ICS ATT&CK
Block Command Message
Service Stop
Modify Parameter
Modify Controller Tasking
Wireless Sniffing
Loss of View
Activate Firmware Update Mode
Manipulation of Control
Denial of Service
Block Serial COM
System Binary Proxy Execution
Command-Line Interface
Point & Tag Identification
Device Restart/Shutdown
User Execution
Wireless Compromise
Change Operating Mode
Alarm Suppression
Detect Operating Mode
Loss of Protection
Monitor Process State
Scripting
Remote System Information Discovery
Program Upload
Exploit Public-Facing Application
Data from Information Repositories
Transient Cyber Asset
Manipulate I/O Image
Network Sniffing
Rootkit
Automated Collection
Block Reporting Message
Unauthorized Command Message
Data Destruction
Manipulation of View
Indicator Removal on Host
I/O Image
Denial of View
Execution through API
Supply Chain Compromise
Loss of Safety
Loss of Productivity and Revenue
Spearphishing Attachment
Autorun Image
Drive-by Compromise
Damage to Property
Spoof Reporting Message
Exploitation of Remote Services
Default Credentials
External Remote Services
Brute Force I/O
Adversary-in-the-Middle
Exploitation for Evasion
Loss of Control
Hooking
Graphical User Interface
Rogue Master
Native API
Loss of Availability
Theft of Operational Information
System Firmware
Masquerading
Program Download
Replication Through Removable Media
Screen Capture
Hardcoded Credentials
Valid Accounts
Exploitation for Privilege Escalation
Remote System Discovery
Connection Proxy
Standard Application Layer Protocol
Remote Services
Denial of Control
Modify Alarm Settings
Commonly Used Port
Project File Infection
Network Connection Enumeration
Lateral Tool Transfer
Module Firmware
Internet Accessible Device
Data from Local System
Change Credential
Modify Program
Triton Safety Instrumented System Attack
2015 Ukraine Electric Power Attack
Maroochy Water Breach
Unitronics Defacement Campaign
2016 Ukraine Electric Power Attack
2022 Ukraine Electric Power Attack
Application Isolation and Sandboxing
Filter Network Traffic
Restrict Web-Based Content
Validate Program Inputs
Network Segmentation
Restrict Library Loading
Active Directory Configuration
Network Intrusion Prevention
Restrict Registry Permissions
Data Loss Prevention
Access Management
Mitigation Limited or Not Effective
Exploit Protection
Limit Access to Resource Over Network
Execution Prevention
Static Network Configuration
Password Policies
Privileged Account Management
Human User Authentication
SSL/TLS Inspection
Code Signing
Software Process and Device Authentication
Encrypt Network Traffic
Account Use Policies
Application Developer Guidance
Boot Integrity
Mechanical Protection Layers
Update Software
Watchdog Timers
Operational Information Confidentiality
Operating System Configuration
Limit Hardware Installation
Encrypt Sensitive Information
Network Allowlists
Supply Chain Management
Data Backup
Out-of-Band Communications Channel
Audit
Communication Authenticity
Disable or Remove Feature or Program
Threat Intelligence Program
Safety Instrumented Systems
User Training
Multi-factor Authentication
Vulnerability Scanning
Authorization Enforcement
User Account Management
Redundancy of Service
Restrict File and Directory Permissions
Software Configuration
Antivirus/Antimalware
Minimize Wireless Signal Propagation
The MITRE Corporation
APT38
ALLANITE
Dragonfly
FIN6
FIN7
Sandworm Team
OilRig
TEMP.Veles
CyberAv3ngers
GOLD SOUTHFIELD
Lazarus Group
Wizard Spider
HEXANE
APT33
EKANS
Backdoor.Oldrea
Stuxnet
Bad Rabbit
PLC-Blaster
BlackEnergy
NotPetya
Conficker
LockerGoga
VPNFilter
Duqu
Industroyer2
WannaCry
Triton
Fuxnet
Ryuk
ACAD/Medre.A
REvil
INCONTROLLER
KillDisk
Industroyer
Flame
Virtual Private Network (VPN) Server
Jump Host
Remote Terminal Unit (RTU)
Field I/O
Human-Machine Interface (HMI)
Data Gateway
Safety Controller
Intelligent Electronic Device (IED)
Application Server
Programmable Logic Controller (PLC)
Routers
Data Historian
Control Server
Workstation
Windows Registry Key Deletion
Network Connection Creation
File Access
File Creation
Network Traffic Content
Logon Session Metadata
Process Creation
Drive Creation
Process/Event Alarm
Drive Modification
Service Creation
Process Termination
File Metadata
Service Modification
Command Execution
Service Metadata
Scheduled Job Metadata
File Modification
Software
Process History/Live Data
OS API Execution
Application Log Content
Logon Session Creation
Device Alarm
Script Execution
Network Traffic Flow
User Account Authentication
Asset Inventory
Firmware Modification
Module Load
Windows Registry Key Modification
File Deletion
Process Metadata
Scheduled Job Creation
Network Share Access
Scheduled Job Modification
User Account
Windows Registry
Script
Operational Databases
Application Log
Logon Session
File
Drive
Command
Asset
Network Share
Network Traffic
Scheduled Job
Firmware
Service
Process
Module
Inhibit Response Function
Privilege Escalation
Lateral Movement
Discovery
Initial Access
Impact
Persistence
Execution
Command and Control
Collection
Evasion
Impair Process Control
Network Intrusion Prevention
Vulnerability Scanning
Limit Access to Resource Over Network
Filter Network Traffic
Restrict Web-Based Content
Application Developer Guidance
Limit Hardware Installation
User Training
Operating System Configuration
Data Backup
Execution Prevention
Code Signing
SSL/TLS Inspection
Boot Integrity
Network Segmentation
Threat Intelligence Program
Password Policies
User Account Management
Restrict File and Directory Permissions
Privileged Account Management
Restrict Registry Permissions
Antivirus/Antimalware
Multi-factor Authentication
Software Configuration
Application Isolation and Sandboxing
Audit
Exploit Protection
Active Directory Configuration
Update Software
Restrict Library Loading
Disable or Remove Feature or Program
Account Use Policies
Encrypt Sensitive Information
Leafminer