SCOR Attack Paths
Informative galaxy: known attack paths through converged platforms. Every value uses the TEN form AN-ATT-Attack Path; individual paths are distinguished by meta.display_name and uuid. Each path describes initial access, lateral movement, and intended target (meta.initial-access, meta.lateral-movement, meta.intended-target), and lists the TENs it typically exploits in meta.toe-candidates (TOE reference notes in full TEN form). Relationships to TENs (the actual TOE relationship), Detection Signatures, and Resilience Measures are created by analysts in MISP, not precalculated here.
Authors
| Authors and/or Contributors |
|---|
| H4CK32N4U75® |
Network-management compromise via ground-segment edge appliance
Generic attack path. An adversary obtains access to a ground-segment management appliance (such as a misconfigured edge VPN or remote-access gateway) and pivots into the platform's management VLAN. From there the adversary reaches a modem- or terminal-management plane that legitimately ships firmware updates to user-segment endpoints, and uses the existing update channel to deliver a destructive or persistent payload at scale. Initial access is on the ground segment; lateral movement is through control-plane infrastructure; the intended target is user-segment software and firmware via an authenticated, expected delivery mechanism.
Internal MISP references
UUID 7e1c4a8b-3d5f-4e2a-9c8b-000000000001 can be used as a unique global reference for Network-management compromise via ground-segment edge appliance in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | meteorstorm:an="ATT" |
| audit-pending | true |
| display_name | Network-management compromise via ground-segment edge appliance |
| exposure_domain | ['Cyber Warfare'] |
| initial-access | AUDIT-PENDING |
| intended-target | AUDIT-PENDING |
| lateral-movement | AUDIT-PENDING |
| related-incidents | ['6f4e2d9b-3c5a-4d7f-8b2c-000000000009'] |
| ten | AN-ATT-Attack Path |
| toe-candidates | [] |
Low-altitude UAS incursion against ground infrastructure
Generic attack path. One or more uncrewed aerial systems are flown into the low-altitude airspace over a ground-segment facility (airfield, launch range, telemetry site, mission control campus). The intended target may be physical (collision, payload delivery), informational (reconnaissance, telemetry capture), or operational (denial of service by forcing protective shutdown of the ground facility). Initial access is via the aerial environment; lateral movement is the UAS itself transiting toward the target site; the intended target is ground-segment hardware, signals, or operations.
Internal MISP references
UUID 7e1c4a8b-3d5f-4e2a-9c8b-000000000002 can be used as a unique global reference for Low-altitude UAS incursion against ground infrastructure in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | meteorstorm:an="ATT" |
| audit-pending | true |
| display_name | Low-altitude UAS incursion against ground infrastructure |
| exposure_domain | ['Kinetic'] |
| initial-access | AUDIT-PENDING |
| intended-target | AUDIT-PENDING |
| lateral-movement | AUDIT-PENDING |
| related-incidents | ['6f4e2d9b-3c5a-4d7f-8b2c-000000000001'] |
| ten | AN-ATT-Attack Path |
| toe-candidates | [] |
Direct-ascent kinetic engagement of space-segment assets
Generic attack path. A direct-ascent or co-orbital interceptor is launched against a space-segment asset (satellite, on-orbit platform). The engagement may aim for destruction, manoeuvrable harassment, or denial of orbital capability. Secondary effects include large debris populations that degrade the orbital environment and impose collision risk on co-located assets. Initial access is via the orbital environment; lateral movement is the interceptor's transit to the engagement point; the intended target is space-segment hardware.
Internal MISP references
UUID 7e1c4a8b-3d5f-4e2a-9c8b-000000000003 can be used as a unique global reference for Direct-ascent kinetic engagement of space-segment assets in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | meteorstorm:an="ATT" |
| audit-pending | true |
| display_name | Direct-ascent kinetic engagement of space-segment assets |
| exposure_domain | ['Kinetic'] |
| initial-access | AUDIT-PENDING |
| intended-target | AUDIT-PENDING |
| lateral-movement | AUDIT-PENDING |
| related-incidents | [] |
| ten | AN-ATT-Attack Path |
| toe-candidates | [] |
GNSS deception against user-segment positioning receivers
Generic attack path. An adversary radiates spoofed or meaconed GNSS signals on the link segment with sufficient power and timing fidelity to be tracked by user-segment positioning receivers. The receivers report position, velocity, or time consistent with the spoofed signal rather than the true sky picture, causing platforms or operators relying on those receivers to act on false PNT. Initial access is on the link segment; lateral movement is the receiver's signal-acquisition and tracking loops; the intended target is user-segment signal processing.
Internal MISP references
UUID 7e1c4a8b-3d5f-4e2a-9c8b-000000000004 can be used as a unique global reference for GNSS deception against user-segment positioning receivers in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | meteorstorm:an="ATT" |
| audit-pending | true |
| display_name | GNSS deception against user-segment positioning receivers |
| exposure_domain | ['Electronic Warfare (EW)'] |
| initial-access | AUDIT-PENDING |
| intended-target | AUDIT-PENDING |
| lateral-movement | AUDIT-PENDING |
| related-incidents | [] |
| ten | AN-ATT-Attack Path |
| toe-candidates | [] |
Ground-to-platform command path via credential abuse
Path in which an adversary compromises ground-segment operator credentials and reaches the platform control plane through legitimate command channels.

Reference TENs:

- SEG-GR-Ground: The ground segment is the entry point: the operator workstation and ground infrastructure are where the credentials are abused.
- SVC-CP-Control Plane: The control plane is exploited to issue commands once the adversary holds valid sessions.
- AST-SW-Software: Ground-segment software (the operator console and command tooling) is the asset abused to reach the platform.

Internal MISP references
UUID 8d360306-04b1-58fa-a211-f21c4b6af2e8 can be used as a unique global reference for Ground-to-platform command path via credential abuse in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | AN-ATT |
| display_name | Ground-to-platform command path via credential abuse |
| initial-access | Compromise of ground-segment operator credentials (phishing or credential theft). |
| intended-target | Issuance of out-of-baseline commands to the platform control plane. |
| lateral-movement | Reuse of valid sessions to move from the operator workstation into the control-plane service. |
| related-incidents | [] |
| ten | AN-ATT-Attack Path |
| toe-candidates | ['SEG-GR-Ground', 'SVC-CP-Control Plane', 'AST-SW-Software'] |
Firmware implant introduced through supply chain
Path in which an adversary modifies firmware artifacts via a supplier and reaches the platform via the legitimate update pipeline.

Reference TENs:

- AST-SW-Software: Software artifacts in the supplier pipeline are the initial point of tampering.
- AST-FW-Firmware: Firmware is the ultimate artifact carrying the implant onto the platform.
- AST-HW-Hardware: Platform hardware is the host the implanted firmware persists on.

Internal MISP references
UUID be0a2d09-f46b-5f52-8f48-775356a9ed42 can be used as a unique global reference for Firmware implant introduced through supply chain in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | AN-ATT |
| display_name | Firmware implant introduced through supply chain |
| initial-access | Compromise of a supplier or integrator build artifact prior to delivery. |
| intended-target | Persistent firmware implant on platform hardware. |
| lateral-movement | Propagation of the tampered artifact through the legitimate update pipeline onto platform hardware. |
| related-incidents | [] |
| ten | AN-ATT-Attack Path |
| toe-candidates | ['AST-SW-Software', 'AST-FW-Firmware', 'AST-HW-Hardware'] |
PNT deception path against user segment
Path in which an adversary degrades user-segment PNT availability through RF deception, optionally as a precursor to a downstream operational disruption.

Reference TENs:

- SEG-US-User: The user segment is the target whose receivers are deceived.
- SEG-LI-Link: The link segment is the medium over which the deceptive signals are injected.
- AST-SI-Signal: Signal assets (the RF channels and receiver tracking loops) are the asset class manipulated.

Internal MISP references
UUID b0a43fb2-e3ff-5431-905c-1cb634c9e081 can be used as a unique global reference for PNT deception path against user segment in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | AN-ATT |
| display_name | PNT deception path against user segment |
| initial-access | RF-range proximity to the user segment sufficient to transmit deceptive PNT signals. |
| intended-target | Degradation or manipulation of user-segment positioning, navigation, and timing. |
| lateral-movement | Progressive capture of receiver tracking loops from authentic to deceptive signals. |
| related-incidents | [] |
| ten | AN-ATT-Attack Path |
| toe-candidates | ['SEG-US-User', 'SEG-LI-Link', 'AST-SI-Signal'] |
Mission data exfiltration via the data plane
Path in which an adversary obtains access to mission data products and exfiltrates them through abnormal egress channels on the data plane.

Reference TENs:

- SVC-DP-Data Plane: The data plane is the service whose mission products are targeted.
- AST-DA-Data: Data assets (the mission product stores) are the asset class exfiltrated.

Internal MISP references
UUID 6e32cdeb-9f4c-5564-bad0-06ec949916f7 can be used as a unique global reference for Mission data exfiltration via the data plane in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | AN-ATT |
| display_name | Mission data exfiltration via the data plane |
| initial-access | Compromise of a data-plane service account or processing node. |
| intended-target | Exfiltration of mission data products through abnormal egress channels. |
| lateral-movement | Traversal from the processing node to mission data stores. |
| related-incidents | [] |
| ten | AN-ATT-Attack Path |
| toe-candidates | ['SVC-DP-Data Plane', 'AST-DA-Data'] |