The SUBSTITUTE action replaces all or part of the data, content or payload in the least detectable manner.
SUBSTITUTE is used in cases where an attack is to be impeded or thwarted in an undetectable manner.
Table. Supported Targets and Actuators: SUBSTITUTE
| Target Type | Actuator Type | |
|---|---|---|
| cybox:File cybox:Network_Connection |
endpoint network.router |
The SUBSTITUTE action accepts the following modifiers:
Table. Modifiers: SUBSTITUTE
| Modifier | Type | Description | Target Applicability |
|---|---|---|---|
| options | Additional options that specify what to replace and replace with what. | All |
Below is a sample of OpenC2 commands to perform a SUBSTITUTE of targets, utilizing actuators at different levels of specificity, qualified by modifiers to the action as appropriate.
Table. Sample of OpenC2 Commands: SUBSTITUTE
| DESCRIPTION | ACTION | TARGET TARGET-SPECIFIER |
ACTUATOR ACTUATOR-SPECIFIER |
MODIFIER | |
|---|---|---|---|---|---|
| 1 | Overwrite data | SUBSTITUTE | cybox:File cybox:FileObjectType |
endpoint (optional) |
options |
| 2 | Substitute traffic | SUBSTITUTE | cybox:Network_Connection cybox:NetworkConnectionObjectType |
network.router (optional) |
options |