TA005 Persistence · T005.003 — Technique
GCS Persistence
Establishment of persistent access within the GCS operating environment via scheduled tasks, startup scripts, or implanted plugins.
Sub-techniques (4)
- Malicious GCS plugin auto-load
- OS-level persistence (cron, systemd, registry)
- Credential harvesting implant
- Remote access trojan on GCS host
Applicable countermeasures
CM-003 Firmware Integrity and Secure Boot
Cryptographic signing and hardware-enforced verification of all firmware images at boot using a hardware root of trust.
NIST SP 800-53 SI-7 · NIST SP 800-193 · DO-326A · IEC 62443-4-2 CR 3.4
CM-007 Physical Debug Interface Protection
Disabling or cryptographically protecting all JTAG/UART/USB debug interfaces on production hardware.
NIST SP 800-53 AC-3 · IEC 62443-4-2 CR 1.1 · NIST SP 800-193 · DO-326A Sec 5
CM-008 GCS Network Segmentation and Hardening
Isolation of GCS from enterprise networks, least-privilege access enforcement, host hardening, and network anomaly detection.
NIST SP 800-53 SC-7 · CIS Controls v8 Control 12 · ISO/IEC 27001 A.13 · NSA/CISA Segmentation Guide
CM-010 Swarm Node Mutual Authentication
Open in the interactive matrix
Cryptographic mutual authentication between all swarm nodes with message integrity to prevent rogue insertion and hopping.
NIST SP 800-53 IA-3 · IEEE 1609.2 · STANAG 4586 · IEC 62443-3-3 SR 1.2