
Armis Overview
Vendor Configuration:  TRITON


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that Armis has participated in:
Evaluation: TRITON (2021)
  Detection Count:    140 across 100* substeps
  Analytic Coverage:  50 of 100* substeps
  Telemetry Coverage: 90 of 100* substeps
  Visibility:         90 of 100* substeps
*Detection for 2 substeps required actively querying the programmable logic controllers. Armis did not leverage this type of capability, so those substeps were removed.
Evaluation Overview
Choose an evaluation to drill down into the procedures used to test each tactic and technique. The clipboard on each cell will allow you to view the detection results.

Tactics: Collection, Command and Control, Discovery, Evasion, Execution, Impact, Impair Process Control, Inhibit Response Function, Initial Access, Lateral Movement, Persistence, Privilege Escalation.

Substeps (criteria and detections) are listed below.
9.D.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Status” attribute (attribute 0x05, instance 0x01, class 0x01) of the control PLC (10.0.100.110).

Detections:
16.C.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Status” attribute (attribute 0x05, instance 0x01, class 0x01) of the safety PLC (10.0.100.105).

Detections:
20.A.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Status” attribute (attribute 0x05, instance 0x01, class 0x01) of the safety PLC (10.0.100.105).

Detections:
20.D.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Status” attribute (attribute 0x05, instance 0x01, class 0x01) of the control PLC (10.0.100.110).

Detections:
24.A.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Status” attribute (attribute 0x05, instance 0x01, class 0x01) of the safety PLC (10.0.100.105).

Detections:
1.A.1
Criteria:

Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as RDP.

Detections:
1.A.2
Criteria:

Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the “mstsc.exe” process as RDP. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
4.B.2
Criteria:

Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.

Detections:
4.C.1
Criteria:

Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the “mstsc.exe” process. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
6.E.2
Criteria:

Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.

Detections:
7.A.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SFTP.

Detections:
7.A.2
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the “sftp-server.exe” process. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
7.B.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SSH.

Detections:
7.B.2
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
10.A.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the Control EWS (10.0.100.20) tunneling RDP traffic over SSH.

Detections:
10.A.2
Criteria:

Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the “mstsc.exe” process as RDP. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
10.B.1
Criteria:

Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as RDP.

Detections:
10.B.2
Criteria:

Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via the “mstsc.exe” process as RDP. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
12.A.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SSH.

Detections:
12.A.2
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
14.A.1
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via “scp”. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
15.A.1
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.

Detections:
15.A.2
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
17.A.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the “sftp-server.exe” process. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
17.A.2
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SFTP.

Detections:
18.A.1
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) to transfer “Install_GuardLogix.zip” over scp.

Detections:
18.A.2
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via “scp”. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
19.A.1
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.

Detections:
19.A.2
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
23.A.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SSH.

Detections:
23.A.2
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
23.B.1
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.

Detections:
23.B.2
Criteria:

Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
25.D.1
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as SSH.

Detections:
25.D.2
Criteria:

Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via “csp.exe” [SSHD]. Successful logon as user “Engineer” may be present or as a part of the connection and process creation.

Detections:
9.A.2
Criteria:

Evidence that a network discovery scan for TCP port 44818 was initiated from the control EWS (10.0.100.20) on hosts across the whole subnet (10.0.100.1-10.0.100.255).

Detections:
9.B.2
Criteria:

Evidence of the network discovery broadcast request sent from the control EWS (10.0.100.15) over TCP port 44818.

Detections:
16.A.2
Criteria:

Evidence of the network discovery broadcast request sent from the safety EWS (10.0.100.15) over TCP port 44818.

Detections:
9.C.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Device Type” attribute (instance 0x01, class 0x01) of the control PLC (10.0.100.110).

Detections:
16.B.2
Criteria:

Evidence of an adversary initiated Get Attribute Single CIP request for the “Device Type” attribute (instance 0x01, class 0x01) of the safety PLC (10.0.100.105).

Detections:
22.A.2
Criteria:

Evidence of the safety PLC operating mode being switched to Program Mode following adversary CIP request to instance 0x01 of class 0x8E using service 0x07.

Detections:
3.A.1
Criteria:

Evidence that the newly created files copied from the RDP shared folder into the control EWS Temp SMB directory are not legitimate (“SMBClient.exe”, “SMB_Sync.xml”, and “SMB_Update.xml”).

Detections:
4.A.1
Criteria:

Evidence that the scheduled task “SMB_sync.xml” is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).

Detections:
4.B.1
Criteria:

Evidence that the “SMBClient.exe” process is not legitimate (binary is a spoofed plink.exe used to create an SSH tunnel and redirect ports).

Detections:
5.A.1
Criteria:

Evidence that the newly created files from the extraction of “csp3.zip” in the Temp Rockwell directory are not legitimate (“csp.exe”, “Install-csp.ps1”, “csp-agent.exe”, “sftp.exe”, etc.).

Detections:
6.B.1
Criteria:

Evidence that the “rockwell-csp3” service is not legitimate (service is a spoofed SSHD, created then executed via Start-Service).

Detections:
6.C.1
Criteria:

Evidence that the “csp-agent” service is not legitimate (service is a spoofed ssh-agent, created then executed via Start-Service).

Detections:
6.D.1
Criteria:

Evidence that the scheduled task “SMB_update.xml” is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).

Detections:
6.E.1
Criteria:

Evidence that the “SMBClient.exe” process is not legitimate (binary is a spoofed plink.exe used to create an SSH tunnel and redirect ports).

Detections:
8.A.1
Criteria:

Evidence that the newly created files from the extraction of “RSLINX_install.zip” in the Temp Rockwell RSLINX directory are not legitimate (“RSLINX.exe” and “LogixMap.exe”).

