Save these enumerated signatures and playbooks as a PDF using your browser’s print dialog.

▸ RootA Signature Pack ↓ Download .zip ← Back to module
Full Spectrum Space Cybersecurity Professional

Day 4 Enumerated Signatures & Playbooks

14 AN-DET ETENs + 14 IR Playbooks, Written with the SOC

Fourteen detection signatures in vendor-neutral RootA format covering yesterday’s attack paths, plus one IR playbook per path naming the response moves and the analyst who owns each one. Path steps with no observable telemetry are declared coverage gaps and handed back to engineering as work to close.

USER
2
AN-DET
GROUND
5
AN-DET
LINK
3
AN-DET
SPACE
4
AN-DET
Exported byverifying identity…
Exported at
ClassificationTLP:GREEN · SCORP² community only
DistributionInternal cohort and confirmed instructors only
TLP:GREEN SCORP² community only · do not redistribute outside cohort
Exported by: Exported at: Distribution: Internal cohort + confirmed instructors
If you received this file from outside the cohort, please notify william.o.ferguson@ethicallyhacking.space and delete it.

Cumulative Decomposition Diagram

The complete artifact stack against the reference platform as of end of this module. New layer added this module is highlighted; prior layers show as context.

Cumulative decomposition diagram

RootA Signature Pack

Fourteen vendor-neutral RootA detection signatures, one per AN-DET entry. Each rule watches the data and signal sources identified in the matching AN-ATT entry from Module 03. Translate to your SIEM via Uncoder.io or equivalent. Tags round-trip against the live METEORSTORM MISP taxonomy.

Download the full pack as a single zip: ↓ an-det-roota-pack.zip · or browse the individual rules and example translations.

IDTitleCoversCoverageDownload
AN-DET:00Anomalous console authenticationAN:ATT:00Full↓ .yml
AN-DET:01End-user app binary integrityAN:ATT:01Full↓ .yml
AN-DET:02Management-plane firmware abuseAN:ATT:02Full↓ .yml
AN-DET:03Operator credential anomalyAN:ATT:03Full↓ .yml
AN-DET:04Out-of-pattern command authorityAN:ATT:04Partial↓ .yml
AN-DET:05Lateral movement to mission controlAN:ATT:05Full↓ .yml
AN-DET:06Mass-encryption file-system anomalyAN:ATT:06Full↓ .yml
AN-DET:07RF noise-floor anomaly (jamming)AN:ATT:07Full↓ .yml
AN-DET:08Replay-and-spoof command anomalyAN:ATT:08Partial↓ .yml
AN-DET:09Downlink-disclosure watchAN:ATT:09Gap↓ .yml
AN-DET:10Destructive on-board command anomalyAN:ATT:10Full↓ .yml
AN-DET:11FSW attestation state mismatchAN:ATT:11Full↓ .yml
AN-DET:12Firmware hash mismatch (supply chain)AN:ATT:12Full↓ .yml
AN-DET:13Payload-data integrity mismatchAN:ATT:13Full↓ .yml

How to Read

Each entry is one AN-DET (detection signature). ID is the AN:DET:Detection Signature:ORDINAL identifier. Description narrates what the signature looks for. Covers links to the AN-ATT step it observes. TDM names the structural element the signature watches. Format is RootA (vendor-neutral). Source cites the framework or post-incident reference behind the signature. Coverage rates whether the signature is Full (signal exists), Partial (depends on baseline / telemetry richness), or Gap (signal does not currently exist; engineering work to close). Each per-segment block is followed by the IR playbooks paired with those signatures.

