bypass traditional security measures and execute unauthorized code within the vehicle's computing environment, potentially leading to unauthorized access, data theft, or disruption of critical vehicle functions. | |
T2071 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. | |
T2052 | ECU Exploitation | Adversaries may exploit Electronic Control Units (ECUs) to perform lateral movement within a vehicle's network. ECUs are specialized embedded systems that control various functions within modern vehicles, such as engine management, airbags, and braking systems. By gaining access to one ECU, adversaries can potentially compromise the integrity of the vehicle's network and manipulate other connected ECUs.Adversaries may leveraging existing vulnerabilities in ECUs. For instance, an adversary might first compromise an infotainment system connected to the internet and then move laterally to more sensitive ECUs like those related to steering or braking. This technique may require specialized knowledge of the vehicle's network architecture and the communication protocols used, such as CAN bus, LIN, or FlexRay. | |
T2072 | Encrypted Channel | Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. | |
T2026 | Escape to Host | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out of the container via a Container Administration Command. Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. | |
T2073 | Exfiltration Over Alternative Protocol | Adversaries may exfiltrate data over alternative protocols to avoid detection and bypass security controls. This technique involves using non-standard or less-monitored communication channels, such as DNS, ICMP, or even custom protocols, to exfiltrate sensitive information from compromised vehicle systems. | |
T2078 | Exfiltration Over Bluetooth | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. Bluetooth can be an attractive choice for exfiltration when adversaries are in close proximity to the target vehicle and the Bluetooth connection offers a lower level of security compared to the primary Internet-connected channel. | |
T2074 | Exfiltration Over C2 Channel | Adversaries may exfiltrate data over command and control (C2) channels in order to steal sensitive information from vehicle systems. They can use compromised data-transfer channels to manipulate traffic and inject their own content, allowing them to continuously communicate with victim systems and deliver additional payloads. | |
T2076 | Exfiltration Over Cellular Network | Adversaries may attempt to exfiltrate data over a cellular network. This technique allows them to transfer sensitive data from the vehicle to an external location using the cellular network. | |
T2075 | Exfiltration Over Other Network Medium | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. | |
T2079 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive or ODB-II. In certain circumstances, such as an offline network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems. | |
T2077 | Exfiltration Over Short Range Wireless | Adversaries may attempt to exfiltrate data over WiFi connection or another radio frequency (RF) channel. This technique allows adversaries to wirelessly transmit stolen data from a compromised vehicle to a nearby receiver without the need for physical access. | |
T2002 | Exploit via backend service | Adversaries may exploit vulnerabilities in backend services to gain unauthorized access and potentially compromise vehicles in the context of vehicle cybersecurity. Backend services, such as those provided by platforms like Mercedes Me, enable drivers to remotely manage their vehicles through backend servers. However, these services can become attractive targets for attackers when weaknesses are present in the backend server infrastructure.Exploiting vulnerabilities in backend services involves leveraging security flaws or weaknesses in the server-side components that manage vehicle connectivity and control. Attackers may exploit these vulnerabilities to gain unauthorized access to vehicle systems and potentially manipulate various functionalities. For instance, they could remotely unlock doors, disable security features, or even manipulate critical vehicle systems.By infiltrating backend services, adversaries may compromise the integrity and security of vehicles, posing significant risks to both drivers and manufacturers. It is crucial for organizations in the automotive industry to proactively address these vulnerabilities and implement robust security measures to protect against such threats. | |
T2003 | Exploit via Charging Station | Adversaries may exploit vulnerabilities associated with charging stations to gain unauthorized access to vehicles and potentially compromise their systems. While charging stations offer the convenience of "plug and charge" for electric vehicles, the underlying protocols and communication channels between the station and the vehicle can often be insecure. In this context, attackers can employ various tactics, including Man-in-the-Middle (MITM) attacks, to intercept and manipulate the data exchanged during the charging process.These vulnerabilities open doors for adversaries to intercept sensitive vehicle data, inject malicious code or commands into the communication between the charging station and the vehicle's Controller Area Network (CAN) bus, and potentially compromise the vehicle's systems. By exploiting weaknesses in the charging station's security mechanisms, adversaries can disrupt the charging process, manipulate the vehicle's behavior, or even gain unauthorized control over critical vehicle functions. | |
T2004 | Exploit via ODB port | Adversaries may exploit vehicle cybersecurity vulnerabilities by targeting the On-Board Diagnostics (ODB) port, enabling unauthorized access to a vehicle's internal systems. The ODB port is a critical interface used for vehicle diagnostics and maintenance, and it provides a gateway to the vehicle's electronic control units (ECUs).To execute this attack, adversaries might utilize specialized hardware or software tools to interact with the ODB port, sending malicious commands or manipulating the communication between the ODB port and the vehicle's ECUs. Such actions could lead to dangerous consequences, including unauthorized access to a vehicle's firmware, data exfiltration, or even remote control of the vehicle.The exploitation of the ODB port highlights the importance of securing vehicle interfaces against malicious access, emphasizing the need for robust cybersecurity measures to protect both the vehicle and its occupants from potential threats. | |