Detections:
11.A.1
Criteria:

Evidence that the newly created files from the extraction of “RSLINX_install.zip” in the Temp Rockwell RSLINX directory are not legitimate (“RSLINX.exe” and “LogixMap.exe”).

Detections:
11.C.1
Criteria:

Evidence that the services “rockwell-csp3” and “csp-agent” are not legitimate (the underlying services are a spoofed SSHD and a spoofed ssh-agent, created then executed via Start-Service).

Detections:
14.B.1
Criteria:

Evidence that the newly created files from the extraction of “RSLINX_install.zip” in the Temp Rockwell RSLINX directory are not legitimate (“RSLINX.exe” and “LogixMap.exe”).

Detections:
17.B.1
Criteria:

Evidence that the newly created files from the extraction of “Install_RSLogix.zip” in the Temp Rockwell RSLogix directory are not legitimate (“RSLogix5000.exe”, “RSComms.exe”, etc.).

Detections:
19.B.1
Criteria:

Evidence that the newly created files from the extraction of “Install_GuardLogix.zip” in the Temp Rockwell GuardLogix directory are not legitimate (“RSLogix5000.exe”, “RSComms.exe”, “abRSA.exe”, etc.).

Detections:
2.B.1
Criteria:

Evidence of an adversary initiated program upload action of the control PLC (10.0.100.110) to collect the current running configuration (requested from the safety EWS [10.0.100.20]).

Detections:
9.E.2
Criteria:

Evidence that all controller and program tag names were requested over CIP from the control PLC (10.0.100.110) to the control EWS (10.0.100.20).

Detections:
13.A.1
Criteria:

Evidence of an adversary initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).

Detections:
16.D.2
Criteria:

Evidence that all controller and program tag names were requested over CIP from the safety PLC (10.0.100.105) to the safety EWS (10.0.100.15).

Detections:
20.B.2
Criteria:

Evidence of an adversary initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).

Detections:
20.C.2
Criteria:

Evidence of an adversary initiated read action of the “CC” tag using the 0x4C CIP service.

Detections:
20.C.3
Criteria:

Evidence of an adversary initiated write tag action to the “CC” tag using the 0x4D CIP service (a low value of “0” or False was written).

Detections:
21.E.2
Criteria:

Evidence of abuse of a CIP handshake between the control EWS and control PLC resulting in an adversary privilege escalation (handshake sequence consisted of a service 0x4B class 0x64 initiation request and 0x4C class 0x64 challenge response).

Detections:
21.F.2
Criteria:

Evidence of adversary initiated write tag actions to the “eR01_3ZC2071” and “f3ZC2071_HMI_Enb” tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to “0” [percent open] and HMI_Enb was pulsed to remove cascade control).

Detections:
24.B.2
Criteria:

Evidence of an adversary initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).

Detections:
24.C.2
Criteria:

Evidence of an adversary initiated read action of the “CC” tag using the 0x4C CIP service.

Detections:
24.C.3
Criteria:

Evidence of an adversary initiated write tag action to the “CC” tag using the 0x4D CIP service (a low value of “1” or True was written).

Detections:
25.E.2
Criteria:

Evidence of abuse of a CIP handshake between the control EWS and control PLC resulting in an adversary privilege escalation (handshake sequence consisted of a service 0x4B class 0x64 initiation request and 0x4C class 0x64 challenge response).

Detections:
25.E.3
Criteria:

Evidence of adversary initiated write tag actions to the “eR01_3ZC2071” and “f3ZC2071_HMI_Enb” tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to “0” [percent open] and HMI_Enb was pulsed to remove cascade control).

Detections:
25.G.3
Criteria:

Evidence of write actions occurring on the tags “eR01_3ZC2071” and “f3ZC2071_HMI_Enb” to change setpoints and control actions with the CIP service 0x4D and service 0x51, respectively. HMI_Enb was pulsed to remove cascade control and the air damper setpoint tag was written to “100” [percent open].

Detections:
25.F.1
Criteria:

Evidence of the safety HMI (10.0.100.16) writing to the safety PLC (10.0.100.105). Manual trip actions were engaged through onsite access by process operators on the HMI to disable the burner management system.

Detections:
25.G.2
Criteria:

Evidence of a privileged write or force point action being used to overwrite polled tag values on the control PLC when the adversary initiated the CIP service 0x51 within the class 0x6A. The tags associated with the Ignitor (3XY2070) and Flame Sensor (3HS2070) were the target of these actions.

Detections:
25.G.4
Criteria:

Evidence that a privileged write action occurred and actuated all forced points set in the logic (Enable all forces in Allen Bradley) following the adversary request to class 0x69 using service 0x4D.

Detections:
20.B.3
Criteria:

Evidence of an adversary initiated online edit action on the safety PLC (10.0.100.105), requested from the safety EWS (10.0.100.15).

Detections:
22.B.2
Criteria:

Evidence of an adversary initiated program download action on the safety PLC (10.0.100.105) to overwrite the current configuration (requested from the safety EWS [10.0.100.15]).

Detections:
24.B.3
Criteria:

Evidence of an adversary initiated online edit action on the safety PLC (10.0.100.105), requested from the safety EWS (10.0.100.15).

Detections:
20.B.4
Criteria:

Evidence that the program “P04_Trips_FO_R00_Trips” on the safety PLC was modified to include new function block logic and a “CC” tag for command and control.

Detections:
24.B.4
Criteria:

Evidence that the program “P04_Trips_FO_R00_Trips” on the safety PLC was modified to include new function block logic and a “CC” tag for command and control.

Detections:

Results Graphs (figures not reproduced here): Detections Type Distribution by Step; Detections Type Distribution by Sub-step; Detection Type Frequency by Sub-step.