ICS Evaluation Results: Dragos
Criteria: Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as RDP.
Criteria: Evidence of an adversary initiated program upload action of the control PLC (10.0.100.110) to collect the current running configuration (requested from the safety EWS [10.0.100.20]).
Criteria: Evidence that the scheduled task "SMB_sync.xml" is not legitimate and was imported into Task Scheduler (the task executes a spoofed plink executable to initiate a reverse shell tunnel).
Criteria: Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Criteria: Evidence that the "install-csp.ps1" script was executed on the control EWS (10.0.100.20) via PowerShell (using the bypass execution policy).
Criteria: Evidence that the "rockwell-csp3" service is not legitimate (the service is a spoofed SSHD, created then executed via Start-Service).
Criteria: Evidence that the "csp-agent" service is not legitimate (the service is a spoofed ssh-agent, created then executed via Start-Service).
Criteria: Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "sftp-server.exe" process. A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe" [SSHD]. A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence of the network discovery broadcast request sent from the control EWS (10.0.100.15) over TCP port 44818.
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Device Type" attribute (instance 0x01, class 0x01) of the control PLC (10.0.100.110).
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Status" attribute (attribute 0x05, instance 0x01, class 0x01) of the control PLC (10.0.100.110).
Criteria: Evidence that all controller and program tag names were requested over CIP from the control PLC (10.0.100.110) to the control EWS (10.0.100.20).
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling RDP traffic over SSH.
Criteria: Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as RDP.
Criteria: Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via the "mstsc.exe" process as RDP. A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence that the "install-csp.ps1" script was executed on the safety EWS (10.0.100.15) via PowerShell (using the bypass execution policy).
Criteria: Evidence that the services "rockwell-csp3" and "csp-agent" are not legitimate (the services are a spoofed SSHD and ssh-agent underneath, created then executed via Start-Service).
Criteria: Evidence of an adversary initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "scp". A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence that the newly created files from the extraction of "RSLINX_install.zip" in the Temp Rockwell RSLINX directory are not legitimate ("RSLINX.exe" and "LogixMap.exe").
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "csp.exe" [SSHD]. A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence of the network discovery broadcast request sent from the safety EWS (10.0.100.15) over TCP port 44818.
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Device Type" attribute (instance 0x01, class 0x01) of the safety PLC (10.0.100.105).
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Status" attribute (attribute 0x05, instance 0x01, class 0x01) of the safety PLC (10.0.100.105).
Criteria: Evidence that all controller and program tag names were requested over CIP from the safety PLC (10.0.100.105) to the safety EWS (10.0.100.15).
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "sftp-server.exe" process. A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Status" attribute (attribute 0x05, instance 0x01, class 0x01) of the safety PLC (10.0.100.105).
Criteria: Evidence of an adversary initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
Criteria: Evidence of an adversary initiated online edit action on the safety PLC (10.0.100.105), requested from the safety EWS (10.0.100.15).
Criteria: Evidence of the modified program "P04_Trips_FO_R00_Trips" to include new function block logic and a "CC" tag for command and control on the safety PLC.
Criteria: Evidence of an adversary initiated write tag action to the "CC" tag using the 0x4D CIP service (a low value of "0" or False was written).
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Status" attribute (attribute 0x05, instance 0x01, class 0x01) of the control PLC (10.0.100.110).
Criteria: Evidence of abuse of a CIP handshake between the control EWS and control PLC resulting in an adversary privilege escalation (the handshake sequence consisted of a service 0x4B class 0x64 initiation request and a service 0x4C class 0x64 challenge response).
Criteria: Evidence of adversary initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
Criteria: Evidence of adversary initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
Criteria: Evidence of the safety PLC operating mode being switched to Program Mode following an adversary CIP request to instance 0x01 of class 0x8E using service 0x07.
Criteria: Evidence of an adversary initiated program download action on the safety PLC (10.0.100.105) to overwrite the current configuration (requested from the safety EWS [10.0.100.15]).
Criteria: Evidence of an adversary initiated Get Attribute Single CIP request for the "Status" attribute (attribute 0x05, instance 0x01, class 0x01) of the safety PLC (10.0.100.105).
Criteria: Evidence of an adversary initiated program upload action of the safety PLC (10.0.100.105) to collect the current running configuration (requested from the safety EWS [10.0.100.15]).
Criteria: Evidence of an adversary initiated online edit action on the safety PLC (10.0.100.105), requested from the safety EWS (10.0.100.15).
Criteria: Evidence of the modified program "P04_Trips_FO_R00_Trips" to include new function block logic and a "CC" tag for command and control on the safety PLC.
Criteria: Evidence of an adversary initiated write tag action to the "CC" tag using the 0x4D CIP service (a low value of "1" or True was written).
Criteria: Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe" [SSHD]. A successful logon as user "Engineer" may be present on its own or as part of the connection and process creation.
Criteria: Evidence of abuse of a CIP handshake between the control EWS and control PLC resulting in an adversary privilege escalation (the handshake sequence consisted of a service 0x4B class 0x64 initiation request and a service 0x4C class 0x64 challenge response).
Criteria: Evidence of adversary initiated write tag actions to the "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" tags to change setpoints and control actions using the 0x4D and 0x51 CIP services (the air damper setpoint tag was written to "0" [percent open] and HMI_Enb was pulsed to remove cascade control).
Criteria: Evidence of a privileged write or force point action being used to overwrite polled tag values on the control PLC when the adversary initiated the CIP service 0x51 within the class 0x6A. The tags associated with the Ignitor (3XY2070) and Flame Sensor (3HS2070) were the target of these actions.
Criteria: Evidence of write actions occurring on the tags "eR01_3ZC2071" and "f3ZC2071_HMI_Enb" to change setpoints and control actions with the CIP service 0x4D and service 0x51, respectively. HMI_Enb was pulsed to remove cascade control and the air damper setpoint tag was written to "100" [percent open].