Home/ATT&CK Technique/Loss of Protection
ICS ATT&CK

Loss of Protection

T0837 · impact

Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. Many faults and abnormal conditions in process control happen too quickly for a human operator to react to.

Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. Adversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems.

This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.

None

Actors Using This

3
israel_aligned_suspected_military_intelligencePredatory Sparrow
russiaSandworm Team
russiaXENOTIME / TRITON / TRISIS

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution earlier
T1203 · Exploitation for Client Execution ×1.43T1574 · Hijack Execution Flow ×1.29T1053 · Scheduled Task/Job ×1.25
persistence earlier
T1133 · External Remote Services ×1.36
privilege-escalation earlier
T1068 · Exploitation for Privilege Escalation ×1.49
credential-access earlier
T1003.001 · LSASS Memory ×1.28
lateral-movement earlier
T1021.001 · Remote Desktop Protocol ×1.87T1021 · Remote Services ×1.56
collection earlier
T1056 · Input Capture ×1.34
impact same
T0827 · Loss of Control ×34.00T0828 · Loss of Productivity and Revenue ×29.75T0826 · Loss of Availability ×18.31
other same
T0816 · Device Restart/Shutdown ×34.00T0809 · Data Destruction ×29.75T0814 · Denial of Service ×23.80

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin