ICS Evaluation Results: Institute for Information Industry
Criteria: Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as RDP.
Criteria: Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "mstsc.exe" process as RDP. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence that the newly created files copied from the RDP shared folder into the control EWS Temp SMB directory are not legitimate ("SMBClient.exe", "SMB_Sync.xml", and "SMB_Update.xml").
Criteria: Evidence that the scheduled task "SMB_sync.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).
Criteria: Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Criteria: Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "mstsc.exe" process. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe" [SSHD]. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence that a network discovery scan for TCP port 44818 was initiated from the control EWS (10.0.100.20) against hosts across the whole subnet (10.0.100.1-10.0.100.255).
Criteria: Evidence of the network discovery broadcast request sent from the control EWS (10.0.100.15) over TCP port 44818.
Criteria: Evidence of an adversary-initiated Get Attribute Single CIP request for the "Device Type" attribute (instance 0x01, class 0x01) of the control PLC (10.0.100.110).
Criteria: Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via the "mstsc.exe" process as RDP. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe" [SSHD]. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "csp.exe" [SSHD]. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence of the network discovery broadcast request sent from the safety EWS (10.0.100.15) over TCP port 44818.
Criteria: Evidence of an adversary-initiated Get Attribute Single CIP request for the "Device Type" attribute (instance 0x01, class 0x01) of the safety PLC (10.0.100.105).
Criteria: Evidence that the newly created files from the extraction of "Install_RSLogix.zip" in the Temp Rockwell RSLogix directory are not legitimate ("RSLogix5000.exe", "RSComms.exe", etc.).
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) to transfer "Install_GuardLogix.zip" over scp.
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "csp.exe" [SSHD]. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence of the modified program "P04_Trips_FO_R00_Trips" to include new function block logic and a "CC" tag for command and control on the safety PLC.
Criteria: Evidence of an adversary-initiated write tag action to the "CC" tag using the 0x4D CIP service (a low value of "0" or False was written).
Criteria: Evidence of adversary-initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
Criteria: Evidence of the safety PLC operating mode being switched to Program Mode following an adversary-initiated CIP request to instance 0x01 of class 0x8E using service 0x07.
Criteria: Evidence of the modified program "P04_Trips_FO_R00_Trips" to include new function block logic and a "CC" tag for command and control on the safety PLC.
Criteria: Evidence of an adversary-initiated write tag action to the "CC" tag using the 0x4D CIP service (a low value of "1" or True was written).
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe" [SSHD]. Successful logon as user "Engineer" may be present, or may appear as part of the connection and process creation.
Criteria: Evidence of abuse of a CIP handshake between the control EWS and the control PLC resulting in an adversary privilege escalation (the handshake sequence consisted of a service 0x4B class 0x64 initiation request and a service 0x4C class 0x64 challenge response).
Criteria: Evidence of adversary-initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
Criteria: Evidence of a privileged write or force point action being used to overwrite polled tag values on the control PLC when the adversary initiated CIP service 0x51 within class 0x6A. The tags associated with the Ignitor (3XY2070) and Flame Sensor (3HS2070) were the target of these actions.
Criteria: Evidence of write actions occurring on the tags "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" to change setpoints and control actions with CIP service 0x4D and service 0x51, respectively. HMI_Enb was pulsed to remove cascade control and the air damper setpoint tag was written to "100" [percent open].