T2005 | Exploit via radio interface | Adversaries may exploit vulnerabilities in vehicle radio interfaces to gain unauthorized access to vehicle systems. These interfaces, including Bluetooth, modem, and WiFi chips, provide a means for adversaries to remotely execute code and compromise the vehicle's security. This technique allows attackers to infiltrate the vehicle's network and potentially take control of critical systems, posing a significant threat to the safety and privacy of vehicle occupants.By leveraging remote code execution on radio interfaces, adversaries can inject malicious code into the vehicle's systems, leading to a range of potential attacks. For example, attackers could exploit a memory issue on the driver of the Bluetooth interface to execute arbitrary commands and gain unauthorized access to the vehicle's network. Once inside, adversaries could manipulate vehicle functions, intercept sensitive data, or even take control of steering, braking, or acceleration systems, posing a serious risk to the safety and security of the vehicle and its occupants. | |
T2031 | Exploitation for Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. | |
T2028 | Exploitation for Privilege Escalation | Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. | |
T2051 | Exploitation of Backend Remote Services | Adversaries may exploit backend remote services to gain unauthorized access to backend service once inside of the vehicle. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. | |
T2054 | Exploitation of Remote Services in In-Vehicle Network | Adversaries may exploit remote services in In-Vehicle network to gain unauthorized access to internal systems once inside of the vehicle. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. | |
T2006 | External Remote Services | Adversaries may gain unauthorized access to in-vehicle systems by exploiting external remote services. These services, such as SSH servers or RPC servers, are exposed on the internet or intranet, providing a potential entry point for attackers to compromise vehicle networks.By abusing these external remote services, adversaries can execute commands, scripts, or binaries on the in-vehicle device. For example, they may manipulate accounts to maintain access or elevate their privileges within the vehicle's system. Additionally, adversaries can create new accounts to establish secondary access, allowing them to maintain a persistent presence without the need for continuous deployment of remote access tools on the vehicle. | |
T2040 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
T2007 | Hardware Additions | Adversaries may gain initial access to vehicle systems by exploiting hardware additions. This could involve manipulating or adding physical components to the vehicle's systems in order to gain unauthorized access. | |
T2032 | Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. | |
.001 | CAN Restrict | Adversaries may exploit the CAN Restrict attack technique in vehicle cybersecurity to bypass restrictions on the Controller Area Network (CAN) bus. The CAN bus is a critical component of modern vehicles, responsible for transmitting messages between different electronic control units (ECUs) within the vehicle. The CAN bus transmit chip typically restricts the types of messages that can be transmitted on the network to prevent unauthorized access and manipulation. However, adversaries can rewrite or exploit the firmware or driver of the CAN bus transmit chip to bypass these restrictions and transmit arbitrary CAN messages on the network. | |
.002 | Disable Memory Protection | Adversaries may exploit vulnerabilities in vehicle systems to disable memory protection, allowing them to manipulate and compromise the vehicle's software and potentially gain unauthorized access to critical functions. This technique involves bypassing the security measures that protect the vehicle's memory, providing adversaries with the ability to execute malicious code and tamper with system operations. | |
.003 | Disable or Modify System Firewall | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. | |
T2015 | Inter-Process Communication | Adversaries may abuse inter-process communication (IPC) within vehicle systems to facilitate unauthorized execution of commands or scripts. IPC mechanisms are used by different processes within a vehicle's electronic control units (ECUs) to communicate and exchange data. This can include communication between different software components. Adversaries may abuse IPC to gain unauthorized access to critical systems and execute malicious commands, potentially leading to vehicle malfunctions or compromise of sensitive data. | |
T2084 | Loss of Financial | Adversaries may cause a loss of financial impact to vehicle owners, road users and vehicle manufacturer through disruption and even damage to the availability and integrity of the vehicle or backend service. The damage and theft of vehicles can result in financial losses for their owners, while a denial of service to the backend service can lead to financial repercussions for the vehicle manufacturer. | |
T2085 | Loss of Operational | Adversaries may seek to achieve a sustained loss of operational or a runaway condition in which driver cannot issue any controls even if the malicious interference has subsided.This technique can result in the vehicle not working or showing unexpected behavior of core functions. | |
T2086 | Loss of Safety | Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. | |
T2087 | Manipulation of Operational | Adversaries may manipulate the control of vehicle. Methods of manipulating control can include takeover the control of the vehicle, allowing adversaries to impact the core functioning of the vehicle. | |
T2021 | Modify Trusted Execution Environment | Adversaries may target the trusted execution environment, such as the vehicle's secure boot process or cryptographic keys, to modify the system's behavior and maintain their presence within the vehicle's network. By tampering with these trusted components, adversaries can ensure that their unauthorized access and control persist even after reboots or software updates. This allows them to continue malicious activities, such as intercepting or manipulating vehicle communication, compromising safety systems, or stealing sensitive data. | |
T2016 | Native API | Adversaries may abuse the Native API technique to execute behaviors within the context of vehicle cybersecurity. Similar to how adversaries manipulate accounts to maintain and elevate access to victim systems, they may also abuse the OS API functions to interact with and utilize various components of a vehicle's system. | |
T2041 | Network Service Scanning | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). | |
T2037 | Network Sniffing | Adversaries may gain unauthorized access to vehicle systems by using network sniffing technique. This method allows them to capture information about the vehicle's network, including authentication material passed over the network. Network sniffing involves monitoring or capturing information sent over a wired or wireless connection, providing adversaries with valuable data about the vehicle's network activity. | |
T2080 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). | |
T2081 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. | |
T2038 | OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. | |
T2058 | Personal Information Collection | Adversaries may target the Personal Information to gather sensitive personal data from vehicle systems. Modern vehicles, equipped with advanced technology, store and transmit a wealth of personal information, ranging from driver's license details to personal identification numbers. The primary motive behind this technique is often to leverage collected data for ransom or to facilitate data leaks, exploiting the rich trove of personal information that vehicles now hold. | |
T2008 | Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules). Another way to accomplish this is by forging or spoofing the identity of the sender which can be used to fool both the human recipient as well as automated security tools.Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer (i.e., User Execution). | |
T2043 | Process Discovery | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
T2025 | Process Injection | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. | |
T2082 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. | |
T2056 | Remote services in In-Vehicle Network | Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. | |
T2009 | Replication Through Removable Media | Adversaries may exploit the use of removable media in vehicle systems to gain initial access and spread malicious content. In the context of vehicle cybersecurity, removable media such as USB drives are commonly used for updating in-vehicle infotainment (IVI) systems or transferring data. Adversaries may take advantage of this functionality to introduce malicious code or malware into the vehicle's network, potentially leading to system compromise and unauthorized access. By inserting a compromised USB drive into a vehicle's IVI system, adversaries can introduce malicious files or code that can be automatically executed by the vehicle's software. For example, adversaries may load a Virtual Contact File from the USB drive, which contains malicious content designed to exploit vulnerabilities in the IVI system. Additionally, adversaries may disguise malware as a legitimate software update and trick the IVI system into executing the malicious code from the USB drive, thereby gaining unauthorized access and compromising the vehicle's network. This technique allows adversaries to replicate and spread their malicious content across multiple vehicles by using removable media as a delivery mechanism for their attacks. | |
T2022 | Rewrite ECU Image/Firmware | Adversaries may manipulate ECU image or firmware to maintain persistent access to vehicle systems. This technique involves altering the software running on the vehicle's electronic control units (ECUs) to establish a foothold and maintain control over the vehicle's functions. | |
T2017 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. | |
T2033 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. | |
.001 | Code Signing | Adversaries may exploit code signing to bypass security measures and execute unauthorized code within vehicle systems. When updating the system, the update process may verify that the update image is valid. Adversaries might exploit the update process and bypass the validation check. | |
.002 | UDS Security Access | Adversaries may exploit UDS Security Access in vehicle cybersecurity to gain unauthorized access to critical ECU services. This technique involves cracking the challenge and response mechanism used to unlock secure features. By reversing the challenge and response function, adversaries can extract the key and bypass the security measures in place. | |
T2010 | Supply Chain Compromise | Adversaries may gain access to vehicle systems through supply chain compromises, where they exploit vulnerabilities in the software or hardware provided by third-party suppliers. These compromises can have far-reaching consequences, as the supplier's products are used by multiple OEMs, potentially allowing adversaries to impact a wide range of vehicles. | |
T2044 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
T2045 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. | |
T2046 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. | |
T2018 | System Services | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution. | |
T2088 | Theft of Privacy | Adversaries may steal privacy-related information in the vehicle environment. This information may include personally identifiable information, driver's license details, location tracking data, and dashcam recordings. | |
T2047 | UDS Service Discovery | Adversaries may attempt to enumerate services supported by Unified Diagnostic Services (UDS). This technique allows adversaries to scan for and identify the various services and functionalities available within the vehicle's onboard systems. By understanding the specific services and identifiers used in the UDS protocol, adversaries can effectively target and exploit vulnerabilities within the vehicle's network. | |
T2039 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or other specialized files/artifacts (e.g. Private Keys). | |
.001 | Bash History | Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user's last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. | |
.002 | Credentials In Files | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. | |
.003 | Private Keys | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. | |
.004 | VPN Credential | Adversaries may search for unsecured VPN credentials to gain unauthorized access to vehicle backend servers. These credentials are intended to protect the backend server and only allow legitimate vehicles to access it. However, if these VPN credentials are not properly secured, adversaries can easily extract them and connect directly to the backend server without a legitimate vehicle. | |
T2011 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. | |
T2059 | Vehicle Telemetry Collection | Adversaries may target the telematics systems within modern vehicles to collect a vast array of data. These systems, designed for navigation, safety, and entertainment, also generate and store detailed telemetry information. This information, which can include location data, vehicle usage patterns, and even driver behavior, is extremely valuable for adversaries. By tapping into these systems, adversaries can gain insights into the movements and habits of individuals or organizations, potentially leading to further exploitation or surveillance activities. | |
T2035 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. |