AN-DET RootA Signature Pack Module 04

Fourteen vendor-neutral RootA detection signatures, one per AN-DET entry. Translate to your SIEM via Uncoder.io or equivalent. Back to workbook · Back to module

Signatures

IDTitleCoversSeverityCoverage
AN-DET:00 Anomalous console authentication AN:ATT:00 critical Full ⬇ .yml
AN-DET:01 End-user app binary integrity AN:ATT:01 high Full ⬇ .yml
AN-DET:02 Management-plane firmware abuse AN:ATT:02 critical Full ⬇ .yml
AN-DET:03 Operator credential anomaly AN:ATT:03 high Full ⬇ .yml
AN-DET:04 Out-of-pattern command authority AN:ATT:04 medium Partial ⬇ .yml
AN-DET:05 Lateral movement to mission control AN:ATT:05 high Full ⬇ .yml
AN-DET:06 Mass-encryption file-system anomaly AN:ATT:06 critical Full ⬇ .yml
AN-DET:07 RF noise-floor anomaly (jamming) AN:ATT:07 high Full ⬇ .yml
AN-DET:08 Replay-and-spoof command anomaly AN:ATT:08 high Partial ⬇ .yml
AN-DET:09 Downlink-disclosure watch AN:ATT:09 medium Gap ⬇ .yml
AN-DET:10 Destructive on-board command anomaly AN:ATT:10 critical Full ⬇ .yml
AN-DET:11 FSW attestation state mismatch AN:ATT:11 critical Full ⬇ .yml
AN-DET:12 Firmware hash mismatch (supply chain) AN:ATT:12 critical Full ⬇ .yml
AN-DET:13 Payload-data integrity mismatch AN:ATT:13 high Full ⬇ .yml

Example translation (Splunk SPL)

Translate any of these rules to your SIEM. Example: AN-DET:02 (mgmt-plane firmware abuse) in Splunk:

index=ground_mgmt source="device-mgmt-audit"
  (event_action="firmware_push" OR event_action="config_deploy" OR event_action="image_install")
  target_device="*modem*"
  maintenance_window="false"
| stats count by user, src_ip, target_device, event_action, _time

License

CC-BY 4.0. Use by Space ISAC members and the broader SCORP² community is encouraged. Cite eHs and the METEORSTORM taxonomy when redistributing.