USERUser Segment, 2 AN-DET + 2 Playbooks

IDAN-DET ETEN
AN-DET:00Anomalous console authentication.CoversAN:ATT:Attack Path:00TDMAST:HW:Hardware:04 auth logs; SVC:CP:Control Plane:13 console-ops auditFormatRootASourceMITRE ATT&CK T1110, T1078CoverageFull
AN-DET:01End-user application binary integrity.CoversAN:ATT:Attack Path:01TDMAST:SW:Software:08 file-integrity stream; SVC:DP:Data Plane:02 auditFormatRootASourceMITRE ATT&CK T1565; SolarWinds detection retrospectives (CISA AA20-352A)CoverageFull

Paired Playbooks

PB-00
Console credential compromise response
Triggered by: AN-DET:00
  1. Disable the affected operator account immediately and force re-authentication via the auth team.
  2. Pull commanding history for the past 12 hours; flag any commands issued from the suspect session for SatOps review.
  3. Rotate any session keys or cached credentials held on the console workstation.
  4. Escalate to SatDev/Eng if any out-of-pattern commands were accepted; otherwise hand to identity team for credential lifecycle review.
Owners: SOC on-call (steps 1–2); SatOps console lead (step 2 review); identity team (step 3); SatDev/Eng on-call (step 4 if needed).
PB-01
End-user application tampering response
Triggered by: AN-DET:01
  1. Quarantine the affected workstation; preserve the modified binary for forensics.
  2. Re-install the end-user application from a known-good signed source; verify hash against the vendor manifest.
  3. Pull all displayed mission product served from the affected workstation in the past 24 hours; flag for re-verification by SatOps.
  4. Coordinate with SatDev/Eng on supply-chain investigation if the modification appears to predate workstation arrival.
Owners: SOC on-call (steps 1–3); SatOps mission-product lead (step 3); SatDev/Eng supply-chain lead (step 4).

GROUNDGround Segment, 5 AN-DET + 5 Playbooks

IDAN-DET ETEN
AN-DET:02Management-plane abuse: firmware-push operations from the modem management interface outside maintenance windows.CoversAN:ATT:Attack Path:02 (KA-SAT-style)TDMSVC:CP:Control Plane:09 audit; AST:DA:Data:02 deployment log; AST:SW:Software:03 execution logFormatRootASourceViasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRainCoverageFull
AN-DET:03Operator credential anomaly: impossible travel, off-hours sign-ins, or new-geolocation patterns.CoversAN:ATT:Attack Path:03TDMAST:DA:Data:01 auth audit; SVC:CP:Control Plane:09 sign-in streamFormatRootASourceMITRE ATT&CK T1078CoverageFull
AN-DET:04Out-of-pattern command authority usage: off-hours, missing peer-review tags, or sequences inconsistent with the active mission profile.CoversAN:ATT:Attack Path:04TDMAST:HW:Hardware:04 usage stream; SVC:CP:Control Plane:13 command auditFormatRootASourceMITRE ATT&CK T1078.003; NIST SP 800-53 PS-7CoveragePartial, depends on per-operator baselines
AN-DET:05Lateral movement to mission control: east-west flows outside documented allow-list.CoversAN:ATT:Attack Path:05TDMNetwork flow telemetry; SVC:CP:Control Plane:13 connection auditFormatRootASourceMITRE ATT&CK TA0008CoverageFull
AN-DET:06Mass encryption / file-system anomaly: high-rate write-and-rename with entropy shift.CoversAN:ATT:Attack Path:06TDMSVC:CP:Control Plane:10 file-system audit; AST:DA:Data:02 integrity stream; AST:SW:Software:03 auditFormatRootASourceCISA Stop Ransomware; MITRE ATT&CK T1486CoverageFull

