14 AN-DET ETENs + 14 IR Playbooks, Written with the SOC
Fourteen detection signatures in vendor-neutral RootA format covering yesterday’s attack paths, plus one IR playbook per path naming the response moves and the analyst who owns each one. Path steps with no observable telemetry are declared coverage gaps and handed back to engineering as work to close.
USER
2
AN-DET
GROUND
5
AN-DET
LINK
3
AN-DET
SPACE
4
AN-DET
Exported byverifying identity…
Exported at…
ClassificationTLP:GREEN · SCORP² community only
DistributionInternal cohort and confirmed instructors only
TLP:GREENSCORP² community only · do not redistribute outside cohort
If you received this file from outside the cohort, please notify william.o.ferguson@ethicallyhacking.space and delete it.
Cumulative Decomposition Diagram
The complete artifact stack against the reference platform as of end of this module. New layer added this module is highlighted; prior layers show as context.
RootA Signature Pack
Fourteen vendor-neutral RootA detection signatures, one per AN-DET entry. Each rule watches the
data and signal sources identified in the matching AN-ATT entry from Module 03. Translate to
your SIEM via Uncoder.io or
equivalent. Tags round-trip against the live
METEORSTORM MISP taxonomy.
Each entry is one AN-DET (detection signature). ID is the AN:DET:Detection Signature:ORDINAL identifier. Description narrates what the signature looks for. Covers links to the AN-ATT step it observes. TDM names the structural element the signature watches. Format is RootA (vendor-neutral). Source cites the framework or post-incident reference behind the signature. Coverage rates whether the signature is Full (signal exists), Partial (depends on baseline / telemetry richness), or Gap (signal does not currently exist; engineering work to close). Each per-segment block is followed by the IR playbooks paired with those signatures.
Isolate the source host from the operator network at the segment boundary.
Verify no mission-control host accepted inbound traffic from the source; check for new auth events or process spawns.
Pull full network flow + EDR telemetry from source and any contacted mission-control hosts.
Coordinate with SatDev/Eng on segment-boundary rule tightening.
Owners: SOC on-call (steps 1–3); SatDev/Eng network lead (step 4).
PB-06
Ransomware response (launch infrastructure)
Triggered by: AN-DET:06
Isolate affected hosts from the network immediately; do not power down.
Activate the launch-control continuity plan if launch operations are in window.
Engage the cyber-incident lead and SatOps leadership; communicate per the disclosure protocol.
Coordinate with SatDev/Eng and the backup team on restoration from known-good backups; rebuild rather than decrypt.
Hand to forensics for post-incident root-cause; feed lessons into the patch-pipeline hardening.
Owners: SOC on-call (steps 1, 5); SatOps launch-control lead (step 2); cyber-incident lead (step 3); SatDev/Eng backup team (step 4).
LINKLink Segment, 3 AN-DET + 3 Playbooks
ID
AN-DET ETEN
AN-DET:07
Sustained noise-floor anomaly across uplink/downlink bands.CoversAN:ATT:Attack Path:07TDMSVC:HY:Hybrid:02 RF metrics; AST:SI:Signal:00 SNR + BER streamFormatRootASourceITU interference-reporting guidance; SPARTA SPACE-T1429CoverageFull
AN-DET:08
Replay-and-spoof anomaly: command-waveform sequences with valid auth tags but anomalous timing, or session keys appearing in unexpected places.CoversAN:ATT:Attack Path:08TDMSVC:CP:Control Plane:05 auth audit; SVC:CP:Control Plane:09 key-material audit; AST:SI:Signal:00 command-timing streamFormatRootASourceSPARTA SPACE-T1428CoveragePartial, requires command-cadence baseline
AN-DET:09
Downlink interception is largely passive. Signature watches for follow-on disclosure of intercepted content rather than the interception itself.CoversAN:ATT:Attack Path:09TDMOSINT collection monitoring; threat-intel feeds for leaked mission-product mentionsFormatRootA + external watchSourceSPARTA SPACE-T1427CoverageGap, mitigate via downlink encryption + disclosure monitoring
Paired Playbooks
PB-07
Jamming response
Triggered by: AN-DET:07
Confirm via secondary ground station that the elevated noise is platform-targeted vs. local interference.
Switch to backup band / spread-spectrum mode per the operational playbook if confirmed.
File geolocation request with the interference-mitigation team; coordinate with regulatory liaison.
Notify SatOps to adjust pass scheduling around affected windows if persistent.
Block all in-flight commands matching the suspect signature; require manual reauthorization from the ground.
Force session-key rotation on both ground and space sides.
Audit recent commanding history for accepted commands that match the suspect pattern; flag any for SatOps review.
Engage SatDev/Eng if accepted commands suggest key material is compromised at rest.
Owners: SOC on-call (step 1); crypto team (step 2); SatOps commanding lead (step 3); SatDev/Eng crypto lead (step 4).
PB-09
Downlink interception (suspected) response
Triggered by: AN-DET:09
Confirm the disclosed material is genuine via cryptographic provenance check.
Notify mission-product consumers of the disclosure and recommended next steps.
Escalate to legal / disclosure-management team per the platform’s protocol.
Engage SatDev/Eng on downlink encryption status review; track as a hardening priority.
Owners: SOC on-call (step 1); mission-product lead (step 2); legal / disclosure team (step 3); SatDev/Eng crypto lead (step 4).
SPACESpace Segment, 4 AN-DET + 4 Playbooks
ID
AN-DET ETEN
AN-DET:10
Out-of-pattern bus commanding: sequences against ADCS/EPS/FTS outside the active mission profile or violating safe-mode rules.CoversAN:ATT:Attack Path:10TDMSVC:HY:Hybrid:00 command-acceptance audit; SVC:CP:Control Plane:00/02/03 command streamsFormatRootA + ground-side commanding auditSourceSPARTA SPACE-T1029CoveragePartial, ground audit fills most of on-board telemetry gap
AN-DET:11
Unauthorized FSW state change: unexpected mode transitions or configuration writes on the OBC not initiated by an authorized ground command.CoversAN:ATT:Attack Path:11TDMAST:HW:Hardware:06 state audit; AST:SW:Software:06 configuration-write log; SVC:CP:Control Plane:01 auditFormatRootA + ground-side correlationSourceSPARTA SPACE-T1014CoveragePartial, depends on on-board telemetry richness
AN-DET:12
Firmware-hash mismatch at boot.CoversAN:ATT:Attack Path:12TDMAST:FW:Firmware:00/01/02 boot-attestation streamFormatRootA + on-board attestationSourceNIST SP 800-193; SolarWinds (2020) post-incident retrospectivesCoverageFull, if measured boot / attestation is implemented
AN-DET:13
Payload-data integrity mismatch: downlinked hash does not match the on-board signature computed before transmission.CoversAN:ATT:Attack Path:13TDMSVC:DP:Data Plane:00 integrity stream; SVC:DP:Data Plane:01 signature auditFormatRootA + cryptographic verification on the groundSourceSPARTA SPACE-T1059CoverageFull, if end-to-end signing is implemented
Paired Playbooks
PB-10
Destructive bus commanding response
Triggered by: AN-DET:10
Block the suspect command sequence at the ground; require dual-signoff before any subsequent commanding to ADCS / EPS / FTS.
Switch the platform into a defined safe mode if the sequence appears to have reached the bus.
Audit the full commanding history of the originating account / workstation.
Coordinate with SatDev/Eng and Mission Director on continuity plan.
Owners: SOC on-call (steps 1, 3); SatOps mission director (step 2, 4); SatDev/Eng bus lead (step 4).
PB-11
Unauthorized FSW state change response
Triggered by: AN-DET:11
Reconcile the unexpected state change against ground-side command logs; identify whether any authorized command could have caused it.
If no authorized cause, revert to the previous known-good FSW state where possible.
Engage SatDev/Eng for FSW forensic review and possible re-upload of a verified image.
Owners: SOC on-call (step 1); SatOps FSW lead (step 2); SatDev/Eng FSW team (step 3).
PB-12
Firmware-hash mismatch response
Triggered by: AN-DET:12
Hold the affected component in its current state; do not allow it to take operational role.
Compare measured hash against the signed expected value; engage the firmware build team for source-of-discrepancy investigation.
If on-orbit: switch to the redundant component if available; coordinate with SatOps.
Engage SatDev/Eng supply-chain lead for upstream investigation.
Owners: SOC on-call (step 1); FSW build team (step 2); SatOps redundancy lead (step 3); SatDev/Eng supply-chain (step 4).
PB-13
Payload-data integrity mismatch response
Triggered by: AN-DET:13
Hold the affected mission product; do not release to downstream consumers until verified.
Re-request the original telemetry from the platform with end-to-end integrity check.
If mismatch persists, engage SatDev/Eng payload-data lead for on-board investigation.
Notify mission-product consumers of the integrity hold per the disclosure protocol.
Owners: SOC on-call (step 1); SatOps mission-product lead (step 2, 4); SatDev/Eng payload-data lead (step 3).