New Knowledge Pack Released (KP-2022-007)
Each Knowledge Pack contains the latest insight from the Dragos team, streamlining the detection of devices and potential malicious activity across industrial networks. They provide regular updates related to threat analytics, protocols, ICS/OT device data, and investigation playbooks to equip customers with visibility into their environments and the tools to respond.
Over 260 characterizations and 530 detections are included in this Knowledge Pack for customers running Platform 2.x. Here are some highlights:
- Ovation – many new characterizations for Emerson Ovation including: SSQuery and SS_RPC activity, system registration, controller models, Toolserver, Developer Studio workstation commands, Ovation Historian, REM Server, and Ovation Database servers.
- Triconex – firmware update, P2P, and TSAA summarizations around monitoring and managing Triconex systems.
- DeltaV – device commissioning and decommissioning via DOP from a Pro Plus Server, and the “setpriv” command in DeltaV Diagnostics via telnet.
- CaddyWiper – composite detections that correlate specific disk-corruption, domain controller identification, remote windows user directory access, file/directory enumeration, and ARGUEPATCH loader activities.
- Ransomware – DNS queries for Pcloud and Mega cloud storage, known to be an exfil destinations, in addition to the Rclone client tool used with a variety of other cloud storage providers.
- NGROK – several detections related to this tool which provides external (internet) access to internal systems including: tunnel creation, file transfers, DNS queries, and share access attempts.
- Cobalt Strike – specific file transfers related to PowerShell and other post-exploitation tools besides Cobalt Strike like PowerShell Empire, and a collection of IDS signatures for command and control patterns.
- Sality – initial and lateral transfer of the Sality malware that has extensive capabilities including PLC password retrieval.
Dragos Platform Knowledge Packs are available for download from the Dragos Customer Portal. Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation. Users with additional Dragos services and subscriptions, including Neighborhood Keeper and WorldView Threat Intelligence, can access them using their Customer Portal credentials through https://portal.dragos.com.
If you’re interested in learning more about Dragos Knowledge Packs and how we continuously incorporate our expertise into the Dragos Platform, we invite you to read this overview or contact email@example.com.
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.