TID-308: Code Overwritten to Avoid Detection
Threat Description
A threat actor can overwrite a previously deployed or installed malicious program with a dummy program in order to evade detection of the malicious program. This can defeat monitoring tools or engineering software that perform periodic “Program Uploads” to inspect the contents of the program on the device, since the upload returns the dummy program rather than the malicious one.
While some devices use error detection codes such as CRCs or checksums to validate program contents, these are not cryptographically strong, and a threat actor can easily generate a dummy program with the same CRC/checksum (e.g., by padding the program).
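The following is an added illustration, not part of the EMB3D entry or any vendor tool: a periodic Program Upload is checked against a baseline recorded off-device at commissioning, comparing both a weak additive checksum and a SHA-256 digest, so that a padded dummy image which matches the checksum is still reported as a mismatch and logged. The program images, checksum and device identifier are constructed samples.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample images (not real controller programs): the program as
# commissioned, and a dummy an actor might write over it.
KNOWN_GOOD = b"\x7fPLC\x01ladder-logic-v3" + bytes(range(32))
DUMMY = b"\x7fPLC\x01NOP" + b"\x00" * 16


def additive_checksum(data: bytes) -> int:
    """8-bit additive checksum, standing in for the weak error-detection codes the entry mentions."""
    return sum(data) & 0xFF


def pad_to_checksum(data: bytes, target: int) -> bytes:
    """Append one filler byte so the additive checksum equals target; shows why a checksum match proves nothing."""
    return data + bytes([(target - additive_checksum(data)) & 0xFF])


def baseline_record(image: bytes) -> dict:
    """Record taken at commissioning and stored off-device: checksum and SHA-256 of the known-good image."""
    return {"checksum": additive_checksum(image), "sha256": hashlib.sha256(image).hexdigest()}


def verify_upload(uploaded: bytes, baseline: dict, device_id: str) -> dict:
    """Check a Program Upload against the baseline and return a log event (records the comparison, per CWE-778)."""
    checksum_ok = additive_checksum(uploaded) == baseline["checksum"]
    hash_ok = hashlib.sha256(uploaded).hexdigest() == baseline["sha256"]
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "device": device_id,
        "checksum_match": checksum_ok,
        "sha256_match": hash_ok,
        # The verdict depends only on the cryptographic digest, never on the checksum.
        "verdict": "OK" if hash_ok else "PROGRAM_MISMATCH",
    }


if __name__ == "__main__":
    base = baseline_record(KNOWN_GOOD)
    forged = pad_to_checksum(DUMMY, base["checksum"])  # checksum matches, contents do not
    print(verify_upload(KNOWN_GOOD, base, "plc-01"))
    print(verify_upload(forged, base, "plc-01"))
```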
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Indicator Removal on Host (T0872)
Procedure Example: Triton (S1009)
“Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics.”
CWE
CWE-223: Omission of Security-relevant Information
“The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.”
CWE-778: Insufficient Logging
“When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.”