Paired Playbooks

PB-02
Management-plane abuse / mass firmware-push response
Triggered by: AN-DET:02
  1. Halt the deployment pipeline immediately; revoke the pushing identity’s authority.
  2. Inventory which devices received the firmware push; compare deployed hash against the signed expected value.
  3. Activate the rollback procedure on affected devices; coordinate with SatOps for any operational impact.
  4. Engage SatDev/Eng to investigate the upstream VPN appliance and management-network entry point.
Owners: SOC on-call (steps 1–2); SatOps modem-fleet lead (step 3); SatDev/Eng network lead (step 4).
PB-03
Operator credential anomaly response
Triggered by: AN-DET:03
  1. Step up authentication on the suspect account (require additional MFA challenge).
  2. Review session activity in the affected window; flag any commanding actions.
  3. If session was used, follow PB-00 from step 1 onward.
Owners: SOC on-call; identity team.
PB-04
Insider misuse response
Triggered by: AN-DET:04
  1. Hold any pending command sequences in the queue for peer review before transmission.
  2. Engage HR / personnel-security lead per the platform’s insider-threat protocol.
  3. Pull the operator’s full session history; correlate with shift-change records.
  4. Recommend continued monitoring or account suspension based on findings.
Owners: SOC on-call (steps 1, 3); HR / personnel-security (step 2, 4); SatOps console lead (step 1 enforcement).
PB-05
Lateral movement to mission control response
Triggered by: AN-DET:05
  1. Isolate the source host from the operator network at the segment boundary.
  2. Verify no mission-control host accepted inbound traffic from the source; check for new auth events or process spawns.
  3. Pull full network flow + EDR telemetry from source and any contacted mission-control hosts.
  4. Coordinate with SatDev/Eng on segment-boundary rule tightening.
Owners: SOC on-call (steps 1–3); SatDev/Eng network lead (step 4).
PB-06
Ransomware response (launch infrastructure)
Triggered by: AN-DET:06
  1. Isolate affected hosts from the network immediately; do not power down.
  2. Activate the launch-control continuity plan if launch operations are in window.
  3. Engage the cyber-incident lead and SatOps leadership; communicate per the disclosure protocol.
  4. Coordinate with SatDev/Eng and the backup team on restoration from known-good backups; rebuild rather than decrypt.
  5. Hand to forensics for post-incident root-cause; feed lessons into the patch-pipeline hardening.
Owners: SOC on-call (steps 1, 5); SatOps launch-control lead (step 2); cyber-incident lead (step 3); SatDev/Eng backup team (step 4).

LINKLink Segment, 3 AN-DET + 3 Playbooks

IDAN-DET ETEN
AN-DET:07Sustained noise-floor anomaly across uplink/downlink bands.CoversAN:ATT:Attack Path:07TDMSVC:HY:Hybrid:02 RF metrics; AST:SI:Signal:00 SNR + BER streamFormatRootASourceITU interference-reporting guidance; SPARTA SPACE-T1429CoverageFull
AN-DET:08Replay-and-spoof anomaly: command-waveform sequences with valid auth tags but anomalous timing, or session keys appearing in unexpected places.CoversAN:ATT:Attack Path:08TDMSVC:CP:Control Plane:05 auth audit; SVC:CP:Control Plane:09 key-material audit; AST:SI:Signal:00 command-timing streamFormatRootASourceSPARTA SPACE-T1428CoveragePartial, requires command-cadence baseline
AN-DET:09Downlink interception is largely passive. Signature watches for follow-on disclosure of intercepted content rather than the interception itself.CoversAN:ATT:Attack Path:09TDMOSINT collection monitoring; threat-intel feeds for leaked mission-product mentionsFormatRootA + external watchSourceSPARTA SPACE-T1427CoverageGap, mitigate via downlink encryption + disclosure monitoring

Paired Playbooks

PB-07
Jamming response
Triggered by: AN-DET:07
  1. Confirm via secondary ground station that the elevated noise is platform-targeted vs. local interference.
  2. Switch to backup band / spread-spectrum mode per the operational playbook if confirmed.
  3. File geolocation request with the interference-mitigation team; coordinate with regulatory liaison.
  4. Notify SatOps to adjust pass scheduling around affected windows if persistent.
Owners: SOC on-call (step 1); SatOps link-ops lead (steps 2, 4); regulatory liaison (step 3).
PB-08
Replay-and-spoof response
Triggered by: AN-DET:08
  1. Block all in-flight commands matching the suspect signature; require manual reauthorization from the ground.
  2. Force session-key rotation on both ground and space sides.
  3. Audit recent commanding history for accepted commands that match the suspect pattern; flag any for SatOps review.
  4. Engage SatDev/Eng if accepted commands suggest key material is compromised at rest.
Owners: SOC on-call (step 1); crypto team (step 2); SatOps commanding lead (step 3); SatDev/Eng crypto lead (step 4).
PB-09
Downlink interception (suspected) response
Triggered by: AN-DET:09
  1. Confirm the disclosed material is genuine via cryptographic provenance check.
  2. Notify mission-product consumers of the disclosure and recommended next steps.
  3. Escalate to legal / disclosure-management team per the platform’s protocol.
  4. Engage SatDev/Eng on downlink encryption status review; track as a hardening priority.
Owners: SOC on-call (step 1); mission-product lead (step 2); legal / disclosure team (step 3); SatDev/Eng crypto lead (step 4).

