Live Webinar:

Join Robert M. Lee on Dec. 8 as he shares strategies for effectively communicating with your board about the critical need for additional funding in OT cybersecurity.

Skip to main content
The Dragos Blog

03.11.22 | 1 min read

New Knowledge Pack Released (KP-2022-003-A)

Dragos, Inc.

Each Knowledge Pack contains the latest insight from the Dragos team, automating the detection of devices and potential malicious activity across industrial networks. They provide regular updates related to protocols, threat analytics, ICS/OT device data, and investigation playbooks to equip customers with comprehensive visibility into their environments.

A summary of key updates in this Knowledge Pack is as follows:


  • Modbus TCP Summarization – improvements to how we dissect Modbus TCP traffic and pull diagnostic codes
  • Over 200 characterizations are included in this Knowledge Pack


  • Log4J / Log4Shell – related analytics tuned to reduce the potential for false positive occurrences
  • CRASHOVERRIDE – composite detection covering the CRASHOVERRIDE IEC104 module terminating a legitimate process, followed by an external file transfer then a Windows GUID retrieval
  • Windows Service Created with Unusual Source Directory – new service with an unusual application path created on a Windows host, often used to maintain persistence for malicious actors
  • BLACKENERGY – file transfers associated with BLACKENERGY malware, associated with KAMACITE, one of the activity groups identified and tracked by Dragos
  • Stealbit YARA – transfer files that include features associated with Stealbit, a data exfiltration tool associated with Lockbit 2.0 ransomware
  • Client/Server “Hello’s” – detections to identify the JA3 hash associated with a Meterpreter HTTPS “Client Hello” which when used in conjunction with a malicious Server Hello from a Kali Linux Metasploit handler, is a sign of a malicious C2 link. Similar detections for JA3S TLS hashes of known Kali Linux Metasploit Sockets and Metasploit TLS Server Client Hello
  • Over 400 detections are included in this Knowledge Pack

Dragos Platform customers can download new Knowledge Packs from the Customer Portal. Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation.  Users with additional subscriptions, including Neighborhood Keeper and WorldView Threat Intelligence, also access those services using their Customer Portal credentials.

For more background on Dragos Knowledge Packs and how we continuously incorporate our expertise into the Dragos Platform, we invite you to read this overview or contact

Implications of Log4j Vulnerability for Operational Technology Networks
Watch the on-demand webinar with Dragos experts discussing the Log4j vulnerability and learn about: Potentially impacted software and equipment within OT networks | OT-relevant mitigation strategies | Dragos Intelligence recommendations

Ready to put your insights into action?

Take the next steps and contact our team today.