New Knowledge Pack Released (KP-2022-003-A)

Each Knowledge Pack contains the latest insight from the Dragos team, automating the detection of devices and potential malicious activity across industrial networks. They provide regular updates related to protocols, threat analytics, ICS/OT device data, and investigation playbooks to equip customers with comprehensive visibility into their environments.

A summary of key updates in this Knowledge Pack is as follows:

Characterizations:

• Modbus TCP Summarization – improvements to how we dissect Modbus TCP traffic and pull diagnostic codes
• Over 200 characterizations are included in this Knowledge Pack

Detections:

• Log4J / Log4Shell – related analytics tuned to reduce the potential for false positive occurrences
• CRASHOVERRIDE – composite detection covering the CRASHOVERRIDE IEC104 module terminating a legitimate process, followed by an external file transfer then a Windows GUID retrieval
• Windows Service Created with Unusual Source Directory – new service with an unusual application path created on a Windows host, often used to maintain persistence for malicious actors
• BLACKENERGY – file transfers associated with BLACKENERGY malware, associated with KAMACITE, one of the activity groups identified and tracked by Dragos
• Stealbit YARA – transfer files that include features associated with Stealbit, a data exfiltration tool associated with Lockbit 2.0 ransomware
• Client/Server “Hello’s” – detections to identify the JA3 hash associated with a Meterpreter HTTPS “Client Hello” which when used in conjunction with a malicious Server Hello from a Kali Linux Metasploit handler, is a sign of a malicious C2 link. Similar detections for JA3S TLS hashes of known Kali Linux Metasploit Sockets and Metasploit TLS Server Client Hello
• Over 400 detections are included in this Knowledge Pack

Dragos Platform customers can download new Knowledge Packs from the Customer Portal. Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation.  Users with additional subscriptions, including Neighborhood Keeper and WorldView Threat Intelligence, also access those services using their Customer Portal credentials.

For more background on Dragos Knowledge Packs and how we continuously incorporate our expertise into the Dragos Platform, we invite you to read this overview or contact sales@dragos.com.

< class="mini-cta__header heading--3"> Implications of Log4j Vulnerability for Operational Technology Networks

Watch the on-demand webinar with Dragos experts discussing the Log4j vulnerability and learn about: Potentially impacted software and equipment within OT networks | OT-relevant mitigation strategies | Dragos Intelligence recommendations

Watch Now