Each Knowledge Pack contains the latest insight from the Dragos team, automating the detection of devices and potential malicious activity across industrial networks. They provide regular updates related to protocols, threat analytics, ICS/OT device data, and investigation playbooks to equip customers with comprehensive visibility into their environments.
A summary of key updates in this Knowledge Pack is as follows:
- Modbus TCP Summarization – improvements to how we dissect Modbus TCP traffic and pull diagnostic codes
- Over 200 characterizations are included in this Knowledge Pack
- Log4J / Log4Shell – related analytics tuned to reduce the potential for false positive occurrences
- CRASHOVERRIDE – composite detection covering the CRASHOVERRIDE IEC104 module terminating a legitimate process, followed by an external file transfer then a Windows GUID retrieval
- Windows Service Created with Unusual Source Directory – new service with an unusual application path created on a Windows host, often used to maintain persistence for malicious actors
- BLACKENERGY – file transfers associated with BLACKENERGY malware, associated with KAMACITE, one of the activity groups identified and tracked by Dragos
- Stealbit YARA – transfer files that include features associated with Stealbit, a data exfiltration tool associated with Lockbit 2.0 ransomware
- Client/Server “Hello’s” – detections to identify the JA3 hash associated with a Meterpreter HTTPS “Client Hello” which when used in conjunction with a malicious Server Hello from a Kali Linux Metasploit handler, is a sign of a malicious C2 link. Similar detections for JA3S TLS hashes of known Kali Linux Metasploit Sockets and Metasploit TLS Server Client Hello
- Over 400 detections are included in this Knowledge Pack
Dragos Platform customers can download new Knowledge Packs from the Customer Portal. Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation. Users with additional subscriptions, including Neighborhood Keeper and WorldView Threat Intelligence, also access those services using their Customer Portal credentials.
Ready to put your insights into action?
Take the next steps and contact our team today.