SPACESpace Segment, 4 AN-DET + 4 Playbooks

IDAN-DET ETEN
AN-DET:10Out-of-pattern bus commanding: sequences against ADCS/EPS/FTS outside the active mission profile or violating safe-mode rules.CoversAN:ATT:Attack Path:10TDMSVC:HY:Hybrid:00 command-acceptance audit; SVC:CP:Control Plane:00/02/03 command streamsFormatRootA + ground-side commanding auditSourceSPARTA SPACE-T1029CoveragePartial, ground audit fills most of on-board telemetry gap
AN-DET:11Unauthorized FSW state change: unexpected mode transitions or configuration writes on the OBC not initiated by an authorized ground command.CoversAN:ATT:Attack Path:11TDMAST:HW:Hardware:06 state audit; AST:SW:Software:06 configuration-write log; SVC:CP:Control Plane:01 auditFormatRootA + ground-side correlationSourceSPARTA SPACE-T1014CoveragePartial, depends on on-board telemetry richness
AN-DET:12Firmware-hash mismatch at boot.CoversAN:ATT:Attack Path:12TDMAST:FW:Firmware:00/01/02 boot-attestation streamFormatRootA + on-board attestationSourceNIST SP 800-193; SolarWinds (2020) post-incident retrospectivesCoverageFull, if measured boot / attestation is implemented
AN-DET:13Payload-data integrity mismatch: downlinked hash does not match the on-board signature computed before transmission.CoversAN:ATT:Attack Path:13TDMSVC:DP:Data Plane:00 integrity stream; SVC:DP:Data Plane:01 signature auditFormatRootA + cryptographic verification on the groundSourceSPARTA SPACE-T1059CoverageFull, if end-to-end signing is implemented

Paired Playbooks

PB-10
Destructive bus commanding response
Triggered by: AN-DET:10
  1. Block the suspect command sequence at the ground; require dual-signoff before any subsequent commanding to ADCS / EPS / FTS.
  2. Switch the platform into a defined safe mode if the sequence appears to have reached the bus.
  3. Audit the full commanding history of the originating account / workstation.
  4. Coordinate with SatDev/Eng and Mission Director on continuity plan.
Owners: SOC on-call (steps 1, 3); SatOps mission director (step 2, 4); SatDev/Eng bus lead (step 4).
PB-11
Unauthorized FSW state change response
Triggered by: AN-DET:11
  1. Reconcile the unexpected state change against ground-side command logs; identify whether any authorized command could have caused it.
  2. If no authorized cause, revert to the previous known-good FSW state where possible.
  3. Engage SatDev/Eng for FSW forensic review and possible re-upload of a verified image.
Owners: SOC on-call (step 1); SatOps FSW lead (step 2); SatDev/Eng FSW team (step 3).
PB-12
Firmware-hash mismatch response
Triggered by: AN-DET:12
  1. Hold the affected component in its current state; do not allow it to take operational role.
  2. Compare measured hash against the signed expected value; engage the firmware build team for source-of-discrepancy investigation.
  3. If on-orbit: switch to the redundant component if available; coordinate with SatOps.
  4. Engage SatDev/Eng supply-chain lead for upstream investigation.
Owners: SOC on-call (step 1); FSW build team (step 2); SatOps redundancy lead (step 3); SatDev/Eng supply-chain (step 4).
PB-13
Payload-data integrity mismatch response
Triggered by: AN-DET:13
  1. Hold the affected mission product; do not release to downstream consumers until verified.
  2. Re-request the original telemetry from the platform with end-to-end integrity check.
  3. If mismatch persists, engage SatDev/Eng payload-data lead for on-board investigation.
  4. Notify mission-product consumers of the integrity hold per the disclosure protocol.
Owners: SOC on-call (step 1); SatOps mission-product lead (step 2, 4); SatDev/Eng payload-data lead (step 3).