Skip to main content
The Dragos Blog

01.21.21 | 1 min read

December Knowledge Pack Released – including updates for SolarWinds detections

Dragos, Inc.

We’re pleased to announce the December 2020 Knowledge Pack is now available to Dragos Platform customers.

Dragos Knowledge Packs contain the latest indicators of compromise from the Dragos Threat Intelligence team, automating the detection of pieces of forensic data that may identify malicious activity on an OT network. They provide regular updates of the latest protocols, threat behavior analytics, ICS/OT device data, and investigation playbooks to ensure our customers are armed with the proactive, comprehensive information needed to better understand their environments and detect advanced threats. This ICS-focused knowledge is codified into software updates that are delivered to customers via the Dragos Customer Portal.

Key areas of focus for this month’s update include:

FireEye and SolarWinds Signature Analytics

As noted in recent coverage from Dragos, the common use of specific monitoring tools is exposing customer environments to threat vectors that require updates to detections for rapid identification. We have also released new corresponding playbooks and query definitions.

New Threat Characterizations

Over 150 characterizations are now included with several new ones involving tools specific to interactions with Rockwell Automation/Allen Bradley PLCs. In addition, many customers will benefit from updates specific to common malware cloaking techniques including file obfuscation and compression. Attackers are always looking for methods to hide malware in plain sight, and these improvements will help defenders identify and unmask more threats than ever.

New Threat Behaviors

More than 500 detections are available with recent additions based on threat hunting intelligence gathered by teams at Dragos. Of particular note will be those around CIP traffic to unexpected hosts and the transfer of compiled Python executables transferred from a Windows host to an OT asset then generating ICS traffic (a technique used by XENOTIME during the TRISIS event). The rise in remote operations due to COVID impact has also led to more RDP traffic so the new behavior included in this Knowledge Pack update related to RDP Handshake Tunneling will provide additional threat visibility that is relevant now more than ever.

With each new release, customers will find that the Platform detections have MITRE ATT&CK® Tactics and Techniques mapped to them, providing a common reference for known attacker behaviors. If you wish to learn more about this new framework and how you can put it to use in your organization, we invite you to download our recent whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”. To learn more about how Dragos Knowledge Packs work and how we continuously funnel our expertise into the Dragos Platform, read the Knowledge Packs Overview blog or contact

Ready to put your insights into action?

Take the next steps and contact our team today.